for i in {1..10}; do ping -W1 -c 1 -n 192.168.1.$i | tr '\n' ' ' | grep '1 packets received' | cut -d ' ' -f 2 ; done
Sunday, 16 June 2019
Tuesday, 14 March 2017
ACSC Log Source Configuration
Hi ACSC Folk,
Thanks for passing by and looking at my presentation. Below are some areas that I covered in my talk. Hope you enjoy implementing them :). There is some duplicate content from .conf2016 as I wanted to allow my visitors to not have to dig through my blog to get the information they need. If you want me to come in and help you deploy any of these in your environment I will be more than happy to, hit me up on twitter or linked.in.
The Defense - Admin Remote Code Execution Flaw Page
To make this easy I have packaged this up in a zip file. Link below
https://drive.google.com/open?id=0B1rXi_hylyatd0xnb3F4TkFycWM
Here is the splunk search with access_combined.
source="access.log.2" host="splunk" index="main" sourcetype="access_combined" uri_path= /admin_ce_results.html referer="*/admin_ce_healthcheck.html" | stats count by host | table count
The Defense - Spam Trap
For this exercise you will need to setup a valid email account, you should be able to ask your mail administrator to do this for you. The code snippet below will get you on the results list of theharvester only if the address is on your main page associated with your root domain. i.e if your mail domain is blahblah.gov.au make sure that you put the code snippet on https://blahblah.gov.au (hopefully your running https!!!!) website. Other domains even though may be registered to you may not show up. I personally haven't tested the snippet below as a hidden comment so if you do successfully let me know and I will update my blog post :).
Code Snippet
<a href="mailto:dev_webteam@yourorganisation.com.au">Developer contact : dev_webteam@yourorganisation.com.au</a>
Splunk Search
So below I am using our Splunk stream SMTP capture device to pull emails off the wire. The first part of the search can be changed to suit your environment/index but this lets you get an understanding of what you need to do at a high level.
Build list of people sending to your spam catch email, Deduplicate the results, finally output to a csv file and append it.
index=mail sourcetype="stream:smtp" receiver_email="dev_webteam@yourorganisation.com.au" | dedup sender_email | table sender_email | outputlookup append=true spamcatch.csv
Now you can email this csv once a week to your mail administrators by using the following search
|inputlookup spamcatch.csv | dedup sender_email
In addition, you can create this as a search to see who has been sent an email from this address by doing the following. You may find some security incidents this way.
index=mail sourcetype="stream:smtp" receiver_email!="dev_webteam@yourorganisation.com.au" [|inputlookup spamcatch.csv | dedup sender_email] | table sender_email, receiver_email, subject,content_body
The Defense - AD Reconnaissance
How to detect internal reconnaissance of your environment through Windows Auditing and Event Logs.
This portion of the guide is going to show you how to setup group policy and also how to enable logging for certain items in your environment. The advantage of what I am going to show you will provide the defender with a log that is triggered when ever certain attributes of either the Guest account, Domain Admin Group or Enterprise Admin group are queried.
Now that I have presented this topic at a conference attackers may change the way they query groups in the domain excluding queries to the Domain Admin group / Enterprise Admin group. They may start using Schema Admins or exclude those groups completely. The aim of this post is to show you the technique and then you can adopt to your own situation. Ultimately allowing you to create honey users or honey groups!
First steps are to configure group policy to log the new events. The events will be logged on your Domain Controllers in the Security log so look for them there.
Open up group policy management as shown below.
Next Right Click Default Domain Controller Policy and Select Edit
Expand Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access
Edit Both Audit Directory Service Access and Audit Directory Service Changes to Success and Failure
Close Group Policy.
Auditing Access to Groups - Honey Groups!!
What we are trying to achieve here is to create an event that will be logged on the Domain Controllers when anyone queries the members or memberof a particular group, limiting the noise as well. Alert noise ultimately means alerts that are not monitored and thats not good!
Open up Active Directory Users and Computers
Make sure that under View, Advanced features is ticked.
As I am using Domain Admins for my example I will select the Users OU
Right Click the Domain Admins Group | Select properties | Select Security | Select Advanced
Click the Auditing Tab | Click Add
The instructions below are inclusive meaning do not untick any boxes that I have not mentioned. Click Add
Click Apply and Save
If you make a mistake, you can always go in to the auditing tab and click restore defaults to get you out of trouble :). Repeat this for any Group that you want to monitor.
