Friday, 7 October 2016

Mickeys SVIP - Tip 3 - Monitoring Insider Threat and Potential Credential Misuse with Levenshtein Algorithm

Hi All,

Leading up to .conf I was a little quiet on the blogging front so thought I would come out and do another one now I have a little bit of spare time.  So lets get straight into this.  

What is the problem we are trying to solve?
My favourite question to ask :).  If we are not solving a problem then there is no point in wasting our time.  

So what is the problem? Credential theft and misuse.  The best way to explain is in a scenario.

You have an administrator who has access to 3 accounts.  Lets say his name is Joe Bloggs.  His accounts are

jbloggs - Standard User Account
a_jbloggs - Administrator Account
svc_backup - A backup account that is able to make changes to any server and has super privileges.

So again going back to the problem.  Could Joe Bloggs have used his standard admin account to do the work? Yes he probably could have.  So why does he need to use the svc_backup account? Well who knows, we will let you find that out in your own network.   But knowing, lets you ask that question.  In security its about being able to ask those questions which helps us improve and understand.

How do we solve the problem?
TLDR version down the bottom with the search.
We have two awesome functions at our disposal.  
Event Code 4648 - A logon was attempted using explicit credentials
Levenshtein distance - A way to measure the distance in characters between two strings using substitution,deletion or addition of a string.

Lets go into Event Code 4648 this is straight from the windows event log record
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

Levenshtein Distance
Some details here - https://en.wikipedia.org/wiki/Levenshtein_distance
and here - http://www.levenshtein.net

TLDR version of the above is that if you have 2 strings lets say jbloggs and a_jbloggs there is a 2 character distance between the two (addition of 2 letters).  Between jbloggs and svc_backup is 9.
Why 9 when there are 10 characters well because the b in backup and the b in bloggs line up. Here is a pic to demonstrate.


Now lets look at an example log.



Looking at the above you can see it clearly that they are two different people.  So what do we need to get this in our data sources.  Windows event log and URL Toolbox (link below)

URL Toolbox - https://splunkbase.splunk.com/app/2734/

URL toolbox not only has levenshtein but also has other cool string analysis tools such as entropy and can help you parse URLs.

TLDR Splunk Search
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4648 NOT Account_Name=*$ 
| eval srcAccount=mvindex(Security_ID,0) 
| eval destAccount = mvindex(Account_Domain,1) +"\\" + mvindex(Account_Name,1) 
| `ut_levenshtein(srcAccount,destAccount)` 
| table _time,srcAccount,destAccount,ut_levenshtein

1st Line - Searches for Windows event code 4648 and excludes local system
2nd Line - Gets the first item in the array of Security_ID field and creates a new field srcAccount
3rd Line - Joins the 2nd item in the array of Account_Domain field and the 2nd item in the array of Security_ID and creates a new field called destAccount
4th Line - Calculates the levenshtein distance between  srcAccount and destAccount.
5th Line - Nicely formats.

Filtering out names that are the same / users that are using their own admin account.
The above search will need a where clause depending on how you name your admin accounts.  i.e if you name your admin accounts like 'a_' then create the clause as 'where ut_levenshtein>2' so that a_jbloggs is not picked up.

So looking like this.
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4648 NOT Account_Name=*$ 
| eval srcAccount=mvindex(Security_ID,0) 
| eval destAccount = mvindex(Account_Domain,1) +"\\" + mvindex(Account_Name,1) 
| `ut_levenshtein(srcAccount,destAccount)` 
| where ut_levenshtein>2
| table _time,srcAccount,destAccount,ut_levenshtein

If you want to only compare Account Names and not the whole domain then do the following (this can be helpful when you have multiple Active Directory domains).

