Closed
## Description
### Parent Epic (If Applicable)
https://github.com/elastic/ia-trade-team/issues/276
### Summary
Explore how attackers can exploit Active Directory for Credential Access using relay, spoofing, and coercion attacks.
### Tasks
- [x] Build a Lab
- [x] Explore ADIDNS Spoofing
- [x] Explore WSUS Spoofing
- [x] Explore Coercion Attacks
- [ ] Explore PowerShell Tooling
### Goals
- Improve coverage for these attacks.
- Gain better knowledge of AD DS.
### Resources
- https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
- https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/
- https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications
- https://mayfly277.github.io/categories/ad/
- https://www.akamai.com/blog/security-research/spoofing-dns-by-abusing-dhcp
- https://www.youtube.com/watch?v=u-RsFCXMqfk
- https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
### PRs
- [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation #3535
- [New Rule] Creation of a DNS-Named Record #3539
- [New Rules] Potential PowerShell Pass-the-Hash/Relay Script #3543
- [New Rule] DNS Global Query Block List Modified or Disabled #3734
- [New Rule] Potential WPAD Spoofing via DNS Record Creation #3748
- [New Rule] Potential WSUS Abuse for Lateral Movement #3908
- [New Rule] Active Directory Forced Authentication from Linux Host #3912
- [New Rule] Potential Forced Authentication - SMB Named Pipes #3916
- [New Rule] Active Directory Forced Authentication from Linux Host - SMB Named Pipes #3917
- [New Rule] Potential Relay Attack against a Domain Controller #3928