EventCode 4661 and 4662 will now be logged to your Domain Controllers. To make use out of this event look for accounts that are not admins querying the group membership of administrative groups. i.e Joe Bloggs in Marketing has no reason to query the membership of the Domain Admins group. The following commands have been tested and each log an event in the event log ;)
dsget group "CN=Domain Admins,CN=Users,DC=conf2016,DC=local" -members
get-adgroupmember "Domain Admins"
net group "Domain Admins" /domain
If you are getting excessive 4661 events with SAM_DOMAIN have a look at the following article.
https://support.microsoft.com/en-au/kb/841001
Or alternatively configure the following blacklist in your Splunk inputs.conf under Splunk_TA_windows\local\inputs.conf
blacklist3 = EventCode="4661" Message="SAM_DOMAIN|SAM_ALIAS|SAM_SERVER"
Auditing Queries to Users - Honey Users!!
What we are trying to achieve here is to create an event that will be logged on the Domain Controllers when anyone queries the memberof a particular user. Warning depending on the location of the user this can be noisy.
Open up Active Directory Users and Computers
Make sure that under View, Advanced features is ticked.
As I am using svc_domain_restore for my example and this user is in the the Users OU
Right Click the user you want to modify, in my example it is svc_domain_restore | Select properties | Select Security | Select Advanced
Applies to 'everyone'
The instructions below are inclusive meaning do not untick any boxes that I have not mentioned. Click Add
Thanks for passing by and looking at my presentation. Below are some areas that I covered in my talk. Hope you enjoy implementing them :). There is some duplicate content from .conf2016 as I wanted to allow my visitors to not have to dig through my blog to get the information they need. If you want me to come in and help you deploy any of these in your environment I will be more than happy to, hit me up on twitter or linked.in.
The Defense - Admin Remote Code Execution Flaw Page
To make this easy I have packaged this up in a zip file. Link below
https://drive.google.com/open?id=0B1rXi_hylyatd0xnb3F4TkFycWM
Here is the splunk search with access_combined.
source="access.log.2" host="splunk" index="main" sourcetype="access_combined" uri_path= /admin_ce_results.html referer="*/admin_ce_healthcheck.html" | stats count by host | table count
The Defense - Spam Trap
For this exercise you will need to setup a valid email account, you should be able to ask your mail administrator to do this for you. The code snippet below will get you on the results list of theharvester only if the address is on your main page associated with your root domain. i.e if your mail domain is blahblah.gov.au make sure that you put the code snippet on https://blahblah.gov.au (hopefully your running https!!!!) website. Other domains even though may be registered to you may not show up. I personally haven't tested the snippet below as a hidden comment so if you do successfully let me know and I will update my blog post :).
Code Snippet
<a href="mailto:dev_webteam@yourorganisation.com.au">Developer contact : dev_webteam@yourorganisation.com.au</a>
Splunk Search
So below I am using our Splunk stream SMTP capture device to pull emails off the wire. The first part of the search can be changed to suit your environment/index but this lets you get an understanding of what you need to do at a high level.
Build list of people sending to your spam catch email, Deduplicate the results, finally output to a csv file and append it.
index=mail sourcetype="stream:smtp" receiver_email="dev_webteam@yourorganisation.com.au" | dedup sender_email | table sender_email | outputlookup append=true spamcatch.csv
Now you can email this csv once a week to your mail administrators by using the following search
|inputlookup spamcatch.csv | dedup sender_email
In addition, you can create this as a search to see who has been sent an email from this address by doing the following. You may find some security incidents this way.
index=mail sourcetype="stream:smtp" receiver_email!="dev_webteam@yourorganisation.com.au" [|inputlookup spamcatch.csv | dedup sender_email] | table sender_email, receiver_email, subject,content_body
The Defense - AD Reconnaissance
How to detect internal reconnaissance of your environment through Windows Auditing and Event Logs.
This portion of the guide is going to show you how to setup group policy and also how to enable logging for certain items in your environment. The advantage of what I am going to show you will provide the defender with a log that is triggered when ever certain attributes of either the Guest account, Domain Admin Group or Enterprise Admin group are queried.
Now that I have presented this topic at a conference attackers may change the way they query groups in the domain excluding queries to the Domain Admin group / Enterprise Admin group. They may start using Schema Admins or exclude those groups completely. The aim of this post is to show you the technique and then you can adopt to your own situation. Ultimately allowing you to create honey users or honey groups!