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4648 NOT Account_Name=*$ 
| eval srcAccount=mvindex(Account_Name,0) 
| eval destAccount = mvindex(Account_Name,1)  
| `ut_levenshtein(srcAccount,destAccount)` 
| where ut_levenshtein>2
| table _time,srcAccount,destAccount,ut_levenshtein


Pic of this search






Thursday, 29 September 2016

.CONF 2016 - How To Configure Each Source Described in My Presentation

If you are reading this then you have probably heard about my .conf 2016 talk or came and saw me present.  Either way glad to have you here and hope that these posts provide you some detail around how to configure some of the log sources that I described in my talk.  I will be covering each post sequentially as I described in my talk.  Have a security question or want to get your security nerd on!!  Hit me up on twitter and I can share my email and we can have a talk about IT or... beer!! @MickeyPerre

Before we start I will make the caveat statement that each environment is different so updating certain settings may not have an affect depending on the environment. For example, the Default Domain Policy in some environments is not linked to any Organisational units in Active Directory.

The Defense - Suspicious Process
Enabling Command Line Process Auditing.
For this portion of the guide we will be enabling command line auditing through group policy.  The intention is to cover all hosts in the environment so updating the Default Domain Policy is a good start in my environment as that covers all hosts.

First step is to open up group policy management as shown below.

Next Right Click Default Domain Policy and Select Edit

Expand Computer configuration | Expand Administrative Templates | Expand System | Select Audit Process Creation | R-Click Include Command Line in Process Command Creation Events | Select Edit

Change Options to Enable

Close Group Policy and you are done :).

The Defense - AD Reconnaissance
How to detect internal reconnaissance of your environment through Windows Auditing and Event Logs.
This portion of the guide is going to show you how to setup group policy and also how to enable logging for certain items in your environment.  The advantage of what I am going to show you will provide the defender with a log that is triggered when ever certain attributes of either the Guest account, Domain Admin Group or Enterprise Admin group are queried.

Now that I have presented this topic at a conference attackers may change the way they query groups in the domain excluding queries to the Domain Admin group  / Enterprise Admin group.  They may start using Schema Admins or exclude those groups completely.  The aim of this post is to show you the technique and then you can adopt to your own situation.  Ultimately allowing you to create honey users or honey groups!

First steps are to configure group policy to log the new events.  The events will be logged on your Domain Controllers in the Security log so look for them there.

Open up group policy management as shown below.

Next Right Click Default Domain Controller Policy and Select Edit

Expand Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access

Edit Both Audit Directory Service Access and Audit Directory Service Changes to Success and Failure

Close Group Policy.

Auditing Access to Groups - Honey Groups!!
What we are trying to achieve here is to create an event that will be logged on the Domain Controllers when anyone queries the members or memberof a particular group, limiting the noise as well.  Alert noise ultimately means alerts that are not monitored and thats not good!

Open up Active Directory Users and Computers

Make sure that under View, Advanced features is ticked.

As I am using Domain Admins for my example I will select the Users OU

Right Click the Domain Admins Group | Select properties | Select Security | Select Advanced

Click the Auditing Tab | Click Add


The instructions below are inclusive meaning do not untick any boxes that I have not mentioned. Click Add
  • Principal - Everyone
  • Type - All
  • Applies to ‘This Object only’
  • Tick the following attributes
    • Modify Owner
    • Modify Permissions
    • Add/Remove self as member
    • Read Members
    • Read memberOf
    • Read memberUID
    • Read nTGroupMembers


Click Apply and Save
If you make a mistake, you can always go in to the auditing tab and click restore defaults to get you out of trouble :).  Repeat this for any Group that you want to monitor.

