Unpacking the layers of a cyberattack is rarely a simple task. You need to analyze many potential entry points, attack paths, and data exfiltration tactics to reveal the scope of what took place—all while the culprits are potentially taking steps to cover their tracks.
At some point, the investigation is likely to land at the doorstep of Microsoft Active Directory (AD). When it does, incident response teams will need the right tools and scripts to aid in their investigation. Manually examining the mountains of log-in data and other information is impractical; data must be processed and analyzed quickly. As AD admins and security teams think about incident response, let’s examine what actions organizations can take and what type of tools and capabilities they can use to put them ahead of the game.
The typical attack has multiple elements to it: network components, file-based components, and, of course, Active Directory. The technology stack that needs examination is huge. The attack might start with a software vulnerability as an entry point, then involve dropping malware. The attacker might then use stolen user credentials to move laterally throughout the network, finally launching a DCShadow attack that uses replication permissions to imitate a domain controller and make changes to Active Directory.
When it comes to AD, investigators are dealing with a 20-year-old piece of technology that can be somewhat messy, as it contains thousands of users and tens of thousands of groups. Some of those groups will be nested within other groups and have excessive inherited permissions; some will include old, unused accounts that should have been deleted. Having an accurate map of AD and understanding the relationships between the users and groups is critical.
While it is also used by attackers, BloodHound is a highly useful tool for security defenders and investigators as well. It allows admins to visualize users and groups and identify the attack paths that threat actors can exploit by pinpointing accounts with excessive permissions. This information can serve as breadcrumbs to help create a comprehensive view of the entire attack kill chain.
To a similar effect, the Purple Knight tool from Semperis allows administrators to enumerate different exposures in AD. Using a combination of the information about the initial access to AD and what exposures exist, security defenders can make determinations about where the attackers might have gone next. The reason that defenders can glean these insights is because attackers are using the same type of scripts and queries used by Purple Knight.
For investigators, the tools they need fall into two categories. The first is scripts that are generalized queries to AD, such as a request for users with privileged access. The second category is scripts used to cross-correlate—for example, requesting users that are part of a group and logged in at a particular time. The filters for queries will change as the investigation evolves. However, what will not change is the need to have this initial mapping capability and knowledge of the exposures that exist in the AD environment. By understanding the links between users and groups, security teams and incident responders will be better able to react to attacks.
Beware the limitations of AD’s audit functionality
One of the challenges organizations face is that, in many instances, the audit functionality of Active Directory is not fully enabled. Although the native capabilities of Active Directory are effective, they also are not as robust as third-party tools. Context about events might be limited.
Did the user’s rights suddenly change in Active Directory? Was a new group created? Without effective auditing and monitoring, answering these questions during an investigation can become cumbersome. Sometimes, incident responders might need to look at backups of AD to figure out what has changed from previous states.
This type of information is invaluable to incident responders and investigators, and IT leaders should ensure their log retention strategy aligns with their regulatory compliance and security needs. There are several endpoint and AD audit logs that should be targeted for analysis to catch suspicious activity. Unfortunately, even if logging functionality is enabled, attackers might be able to destroy the logs after compromising the network. For this reason, it is important to have the capability to detect changes in AD, regardless of what attackers do to cover their tracks.
At Semperis, we accomplish this by monitoring the AD replication stream. Rather than depending solely on an agent running on a domain controller, this approach allows organizations to detect events that auditing tools miss, either because of the actions of a threat actor or something as simple as an agent’s incompatibility with a new security update for the domain controller.
The ability to monitor and audit AD can not only proactively detect attacks on AD, but also identify what happened in a breach’s aftermath, making the tools’ reporting capabilities and automation crucial. Armed with the ability to map attack paths and to track users, groups, and permissions, forensic investigations can move more quickly to uncover the scope of an attack.