Analytics Story: Sneaky Active Directory Persistence Tricks

Description

Monitor for activities and techniques associated with Windows Active Directory persistence techniques.

Why it matters

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks. In 2015, Active Directory security researcher Sean Metcalf published a blog post titled Sneaky Active Directory Persistence Tricks. In it, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after holding Domain Admin level rights for only a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible because they abuse legitimate administrative functionality rather than software vulnerabilities. Security engineers defending Active Directory networks should be aware of these techniques, available to adversaries post-exploitation, and deploy both preventive and detective security controls for them. This analytic story groups detection opportunities for most of the techniques described in Sean's blog post, as well as other high-impact attacks against Active Directory networks and Domain Controllers such as DCSync and DCShadow. For some of these detection opportunities, the required audit GPO settings and SACLs must be enabled; otherwise the corresponding event codes will never be generated. Each detection includes a list of the logging requirements that must be in place.

Detections

Name | Technique | Type
Windows AD add Self to Group | Account Manipulation | TTP
Windows AD Dangerous Deny ACL Modification | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Windows AD Dangerous Group ACL Modification | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Windows AD Dangerous User ACL Modification | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Windows AD DCShadow Privileges ACL Addition | Domain or Tenant Policy Modification, Rogue Domain Controller, Windows File and Directory Permissions Modification | TTP
Windows AD Domain Root ACL Deletion | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Windows AD Domain Root ACL Modification | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Windows AD GPO Deleted | Disable or Modify Tools, Group Policy Modification | TTP
Windows AD GPO Disabled | Disable or Modify Tools, Group Policy Modification | TTP
Windows AD GPO New CSE Addition | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Windows AD Hidden OU Creation | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Windows AD Object Owner Updated | Domain or Tenant Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Windows AD Privileged Group Modification | Account Manipulation | TTP
Windows AD Self DACL Assignment | Domain or Tenant Policy Modification, Account Manipulation | TTP
Windows AD Suspicious Attribute Modification | Use Alternate Authentication Material, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Windows AD Suspicious GPO Modification | Domain or Tenant Policy Modification, Group Policy Modification, File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Windows Increase in Group or Object Modification Activity | Account Manipulation, Impair Defenses | TTP
Windows Increase in User Modification Activity | Account Manipulation, Impair Defenses | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Windows AD AdminSDHolder ACL Modified | Event Triggered Execution | TTP
Windows AD Cross Domain SID History Addition | SID-History Injection, Access Token Manipulation | TTP
Windows AD Domain Controller Audit Policy Disabled | Disable or Modify Tools | TTP
Windows AD Domain Controller Promotion | Rogue Domain Controller | TTP
Windows AD Domain Replication ACL Addition | Domain or Tenant Policy Modification | TTP
Windows AD DSRM Account Changes | Account Manipulation | TTP
Windows AD DSRM Password Reset | Account Manipulation | TTP
Windows AD Privileged Account SID History Addition | SID-History Injection, Access Token Manipulation | TTP
Windows AD Replication Request Initiated by User Account | DCSync, OS Credential Dumping | TTP
Windows AD Replication Request Initiated from Unsanctioned Location | DCSync, OS Credential Dumping | TTP
Windows AD Same Domain SID History Addition | SID-History Injection, Access Token Manipulation | TTP
Windows AD ServicePrincipalName Added To Domain Account | Account Manipulation | TTP
Windows AD Short Lived Domain Account ServicePrincipalName | Account Manipulation | TTP
Windows AD Short Lived Domain Controller SPN Attribute | Rogue Domain Controller | TTP
Windows AD Short Lived Server Object | Rogue Domain Controller | TTP
Windows AD SID History Attribute Modified | Access Token Manipulation, SID-History Injection | TTP
Windows Admon Default Group Policy Object Modified | Domain or Tenant Policy Modification, Group Policy Modification | TTP
Windows Admon Group Policy Object Created | Domain or Tenant Policy Modification, Group Policy Modification | TTP
Windows Default Group Policy Object Modified | Domain or Tenant Policy Modification, Group Policy Modification | TTP
Windows Default Group Policy Object Modified with GPME | Domain or Tenant Policy Modification, Group Policy Modification | TTP
Windows Group Policy Object Created | Domain or Tenant Policy Modification, Group Policy Modification, Domain Accounts | TTP
Windows Security Support Provider Reg Query | Security Support Provider, Boot or Logon Autostart Execution | Anomaly
Windows AD Replication Service Traffic | OS Credential Dumping, DCSync, Rogue Domain Controller | TTP
Windows AD Rogue Domain Controller Network Activity | Rogue Domain Controller | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Active Directory Admon | Windows | ActiveDirectory | ActiveDirectory
Windows Event Log Security 4624 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4662 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4719 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4720 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4738 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4742 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4794 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 5136 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 5137 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 5141 | Windows | xmlwineventlog | XmlWinEventLog:Security


Source: GitHub | Version: 2