First steps are to configure group policy to log the new events. The events will be logged on your Domain Controllers in the Security log so look for them there.
Open up group policy management as shown below.
Next Right Click Default Domain Controller Policy and Select Edit
Expand Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access
Edit Both Audit Directory Service Access and Audit Directory Service Changes to Success and Failure
Close Group Policy.
Auditing Access to Groups - Honey Groups!!
What we are trying to achieve here is to create an event that will be logged on the Domain Controllers when anyone queries the members or memberof a particular group, limiting the noise as well. Alert noise ultimately means alerts that are not monitored and thats not good!
Open up Active Directory Users and Computers
Make sure that under View, Advanced features is ticked.
As I am using Domain Admins for my example I will select the Users OU
Right Click the Domain Admins Group | Select properties | Select Security | Select Advanced
Click the Auditing Tab | Click Add
The instructions below are inclusive meaning do not untick any boxes that I have not mentioned. Click Add
- Principal - Everyone
- Type - All
- Applies to ‘This Object only’
- Tick the following attributes
- Modify Owner
- Modify Permissions
- Add/Remove self as member
- Read Members
- Read memberOf
- Read memberUID
- Read nTGroupMembers
Click Apply and Save
If you make a mistake, you can always go in to the auditing tab and click restore defaults to get you out of trouble :). Repeat this for any Group that you want to monitor.
EventCode 4661 and 4662 will now be logged to your Domain Controllers. To make use out of this event look for accounts that are not admins querying the group membership of administrative groups. i.e Joe Bloggs in Marketing has no reason to query the membership of the Domain Admins group. The following commands have been tested and each log an event in the event log ;)
dsget group "CN=Domain Admins,CN=Users,DC=conf2016,DC=local" -members
get-adgroupmember "Domain Admins"
net group "Domain Admins" /domain
If you are getting excessive 4661 events with SAM_DOMAIN have a look at the following article.
https://support.microsoft.com/en-au/kb/841001
Or alternatively configure the following blacklist in your Splunk inputs.conf under Splunk_TA_windows\local\inputs.conf
blacklist3 = EventCode="4661" Message="SAM_DOMAIN|SAM_ALIAS|SAM_SERVER"
Auditing Queries to Users - Honey Users!!
What we are trying to achieve here is to create an event that will be logged on the Domain Controllers when anyone queries the memberof a particular user. Warning depending on the location of the user this can be noisy.
Open up Active Directory Users and Computers
Make sure that under View, Advanced features is ticked.
As I am using svc_domain_restore for my example and this user is in the the Users OU
Right Click the user you want to modify, in my example it is svc_domain_restore | Select properties | Select Security | Select Advanced
Applies to 'everyone'
The instructions below are inclusive meaning do not untick any boxes that I have not mentioned. Click Add
- Principal - Everyone
- Type - All
- Applies to ‘This Object only’
- Tick the following attributes
- Read profilePath
- Write profilePath
- Read desktopProfile
- Write desktopProile
- Read Member Of
Friday, 7 October 2016
Mickeys SVIP - Tip 3 - Monitoring Insider Threat and Potential Credential Misuse with Levenshtein Algorithm
Hi All,
Pic of this search
Leading up to .conf I was a little quiet on the blogging front so thought I would come out and do another one now I have a little bit of spare time. So lets get straight into this.
What is the problem we are trying to solve?
My favourite question to ask :). If we are not solving a problem then there is no point in wasting our time.
So what is the problem? Credential theft and misuse. The best way to explain is in a scenario.
You have an administrator who has access to 3 accounts. Lets say his name is Joe Bloggs. His accounts are
jbloggs - Standard User Account
a_jbloggs - Administrator Account
svc_backup - A backup account that is able to make changes to any server and has super privileges.
So again going back to the problem. Could Joe Bloggs have used his standard admin account to do the work? Yes he probably could have. So why does he need to use the svc_backup account? Well who knows, we will let you find that out in your own network. But knowing, lets you ask that question. In security its about being able to ask those questions which helps us improve and understand.
How do we solve the problem?
TLDR version down the bottom with the search.
We have two awesome functions at our disposal.
Event Code 4648 - A logon was attempted using explicit credentials
Levenshtein distance - A way to measure the distance in characters between two strings using substitution,deletion or addition of a string.
