Latest revision as of 10:50, 31 January 2017

Things to audit

Sensitive, well known security Groups (Domain Admins, Enterprise Admins, Administrators) and its members
Issued Certificates for users in sensitive, well known security groups
Issued Certificates with Authentication Mechanism Assurance
ACL on root
ACL on OU's/Users/Groups
ACL on AdminSDHolder
ACL on GPO's
ACL with replication permission
Passwords of users
Kerberos keys, golden/silver tickets/krbtgt hash
Kerberoast
Unexpected User User Account Control values
- Store password using reversible encryption on accounts
SIDHistory values

@@ Line 10: / Line 10: @@
 * ACL with replication permission
 * Passwords of users
-* Kerberos keys, golden tickets
+* Kerberos keys, golden/silver tickets/krbtgt hash
+* Kerberoast
 * Unexpected User User Account Control values
+** Store password using reversible encryption on accounts
 * SIDHistory values
 *
 ==In Config Partition==
+*
 ==In DNS==
@@ Line 26: / Line 28: @@
 * Definition of logon/startup scripts
 * Modification of logon/startup scripts in sysvol
-*
+* Unexpected User Rights Assignments
+** [http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/ SeEnableDelegationPrivilege]
 ==On DC==
+* Effective GPO settings (see above)
 * [https://mendel129.wordpress.com/tag/password-filter-a-dll/ Password Filter]
 * DSRM Password
-* DSRMv2
+* [https://adsecurity.org/?p=1785 DSRMv2]
 * All [https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx?f=255&MSPPError=-2147217396 autorun values]
-* [https://adsecurity.org/?p=1785 Malicious Security Support Provider (SSP)]
+* [https://adsecurity.org/?p=1760 Malicious Security Support Provider (SSP)]
 *
+= Sources =
+* https://adsecurity.org/?s=sneaky
+* https://adsecurity.org/?p=2293
+* https://jumpespjump.blogspot.be/2015/03/thousand-ways-to-backdoor-windows.html