EventCode 4661 and 4662 will now be logged  to your Domain Controllers.  To make use out of this event look for accounts that are not admins querying the group membership of administrative groups. i.e Joe Bloggs in Marketing has no reason to query the membership of the Domain Admins group.  The following commands have been tested and each log an event in the event log ;)

dsget group "CN=Domain Admins,CN=Users,DC=conf2016,DC=local" -members
get-adgroupmember "Domain Admins"
net group "Domain Admins" /domain

If you are getting excessive 4661 events with SAM_DOMAIN have a look at the following article.
https://support.microsoft.com/en-au/kb/841001

Or alternatively configure the following blacklist in your Splunk inputs.conf under Splunk_TA_windows\local\inputs.conf

blacklist3 = EventCode="4661" Message="SAM_DOMAIN|SAM_ALIAS|SAM_SERVER"

Configure DNS Debug Logging
The following steps show you how to configure DNS logging on your DNS server.  It is important to test this in a non production environment prior to production.  This will need to be configured on each DNS server.

Logon to the DNS server.
Open DNS
Right Click the Server Name and Click Properties

Select Debug Logging Tab | Tick Details | Enter File Path.  Make sure the file path exists and try to keep it on a non system drive.





Friday, 9 September 2016

Mickeys SVIP - Tip 2 - Monitoring Adds/Changes/Deletes against groups in Active Directory.


Hi All,


If you read my previous post in regards to Configuring Audit Logging you will know that I am making a series of blog posts about improving visibility in your network for Security Operations. If you haven't seen it then it is here.  http://mickeysecurity.blogspot.com.au/2016/08/my-recommended-windows-active-directory.html

This is Tip 2 in my series of improving visibility in your network.  This week I want to cover one of the most used feature of Windows AD.  Groups. Groups in AD are used to logically manage users to reduce the requirement to individually add users to SACLs and join users by commonality i.e. "Finance Users" or "Corporate Newsletter".  They are 2 Group Types:
  • Security - Used to apply security controls to files, folders and Active Directory objects.
  • Distribution - A group type that cannot be applied to permissions of files, folders and Active Directory objects.
Why?
As groups are the predominant source of Access Control in your environment it is important to ensure that a user is not added to a group when they don't have approval to do so or do not require that level of permission. 

The Threat?
The biggest threat would be for an external threat to utilise privileged groups to further their compromise into your network, such as placing them self in the Domain Admin or Enterprise Admin group.  These groups have what we call 'god' like permissions inside of AD.  They should be strictly monitored as failing to monitor these groups could lead to big issues down the track. 

A few scenarios that I have seen play out are below.
  1. Accidental insider threat #1 - A user in your network is trying to run a bespoke application that requires a whole lot more access than any normal application, one of your admins has been spending a week trying to resolve the issue and in frustration adds the users account to Domain Admin to 'make the issue' go away.
  2. Accidental insider threat #2 - A developer is deploying their new application to production, again the service will not start so the developer adds the service account to domain admin to make the application run.
  3. Malicious insider threat - An admin in the network (regardless of status) is curious about an upcoming press release but does not have access to the folder that houses the files.  They add them self to a group to provide access.
  4. Malicious External Threat - This is not the easiest to spot, but the easiest to describe.  An account has been compromised and the external threat requires to be added to a privileged group to carry out the tasks they need.

What Events?
The event codes that we are interested in are below (if you don't have any <=2003 hosts then remove that section:

XP-2003 Event Codes
Event Code 631 - Security Enabled Global Group Created
Event Code 632 - Security Enabled Global Group Member Added
Event Code 633 - Security Enabled Global Group Member Removed
Event Code 634 -  Security Enabled Global Group Deleted
Event Code 653 -  Security Disabled Global Group Created
Event Code 654 - Security Disabled Global Group Changed
Event Code 657 - Security Disabled Global Group Deleted
Event Code 655 -  Security Disabled Global Group Member Added
Event Code 656 - Security Disabled Global Group Member Removed
Event Code 658 - Security Enabled Universal Group Created
Event Code 659 - Security Enabled Universal Group Changed
Event Code 660 - Security Enabled Universal Group Member Added
Event Code 661 -  Security Enabled Universal Group Member Removed
Event Code 662 - Security Enabled Universal Group Deleted
Event Code 663 -  Security Disabled Universal Group Created
Event Code 665 - Security Disabled Universal Group Member Added
Event Code 664 - Security Disabled Universal Group Changed
Event Code 666 - Security Disabled Universal Group Member Removed
Event Code 667 -  Security Disabled Universal Group Deleted