Lets go into Event Code 4648 this is straight from the windows event log record
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Levenshtein Distance
Some details here - https://en.wikipedia.org/wiki/Levenshtein_distance
and here - http://www.levenshtein.net
TLDR version of the above is that if you have 2 strings lets say jbloggs and a_jbloggs there is a 2 character distance between the two (addition of 2 letters). Between jbloggs and svc_backup is 9.
Why 9 when there are 10 characters well because the b in backup and the b in bloggs line up. Here is a pic to demonstrate.
Now lets look at an example log.
Looking at the above you can see it clearly that they are two different people. So what do we need to get this in our data sources. Windows event log and URL Toolbox (link below)
URL Toolbox - https://splunkbase.splunk.com/app/2734/
URL toolbox not only has levenshtein but also has other cool string analysis tools such as entropy and can help you parse URLs.
TLDR Splunk Search
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4648 NOT Account_Name=*$
| eval srcAccount=mvindex(Security_ID,0)
| eval destAccount = mvindex(Account_Domain,1) +"\\" + mvindex(Account_Name,1)
| `ut_levenshtein(srcAccount,destAccount)`
| table _time,srcAccount,destAccount,ut_levenshtein
1st Line - Searches for Windows event code 4648 and excludes local system
2nd Line - Gets the first item in the array of Security_ID field and creates a new field srcAccount
3rd Line - Joins the 2nd item in the array of Account_Domain field and the 2nd item in the array of Security_ID and creates a new field called destAccount
4th Line - Calculates the levenshtein distance between srcAccount and destAccount.
5th Line - Nicely formats.
Filtering out names that are the same / users that are using their own admin account.
The above search will need a where clause depending on how you name your admin accounts. i.e if you name your admin accounts like 'a_' then create the clause as 'where ut_levenshtein>2' so that a_jbloggs is not picked up.
So looking like this.
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4648 NOT Account_Name=*$
| eval srcAccount=mvindex(Security_ID,0)
| eval destAccount = mvindex(Account_Domain,1) +"\\" + mvindex(Account_Name,1)
| `ut_levenshtein(srcAccount,destAccount)`
| where ut_levenshtein>2
| table _time,srcAccount,destAccount,ut_levenshtein
If you want to only compare Account Names and not the whole domain then do the following (this can be helpful when you have multiple Active Directory domains).
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4648 NOT Account_Name=*$
| eval srcAccount=mvindex(Account_Name,0)
| eval destAccount = mvindex(Account_Name,1)
| `ut_levenshtein(srcAccount,destAccount)`
| where ut_levenshtein>2
| table _time,srcAccount,destAccount,ut_levenshtein
Pic of this search
Thursday, 29 September 2016
.CONF 2016 - How To Configure Each Source Described in My Presentation
If you are reading this then you have probably heard about my .conf 2016 talk or came and saw me present. Either way glad to have you here and hope that these posts provide you some detail around how to configure some of the log sources that I described in my talk. I will be covering each post sequentially as I described in my talk. Have a security question or want to get your security nerd on!! Hit me up on twitter and I can share my email and we can have a talk about IT or... beer!! @MickeyPerre
Before we start I will make the caveat statement that each environment is different so updating certain settings may not have an affect depending on the environment. For example, the Default Domain Policy in some environments is not linked to any Organisational units in Active Directory.
The Defense - Suspicious Process
Enabling Command Line Process Auditing.
For this portion of the guide we will be enabling command line auditing through group policy. The intention is to cover all hosts in the environment so updating the Default Domain Policy is a good start in my environment as that covers all hosts.
First step is to open up group policy management as shown below.
Next Right Click Default Domain Policy and Select Edit
Expand Computer configuration | Expand Administrative Templates | Expand System | Select Audit Process Creation | R-Click Include Command Line in Process Command Creation Events | Select Edit
Change Options to Enable
Close Group Policy and you are done :).
The Defense - AD Reconnaissance
How to detect internal reconnaissance of your environment through Windows Auditing and Event Logs.
This portion of the guide is going to show you how to setup group policy and also how to enable logging for certain items in your environment. The advantage of what I am going to show you will provide the defender with a log that is triggered when ever certain attributes of either the Guest account, Domain Admin Group or Enterprise Admin group are queried.
Now that I have presented this topic at a conference attackers may change the way they query groups in the domain excluding queries to the Domain Admin group / Enterprise Admin group. They may start using Schema Admins or exclude those groups completely. The aim of this post is to show you the technique and then you can adopt to your own situation. Ultimately allowing you to create honey users or honey groups!
