PowerShell Kerberos Module
The Azure AD Hybrid Authentication Management module enables hybrid identity organizations (those with Active Directory on-premises) to use modern credentials for their applications and enables Azure AD to become the trusted source for both cloud and on-premises authentication.
I do administration for a lot of Office 365 tenants using PowerShell delegated remote access to the customers' Exchange servers. I used a method described here: -us/office365/enterprise/powershell/manage-office-365-tenants-with-windows-powershell-for-delegated-access-permissio
While Ansible has supported Kerberos auth through pywinrm for some time, optional features or more secure options may only be available in newer versions of the pywinrm and/or pykerberos libraries. It is recommended you upgrade each to the latest available version to resolve any warnings or errors. This can be done through tools like pip or a system package manager like dnf, yum or apt, but the package names and versions available may differ between tools.
The hostname set for the Windows host is the FQDN and not an IP address.
* If you connect using an IP address you will get the error message Server not found in Kerberos database.
* To determine if you are connecting using an IP address or an FQDN, run your playbook (or call the win_ping module) using the -vvv flag.
If the default kerberos tooling has been replaced or modified (some IdM solutions may do this), this may cause issues when installing or upgrading the Python Kerberos library. As of the time of this writing, this library is called pykerberos and is known to work with both MIT and Heimdal Kerberos libraries. To resolve pykerberos installation issues, ensure the system dependencies for Kerberos have been met (see: Installing the Kerberos Library), remove any custom Kerberos tooling paths from the PATH environment variable, and retry the installation of Python Kerberos library package.
Using the variables above, Ansible will connect to the Windows host with Basic authentication through HTTPS. If ansible_user has a UPN value like username@MY.DOMAIN.COM then the authentication option will automatically attempt to use Kerberos unless ansible_winrm_transport has been set to something other than kerberos.
ansible_winrm_transport: Specify one or more authentication transport options as a comma-separated list. By default, Ansible will use kerberos, basic if the kerberos module is installed and a realm is defined, otherwise it will be plaintext.
ansible_winrm_send_cbt: When using ntlm or kerberos over HTTPS, the authentication library will try to send channel binding tokens to mitigate against man in the middle attacks. This flag controls whether these bindings will be sent or not (default: yes).
Implicit PSRemoting may look like you are running the commands locally within your PowerShell session, but they are actually running on a remote machine. A good example of this is using a module that is not installed on your system. Instead of installing it locally, you can export commands from a PSSession, which lets you run them as if they were installed locally.
Next, once that module is imported, I can execute the Test-PendingReboot command. This is shown below, and you will notice that the computer name in the output is not the name of the device PowerShell is running on, but the device the command was imported from.
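The flow described above, as an added example that is not part of the original article: the module is loaded in a remote session and proxy functions are imported locally. The server name SRV01 and the module name PendingReboot are assumptions for the example; the -Prefix parameter is used so that it is obvious at the call site that the command is executing remotely.

```powershell
# Added example (not from the original article): implicit remoting of a module
# that is installed on a remote host but not locally.
# Assumed names: remote host 'SRV01', module 'PendingReboot'.
$session = New-PSSession -ComputerName SRV01

# Load the module inside the remote session; nothing is installed locally.
Invoke-Command -Session $session -ScriptBlock { Import-Module PendingReboot }

# Generate local proxy functions for the remote module's commands.
# -Prefix renames them (Test-PendingReboot -> Test-RemotePendingReboot) so the
# remote execution is visible to whoever reads the script later.
$proxy = Import-Module -PSSession $session -Name PendingReboot -Prefix Remote -PassThru

# Executes on SRV01: the ComputerName in the output is SRV01, not this machine.
Test-RemotePendingReboot

# Optional: persist the proxies to disk so later sessions can reuse them
# without re-running Import-Module -PSSession.
# Export-PSSession -Session $session -Module PendingReboot -OutputModule RemotePendingReboot

# Clean up the proxy module and the session. The proxies stop working once
# the session is gone, which is the point: the code never ran locally.
Remove-Module $proxy
Remove-PSSession $session
```

A practical caveat: the proxy functions carry your interactive credentials to the remote host on every call, so treat a host you import commands from with the same trust you would give a host you type commands on.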
When you work with Hybrid Cloud Trust, you need the AzureAdKerberos PowerShell module. This module is located in the C:\Program Files\Microsoft Azure AD Connect\AzureADKerberos folder.
The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Set-ADAccountControl cmdlet with specific parameters. Set-ADAccountControl is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, Set-ADAccountControl is used to modify User Account Control values for an Active Directory domain account. With the appropriate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account in order to brute force the user's password offline using the AS-REP Roasting technique. Red Teams and adversaries alike who have obtained privileges in an Active Directory network may use this technique as a backdoor or a way to escalate privileges.
The Kerberos decryption key rollover is performed using Windows PowerShell and the required module will be available on the Azure AD Connect server. The commands should therefore be completed while logged onto the Azure AD Connect server.
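Both operations mentioned above run on the Azure AD Connect server but use different modules: the Hybrid Cloud Trust key rotation uses the AzureAdKerberos module from the folder named earlier, and the Seamless SSO "Kerberos decryption key rollover" uses the AzureADSSO module shipped with Azure AD Connect. The block below is an added example, not code from the original page or from Microsoft's documentation; the domain name corp.contoso.com is an assumption and credentials are prompted for rather than stored.

```powershell
# Added example (not from the original page). Run on the Azure AD Connect server
# in an elevated PowerShell session. Domain name is an assumption.

# ---- 1. Hybrid Cloud Trust: rotate the Azure AD Kerberos server key ----
Import-Module "C:\Program Files\Microsoft Azure AD Connect\AzureADKerberos\AzureAdKerberos.psd1"

$domain     = "corp.contoso.com"
$cloudCred  = Get-Credential -Message "Azure AD Global Administrator"
$domainCred = Get-Credential -Message "On-premises Domain Administrator"

# Record the current key versions before changing anything.
$before = Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
$before | Select-Object Id, DomainDnsName, KeyVersion, CloudKeyVersion, KeyUpdatedOn

# Rotate the key of the krbtgt_AzureAD account on both sides.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey

# Verify KeyVersion and CloudKeyVersion advanced; if they do not match, wait
# and re-check before concluding the rotation failed.
$after = Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
if ($after.KeyVersion -le $before.KeyVersion) { Write-Warning "Key version did not advance" }

# ---- 2. Seamless SSO: roll over the AZUREADSSOACC$ decryption key ----
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"

New-AzureADSSOAuthenticationContext          # prompts for a Global Administrator
$onPremCreds = Get-Credential -Message "Domain Administrator (DOMAIN\user)"
Update-AzureADSSOForest -OnPremCredentials $onPremCreds
```

Rotating these keys is a containment step as well as hygiene: anyone who has extracted the AZUREADSSOACC$ or krbtgt_AzureAD secret can forge tickets until the key is rolled, so a rollover belongs in the incident response plan for any domain controller or Azure AD Connect server compromise, not only on a calendar.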
The lab consists of two domains with a parent-child relationship: vmware.com and support.vmware.com. Our vRO is located in the vmware.com domain. We want to add two PowerShell hosts, one from each domain, using Kerberos authentication. First we need to edit the Kerberos configuration of the appliance. In our case the files should look like this:
This analytic identifies the execution of the Get-ADUser cmdlet with specific parameters. Get-ADUser is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, Get-ADUser is used to query for domain users. With the appropriate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre-Authentication disabled.
This analytic identifies powershell.exe usage, via Script Block Logging (EventCode 4104), related to querying the domain for Service Principal Names. This is typically a precursor to Kerberoasting or a silver ticket attack.
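The three analytics above (Set-ADAccountControl disabling pre-authentication, Get-ADUser hunting for pre-auth-disabled accounts, and SPN enumeration) all key on the ScriptBlockText of event 4104. The block below is an added example of the matching logic run over a few constructed script blocks; it is not the page's own analytic, and the sample events, host names and the exact regular expressions are the example's assumptions.

```powershell
# Added example (not from the original page): classify 4104 ScriptBlockText
# for the Kerberos reconnaissance patterns described in the analytics.
function Get-KerberosReconFinding {
    param([Parameter(Mandatory)][string]$ScriptBlockText)

    $findings = @()
    $t = $ScriptBlockText   # -match is case-insensitive by default

    # Turning off pre-authentication: AS-REP roasting setup or a persistence backdoor.
    if ($t -match 'Set-ADAccountControl\b' -and $t -match 'DoesNotRequirePreAuth\s*:?\s*\$?true') {
        $findings += 'PreAuthDisabled'
    }
    # Hunting for accounts that already have pre-authentication disabled.
    if ($t -match 'Get-ADUser\b' -and $t -match 'DoesNotRequirePreAuth') {
        $findings += 'PreAuthDiscovery'
    }
    # SPN enumeration via the AD module or setspn.exe: Kerberoasting / silver ticket precursor.
    if ($t -match 'ServicePrincipalName' -or $t -match '\bsetspn(\.exe)?\s+-[TtQqLl]') {
        $findings += 'SPNEnumeration'
    }
    return $findings
}

# Constructed sample events (only the fields the function needs).
$samples = @(
    @{ Computer = 'WS01'; ScriptBlockText = 'Set-ADAccountControl -Identity svc_backup -DoesNotRequirePreAuth $true' },
    @{ Computer = 'WS01'; ScriptBlockText = 'Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth' },
    @{ Computer = 'WS02'; ScriptBlockText = 'Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName' },
    @{ Computer = 'WS02'; ScriptBlockText = 'setspn -T corp.contoso.com -Q */*' },
    @{ Computer = 'WS03'; ScriptBlockText = 'Get-Date; Write-Host "hello"' }   # benign, no finding
)

foreach ($s in $samples) {
    $hits = Get-KerberosReconFinding -ScriptBlockText $s.ScriptBlockText
    if ($hits) { '{0}: {1}' -f $s.Computer, ($hits -join ',') }
}

# Against live logs on a host with script block logging enabled. In a 4104 event
# Properties[2] is ScriptBlockText.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { Get-KerberosReconFinding -ScriptBlockText $_.Properties[2].Value }
```

Expect false positives from identity administrators and audit scripts that legitimately query DoesNotRequirePreAuth or SPNs; tune on the combination of user, source host and time rather than the command text alone, and treat the Set-ADAccountControl case as higher severity because it changes state rather than merely reading it.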
These settings help gain visibility when PowerShell executes in an environment. PowerShell has gained a tremendous amount of popularity among attackers, and quite a few advanced persistent threat (APT) groups use similar frameworks to hinder attribution. At least version 5 of PowerShell is required to enable these logging features. Enabling them provides PowerShell module logging, script block logging (input/output of commands) and automatic suspicious script detection. Script block logging also records encoded or obfuscated PowerShell commands in their de-obfuscated form.
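The logging features described above are normally switched on through Group Policy; the block below is an added example that sets the same policy registry values directly, which is useful on workgroup hosts or in a lab. It is not code from the original page. The transcript share path is an assumption, and the script must run elevated.

```powershell
# Added example (not from the original page): enable PowerShell module logging,
# script block logging and transcription through the policy registry keys that
# the corresponding Group Policy settings write. Run as administrator.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging (event 4104): the de-obfuscated code that actually ran.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
# Invocation logging (4105/4106) is very noisy; leave it off unless a case needs it.
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockInvocationLogging -Value 0 -Type DWord

# Module logging (event 4103): pipeline execution details for every module ('*').
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# Transcription: full session text to a central share (path is an assumption).
# Make the share write-only for users so an attacker cannot read or trim transcripts.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value '\\logsrv\pstranscripts$' -Type String

# Verify: a new PowerShell process should now produce 4104 events.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 3 |
    Select-Object TimeCreated, @{ Name = 'Script'; Expression = { $_.Properties[2].Value } }
```

Two caveats: the default Microsoft-Windows-PowerShell/Operational log is small and wraps quickly once 4103/4104 are on, so raise its maximum size or forward it; and an attacker with local admin can clear these same keys, so the policy should be enforced centrally and the log forwarded off-host.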
The final attack I am going to demonstrate is RDP via Pass the Hash (this is only possible if Restricted Admin mode is enabled on the remote host). There are two ways to do this. The first is to leverage Mimikatz in the same way we did with PowerShell, except this time replacing powershell.exe with mstsc /restrictedadmin.
Creating and Using MSAs Let's dig a little deeper and actually create an MSA, install it on a server, then configure a service to use the MSA. In all cases where you run any of the PowerShell cmdlets, you need to have installed the Active Directory Module for Windows PowerShell, which is part of the Remote Server Administration Tools (RSAT) feature and can be found in the Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) Tools section, shown in Figure 1. These cmdlets need to be on both the computer you're managing the MSA from and the servers that are using the MSA. Next, open a PowerShell window to import the module, called ActiveDirectory, which will enable access to the AD cmdlets. You need to import this any time you start a new PowerShell instance and want to use the AD cmdlets. To import the module, type
Then I log on to the server that will use the MSA, in my case savdalts01. After I log on, I make sure I have installed the AD module for PowerShell. Then I start a PowerShell window and import the AD module. I then install the MSA:
Confirm the prompt, and this downloads and installs the PnP module for SharePoint Online. This module provides cmdlets that allow you to connect to and manage your SharePoint Online environment easily.
Group Managed Service Accounts are created via the Active Directory PowerShell module, as there is no facility to do this in the Active Directory Users and Computers admin tool. The PowerShell module will need to be installed on the workstation that will be used to create the accounts as well as on the servers that the accounts will be used on.
Once the MSA has been created, it needs to be installed on the server that it will be used on. To do this, the Active Directory PowerShell module will need to be installed on the SQL Servers. Once the AD PowerShell cmdlets are installed, you can log in to the server and install the account.
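The create-then-install procedure described in the MSA and gMSA passages above, carried through end to end as an added example (not code from either original article). It uses a group-managed service account, which is the variant the gMSA passage describes; the older single-computer MSA from the earlier passage is created with New-ADServiceAccount -RestrictToSingleComputer instead and does not need a KDS root key. The names gmsaSQL, SQLServers and contoso.com are assumptions.

```powershell
# Added example (not from the original articles): create a gMSA for a set of
# SQL Servers, then install and test it on one of them. Assumed names:
# gMSA 'gmsaSQL', computer group 'SQLServers', domain contoso.com.

# ---- On the admin workstation (RSAT AD module installed) ----
Import-Module ActiveDirectory

# One-time per forest: gMSA passwords are derived from the KDS root key.
# -EffectiveImmediately still needs ~10 hours before all DCs can use it;
# the lab shortcut is -EffectiveTime ((Get-Date).AddHours(-10)).
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# Restrict password retrieval to the hosts that actually run the service.
# A broad group here lets any member machine obtain a privileged credential.
$allowedHosts = Get-ADGroup -Identity 'SQLServers'

New-ADServiceAccount -Name 'gmsaSQL' `
    -DNSHostName 'gmsaSQL.contoso.com' `
    -PrincipalsAllowedToRetrieveManagedPassword $allowedHosts `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES128, AES256 `
    -Enabled $true

# Confirm the account and its retrieval ACL before touching any server.
Get-ADServiceAccount -Identity 'gmsaSQL' -Properties PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, PrincipalsAllowedToRetrieveManagedPassword

# ---- On each SQL Server (must be a member of SQLServers; reboot after the
#      group change so its Kerberos ticket carries the new group SID) ----
Import-Module ActiveDirectory
Install-ADServiceAccount -Identity 'gmsaSQL'

# True means this host can retrieve the managed password; False usually means
# the host is not yet in the allowed group or the KDS key is not effective yet.
Test-ADServiceAccount -Identity 'gmsaSQL'

# The service is then configured to log on as CONTOSO\gmsaSQL$ with the
# password left blank; Windows fetches and rotates it automatically.
```

The security point of the whole exercise is the PrincipalsAllowedToRetrieveManagedPassword list: it is the only thing standing between any domain-joined machine and the account's password, so it should name a dedicated group of exactly the hosts running the service and nothing wider such as Domain Computers.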
The issue is caused by the additional SMS provider that was added. When we run a remote PowerShell command, we use a defined credential object to connect to the SCCM server; from the SCCM server it then tries to load the module and authenticate with the stored credential to another SMS server. This new SMS server is considered a second node, and this becomes a second-hop situation, which is documented in the Microsoft article below: -powershell-second-hop-functionality-with-credssp/
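The second-hop situation described in that answer, as an added example (not code from the thread or from the linked article) using CredSSP, which is the approach the article title names. The host names ADMIN01, SCCM01 and SMSPROV02, the account CONTOSO\cmadmin and the site code P01 are assumptions.

```powershell
# Added example (not from the original thread): delegate credentials through
# the SCCM site server so it can authenticate to a second SMS provider.
# Assumed hosts: ADMIN01 (workstation) -> SCCM01 (site server) -> SMSPROV02.

# On ADMIN01: allow delegation only to the specific site server, never '*'.
Enable-WSManCredSSP -Role Client -DelegateComputer 'SCCM01.contoso.com' -Force

# On SCCM01: accept delegated credentials.
Enable-WSManCredSSP -Role Server -Force

# On ADMIN01: the first hop must itself use CredSSP. With default Kerberos or
# NTLM the site server only holds a non-forwardable ticket/hash, which is why
# the ConfigMgr module fails when it reaches out to SMSPROV02.
$cred = Get-Credential -UserName 'CONTOSO\cmadmin' -Message 'ConfigMgr admin'
Invoke-Command -ComputerName 'SCCM01.contoso.com' -Authentication Credssp -Credential $cred -ScriptBlock {
    Import-Module "$env:SMS_ADMIN_UI_PATH\..\ConfigurationManager.psd1"
    Set-Location 'P01:'          # assumed site code
    Get-CMSite                   # this call is what needed the second hop
}

# CredSSP leaves the plaintext credential in LSASS on SCCM01 for the session's
# lifetime; disable it when the task is done.
# Disable-WSManCredSSP -Role Client     # on ADMIN01
# Disable-WSManCredSSP -Role Server     # on SCCM01
```

CredSSP solves the problem by handing the site server your reusable password, so it should be scoped to one delegate host and turned off afterwards. Where the environment allows it, resource-based Kerberos constrained delegation avoids exposing the credential at all: Set-ADComputer SMSPROV02 -PrincipalsAllowedToDelegateToAccount (Get-ADComputer SCCM01) lets SCCM01 obtain a ticket to SMSPROV02 on the user's behalf without CredSSP.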
If you wish to replicate the Phoenix data to another database using another PowerShell module, exclude the Columns, Connection, and Table columns from the data returned by the Select-ApachePhoenix cmdlet, since those columns are used to help pipe data from one CData cmdlet to another.