2008+ Event Codes
Event Code 4749 - A security-disabled global group was created.
Event Code 4750 - A security-disabled global group was changed
Event Code 4751 - A member was added to a security-disabled global group.
Event Code 4752 - A member was removed from a security-disabled global group.
Event Code 4753 - A security-disabled global group was deleted.
Event Code 4759 - A security-disabled universal group was created.
Event Code 4760 - A security-disabled universal group was changed.
Event Code 4761 - A member was added to a security-disabled universal group.
Event Code 4762 - A member was removed from a security-disabled universal group.
Event Code 4763 - A security-disabled universal group was deleted.
Event Code 4727 - A security-enabled global group was created.
Event Code 4728 - A member was added to a security-enabled global group.
Event Code 4729 - A member was removed from a security-enabled global group.

Event Code 4730 - A security-enabled global group was deleted.
Event Code 4737 - A security-enabled global group was changed.
Event Code 4754 - A security-enabled universal group was created.
Event Code 4755 - A security-enabled universal group was changed.
Event Code 4756 - A member was added to a security-enabled universal group.
Event Code 4757 - A member was removed from a security-enabled universal group.
Event Code 4758 - A security-enabled universal group was deleted.
Event Code 4764 - A groups type was changed.

How Frequent do we want to see these alerts / reports?
Once a day with a period of the last 24hrs.

Additional Notes?
This is going to be a large report that's why I scheduled it for once a day.  Make it part of your morning environment health check.  You may notice that exchange servers add some users to groups.  I believe this is related to the use of the exchange management console adding users to group mailbox accounts or calendar accounts.  You can grab the GroupEventCodes.csv from my googledrive located below.
If you do not have any 2003 servers then you can remove them from the list.

The search?
 index=wineventlog sourcetype=wineventLog:security [| inputlookup GroupEventCodes.csv] NOT (Security_ID="NT AUTHORITY*") | fields _time, EventCode, Security_ID, signature, user_group, dest_nt_domain, action, subject,member,group | eval subject=mvindex(Security_ID,0) |eval member=mvindex(Security_ID,1) | eval group=mvindex(Security_ID,2) | table _time,EventCode,subject, signature, member, group, action, dest_nt_domain | sort _time

Example:

Detailed Steps:
  1. Logon to your Splunk server. I am running off a Windows Server so I am opening up 'http://localhost:8000/en-GB/'
  2. Click Settings Lookups
  3. Click 'Add New' beside Lookup Table files
  4.  Fill in details as per below then click Save. Use the lookup table from my google drive.  (link above)
  5. Now we need to edit the permissions so that all apps can use the lookup table. Click 'Permissions' beside your new lookup table ‘GroupEventCodes.csv’
  6. Set permissions as per below and save.
     
  7. Click 'Lookups' to get to the main Lookup menu.
  8. Now lets add a lookup definition for Splunk to search against. Click ‘Add New’ beside Lookup definitions.
  9.  Type in details as per below
  10. Click the splunk icon in the top left hand corner to go back to your default dashboard.
  11. Click Search and Reporting
  12. Copy in the search as detailed in ‘The search?”, select last 24hrs.  Once the search has completed click 'Save As'.
  13. Click 'Report'
  14. Enter Title - 'Group Activity - Last 24 Hours'
  15. Enter Description - 'This report is generated daily to notify the Administrators of the environment of any changes, adds or deletions to groups in the last 24 hours.'
  16. Time Range Picker - 'Yes'
  17. Click Save.
  18. Click 'Schedule'
     
  19. Tick 'Schedule Report' and fill out as below.
  20. Click next.
  21. Tick Send email, fill out the to address (SMTP will need to be configured for email to successfully send), then tick 'inline Table'
  22. Click Save