First steps are to configure group policy to log the new events. The events will be logged on your Domain Controllers in the Security log so look for them there.
Open up group policy management as shown below.
Next Right Click Default Domain Controller Policy and Select Edit
Expand Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access
Edit Both Audit Directory Service Access and Audit Directory Service Changes to Success and Failure
Close Group Policy.
Auditing Access to Groups - Honey Groups!!
What we are trying to achieve here is to create an event that will be logged on the Domain Controllers when anyone queries the members or memberof a particular group, limiting the noise as well. Alert noise ultimately means alerts that are not monitored and thats not good!
Open up Active Directory Users and Computers
Make sure that under View, Advanced features is ticked.
As I am using Domain Admins for my example I will select the Users OU
Right Click the Domain Admins Group | Select properties | Select Security | Select Advanced
Click the Auditing Tab | Click Add
The instructions below are inclusive meaning do not untick any boxes that I have not mentioned. Click Add
Click Apply and Save
If you make a mistake, you can always go in to the auditing tab and click restore defaults to get you out of trouble :). Repeat this for any Group that you want to monitor.
EventCode 4661 and 4662 will now be logged to your Domain Controllers. To make use out of this event look for accounts that are not admins querying the group membership of administrative groups. i.e Joe Bloggs in Marketing has no reason to query the membership of the Domain Admins group. The following commands have been tested and each log an event in the event log ;)
dsget group "CN=Domain Admins,CN=Users,DC=conf2016,DC=local" -members
get-adgroupmember "Domain Admins"
net group "Domain Admins" /domain
If you are getting excessive 4661 events with SAM_DOMAIN have a look at the following article.
https://support.microsoft.com/en-au/kb/841001
Or alternatively configure the following blacklist in your Splunk inputs.conf under Splunk_TA_windows\local\inputs.conf
blacklist3 = EventCode="4661" Message="SAM_DOMAIN|SAM_ALIAS|SAM_SERVER"
Configure DNS Debug Logging
The following steps show you how to configure DNS logging on your DNS server. It is important to test this in a non production environment prior to production. This will need to be configured on each DNS server.
Logon to the DNS server.
Open DNS
Right Click the Server Name and Click Properties
Select Debug Logging Tab | Tick Details | Enter File Path. Make sure the file path exists and try to keep it on a non system drive.
Before we start I will make the caveat statement that each environment is different so updating certain settings may not have an affect depending on the environment. For example, the Default Domain Policy in some environments is not linked to any Organisational units in Active Directory.
The Defense - Suspicious Process
Enabling Command Line Process Auditing.
For this portion of the guide we will be enabling command line auditing through group policy. The intention is to cover all hosts in the environment so updating the Default Domain Policy is a good start in my environment as that covers all hosts.
First step is to open up group policy management as shown below.
Next Right Click Default Domain Policy and Select Edit
Expand Computer configuration | Expand Administrative Templates | Expand System | Select Audit Process Creation | R-Click Include Command Line in Process Command Creation Events | Select Edit
Close Group Policy and you are done :).
The Defense - AD Reconnaissance
How to detect internal reconnaissance of your environment through Windows Auditing and Event Logs.
This portion of the guide is going to show you how to setup group policy and also how to enable logging for certain items in your environment. The advantage of what I am going to show you will provide the defender with a log that is triggered when ever certain attributes of either the Guest account, Domain Admin Group or Enterprise Admin group are queried.
Now that I have presented this topic at a conference attackers may change the way they query groups in the domain excluding queries to the Domain Admin group / Enterprise Admin group. They may start using Schema Admins or exclude those groups completely. The aim of this post is to show you the technique and then you can adopt to your own situation. Ultimately allowing you to create honey users or honey groups!
First steps are to configure group policy to log the new events. The events will be logged on your Domain Controllers in the Security log so look for them there.
Open up group policy management as shown below.
Next Right Click Default Domain Controller Policy and Select Edit
Expand Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access
Edit Both Audit Directory Service Access and Audit Directory Service Changes to Success and Failure
Close Group Policy.
Auditing Access to Groups - Honey Groups!!
What we are trying to achieve here is to create an event that will be logged on the Domain Controllers when anyone queries the members or memberof a particular group, limiting the noise as well. Alert noise ultimately means alerts that are not monitored and thats not good!
Open up Active Directory Users and Computers
Make sure that under View, Advanced features is ticked.
