Hey all, two of my favorite Active Directory auditing tools have been updated in the past couple of weeks – PingCastle and BloodHound! First up is PingCastle which is what I’ll cover today, and then I’ll try to cover BloodHound tomorrow.
Both of these tools are used to audit AD and can give you some really awesome, quick security wins. These things can seem daunting at first, and there are some risks in trying to make the recommended changes. You should use these to gather data, and if you aren’t sure what they are recommending or how to mitigate something, hop in our Slack and ask some questions! We love learning together 🙂
Welcome to PingCastle
The thing I love most about PingCastle is that it’s incredible reports are only surpassed by it’s simplicity of use. I simply can’t praise Vincent enough for his effort to make this so usable.
To get started, head over to https://pingcastle.com/download, click Download, extract PingCastle_220.127.116.11.zip, and run PingCastle.exe and follow the prompts. It’s important that note that administrative privileges are not required for PingCastle, but you may get a few false positives if you have removed/denied domain users permissions on things like GPO’s. Instead of running as Domain Admin, it would be advisable to simply add read permissions to the object it complains about and run it again if you are worried about it (and remove read permissions when done. Here’s what it looks like when I run it:
While this looks really bad (it’s only mildly bad :p), it’s important to read the report and find out why you are getting marked down and whether you may be mitigating in other ways that PingCastle isn’t aware of. For example, the Obsolete OS has to do with an HVAC controller that is detached from the network except for the couple of times a year that the schedules need to be updated.
For us, the big issue above is around unconstrained delegation, but at least it is fairly isolated and buried a few layers deep. We’ve been in process of cleaning these up for a while now (several of these are offline, huzzah!), and it’s probably a good idea to do extra monitoring until they are cleaned up. Also, it’s likely that if you rely on Kerberos delegation for a sensitive account, you will also get dinged for not setting the “this account is sensitive and cannot be delegated” flag. These are both important to work on, but it’s even more important to understand what these mean before messing with them or you will break things.
Don’t worry, it’s about progress
When I first started with PingCastle, we were at 100 on everything except Trusts… It isn’t the most friendly to education because it penalizes stale data (those subs that haven’t logged in for 3 months or computers left off over summer) and similar types of things. Don’t worry too much about all of the red – just read the report and see what you can clean up. Once you’ve made changes, run the report again and see if it is still an issue.
For a more thorough review of PingCastle and its features, you should definitely check out Daniel Card’s blog over here: https://www.pwndefend.com/2020/02/04/active-directory-security-securing-the-crown-jewels-with-pingcastle-2-8-0-0/
Hopefully this can help you spend an hour cleaning things up and make some really awesome changes, and again, if you have any questions, join us on Slack!