As I am using Domain Admins for my example I will select the Users OU
Right Click the Domain Admins Group | Select properties | Select Security | Select Advanced
Click the Auditing Tab | Click Add
The instructions below are inclusive meaning do not untick any boxes that I have not mentioned. Click Add
- Principal - Everyone
- Type - All
- Applies to ‘This Object only’
- Tick the following attributes
- Modify Owner
- Modify Permissions
- Add/Remove self as member
- Read Members
- Read memberOf
- Read memberUID
- Read nTGroupMembers
Click Apply and Save
If you make a mistake, you can always go in to the auditing tab and click restore defaults to get you out of trouble :). Repeat this for any Group that you want to monitor.
EventCode 4661 and 4662 will now be logged to your Domain Controllers. To make use out of this event look for accounts that are not admins querying the group membership of administrative groups. i.e Joe Bloggs in Marketing has no reason to query the membership of the Domain Admins group. The following commands have been tested and each log an event in the event log ;)
dsget group "CN=Domain Admins,CN=Users,DC=conf2016,DC=local" -members
get-adgroupmember "Domain Admins"
net group "Domain Admins" /domain
If you are getting excessive 4661 events with SAM_DOMAIN have a look at the following article.
https://support.microsoft.com/en-au/kb/841001
Or alternatively configure the following blacklist in your Splunk inputs.conf under Splunk_TA_windows\local\inputs.conf
blacklist3 = EventCode="4661" Message="SAM_DOMAIN|SAM_ALIAS|SAM_SERVER"
The following steps show you how to configure DNS logging on your DNS server. It is important to test this in a non production environment prior to production. This will need to be configured on each DNS server.
Logon to the DNS server.
Open DNS
Right Click the Server Name and Click Properties
Select Debug Logging Tab | Tick Details | Enter File Path. Make sure the file path exists and try to keep it on a non system drive.
Friday, 9 September 2016
Mickeys SVIP - Tip 2 - Monitoring Adds/Changes/Deletes against groups in Active Directory.
Hi All,
If you read my previous post in regards to Configuring Audit Logging you will know that I am making a series of blog posts about improving visibility in your network for Security Operations. If you haven't seen it then it is here. http://mickeysecurity.blogspot.com.au/2016/08/my-recommended-windows-active-directory.html
This is Tip 2 in my series of improving visibility in your network. This week I want to cover one of the most used feature of Windows AD. Groups. Groups in AD are used to logically manage users to reduce the requirement to individually add users to SACLs and join users by commonality i.e. "Finance Users" or "Corporate Newsletter". They are 2 Group Types:
- Security - Used to apply security controls to files, folders and Active Directory objects.
- Distribution - A group type that cannot be applied to permissions of files, folders and Active Directory objects.
Why?
As groups
are the predominant source of Access Control in your environment it is
important to ensure that a user is not added to a group when they don't have
approval to do so or do not require that level of permission.
The Threat?
The
biggest threat would be for an external threat to utilise privileged groups to
further their compromise into your network, such as placing them self in the
Domain Admin or Enterprise Admin group. These groups have what we call
'god' like permissions inside of AD. They should be strictly monitored as
failing to monitor these groups could lead to big issues down the track.
A few scenarios that I have seen play out are below.
- Accidental insider threat #1 - A user in your network is trying to run a bespoke application that requires a whole lot more access than any normal application, one of your admins has been spending a week trying to resolve the issue and in frustration adds the users account to Domain Admin to 'make the issue' go away.
- Accidental insider threat #2 - A developer is deploying their new application to production, again the service will not start so the developer adds the service account to domain admin to make the application run.
- Malicious insider threat - An admin in the network (regardless of status) is curious about an upcoming press release but does not have access to the folder that houses the files. They add them self to a group to provide access.
- Malicious External Threat - This is not the easiest to spot, but the easiest to describe. An account has been compromised and the external threat requires to be added to a privileged group to carry out the tasks they need.
What Events?
The event
codes that we are interested in are below (if you don't have any <=2003
hosts then remove that section:
XP-2003
Event Codes
Event
Code 631 - Security Enabled Global Group Created
Event
Code 632 - Security Enabled Global Group Member Added
Event
Code 633 - Security Enabled Global Group Member Removed
Event
Code 634 - Security Enabled Global Group Deleted
Event
Code 653 - Security Disabled Global Group Created
Event
Code 654 - Security Disabled Global Group Changed
Event
Code 657 - Security Disabled Global Group Deleted
Event
Code 655 - Security Disabled Global Group Member Added
Event
Code 656 - Security Disabled Global Group Member Removed
Event
Code 658 - Security Enabled Universal Group Created
Event
Code 659 - Security Enabled Universal Group Changed
Event
Code 660 - Security Enabled Universal Group Member Added
Event
Code 661 - Security Enabled Universal Group Member Removed
Event
Code 662 - Security Enabled Universal Group Deleted
Event
Code 663 - Security Disabled Universal Group Created
Event
Code 665 - Security Disabled Universal Group Member Added
Event
Code 664 - Security Disabled Universal Group Changed
Event
Code 666 - Security Disabled Universal Group Member Removed
Event
Code 667 - Security Disabled Universal Group Deleted
2008+
Event Codes
Event
Code 4749 - A security-disabled global group was created.
Event
Code 4750 - A security-disabled global group was changed
Event
Code 4751 - A member was added to a security-disabled global group.
Event
Code 4752 - A member was removed from a security-disabled global group.
Event
Code 4753 - A security-disabled global group was deleted.
Event
Code 4759 - A security-disabled universal group was created.
Event
Code 4760 - A security-disabled universal group was changed.
Event
Code 4761 - A member was added to a security-disabled universal group.
Event
Code 4762 - A member was removed from a security-disabled universal group.
Event
Code 4763 - A security-disabled universal group was deleted.
Event
Code 4727 - A security-enabled global group was created.
Event
Code 4728 - A member was added to a security-enabled global group.
Event
Code 4729 - A member was removed from a security-enabled global group.
Event
Code 4737 - A security-enabled global group was changed.
Event
Code 4754 - A security-enabled universal group was created.
Event
Code 4755 - A security-enabled universal group was changed.
Event
Code 4756 - A member was added to a security-enabled universal group.
Event
Code 4757 - A member was removed from a security-enabled universal group.
Event
Code 4758 - A security-enabled universal group was deleted.
Event Code
4764 - A groups type was changed.
How Frequent do we want to see these alerts / reports?
Once a
day with a period of the last 24hrs.
Additional Notes?
This is
going to be a large report that's why I scheduled it for once a day. Make
it part of your morning environment health check. You may notice that
exchange servers add some users to groups. I believe this is related to
the use of the exchange management console adding users to group mailbox
accounts or calendar accounts. You can grab the GroupEventCodes.csv from
my googledrive located below.
If you do
not have any 2003 servers then you can remove them from the list.
The search?
index=wineventlog
sourcetype=wineventLog:security [| inputlookup GroupEventCodes.csv] NOT
(Security_ID="NT AUTHORITY*") | fields _time, EventCode, Security_ID,
signature, user_group, dest_nt_domain, action, subject,member,group | eval
subject=mvindex(Security_ID,0) |eval member=mvindex(Security_ID,1) | eval
group=mvindex(Security_ID,2) | table _time,EventCode,subject, signature,
member, group, action, dest_nt_domain | sort _time
Example:
Detailed
Steps:
- Logon to your Splunk server.
I am running off a Windows Server so I am opening up
'http://localhost:8000/en-GB/'
- Click Settings Lookups
- Click 'Add New' beside
Lookup Table files
- Fill in details as per
below then click Save. Use the lookup table from my google drive. (link above)
- Now we need to edit the permissions so that all apps can use the lookup table. Click 'Permissions' beside your new lookup table ‘GroupEventCodes.csv’
- Set permissions as per below
and save.
- Click 'Lookups' to get to
the main Lookup menu.
- Now lets add a lookup definition for Splunk to search against. Click ‘Add New’ beside Lookup definitions.
- Type in details as per
below
- Click the splunk icon in the top left hand corner to go back to your default dashboard.
- Click Search and Reporting
- Copy in the search as
detailed in ‘The search?”, select last 24hrs. Once the search has
completed click 'Save As'.
- Click 'Report'
- Enter Title - 'Group Activity - Last 24 Hours'
- Enter Description - 'This report is generated daily to notify the Administrators of the environment of any changes, adds or deletions to groups in the last 24 hours.'
- Time Range Picker - 'Yes'
- Click Save.
- Click 'Schedule'
- Tick 'Schedule Report' and
fill out as below.
- Click next.
- Tick Send email, fill out
the to address (SMTP will need to be configured for email to successfully
send), then tick 'inline Table'
- Click Save
Subscribe to:
Posts (Atom)