Before we start I will make the caveat statement that each environment is different so updating certain settings may not have an affect depending on the environment. For example, the Default Domain Policy in some environments is not linked to any Organisational units in Active Directory.
The Defense - Suspicious Process
Enabling Command Line Process Auditing.
For this portion of the guide we will be enabling command line auditing through group policy. The intention is to cover all hosts in the environment so updating the Default Domain Policy is a good start in my environment as that covers all hosts.
First step is to open up group policy management as shown below.
Next Right Click Default Domain Policy and Select Edit
Expand Computer configuration | Expand Administrative Templates | Expand System | Select Audit Process Creation | R-Click Include Command Line in Process Command Creation Events | Select Edit
Close Group Policy and you are done :).
The Defense - AD Reconnaissance
How to detect internal reconnaissance of your environment through Windows Auditing and Event Logs.
This portion of the guide is going to show you how to setup group policy and also how to enable logging for certain items in your environment. The advantage of what I am going to show you will provide the defender with a log that is triggered when ever certain attributes of either the Guest account, Domain Admin Group or Enterprise Admin group are queried.
Now that I have presented this topic at a conference attackers may change the way they query groups in the domain excluding queries to the Domain Admin group / Enterprise Admin group. They may start using Schema Admins or exclude those groups completely. The aim of this post is to show you the technique and then you can adopt to your own situation. Ultimately allowing you to create honey users or honey groups!
First steps are to configure group policy to log the new events. The events will be logged on your Domain Controllers in the Security log so look for them there.
Open up group policy management as shown below.
Next Right Click Default Domain Controller Policy and Select Edit
Expand Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access
Edit Both Audit Directory Service Access and Audit Directory Service Changes to Success and Failure
Close Group Policy.
Auditing Access to Groups - Honey Groups!!
What we are trying to achieve here is to create an event that will be logged on the Domain Controllers when anyone queries the members or memberof a particular group, limiting the noise as well. Alert noise ultimately means alerts that are not monitored and thats not good!
Open up Active Directory Users and Computers
Make sure that under View, Advanced features is ticked.
As I am using Domain Admins for my example I will select the Users OU
Right Click the Domain Admins Group | Select properties | Select Security | Select Advanced
Click the Auditing Tab | Click Add
The instructions below are inclusive meaning do not untick any boxes that I have not mentioned. Click Add
- Principal - Everyone
- Type - All
- Applies to ‘This Object only’
- Tick the following attributes
- Modify Owner
- Modify Permissions
- Add/Remove self as member
- Read Members
- Read memberOf
- Read memberUID
- Read nTGroupMembers
Click Apply and Save
If you make a mistake, you can always go in to the auditing tab and click restore defaults to get you out of trouble :). Repeat this for any Group that you want to monitor.
EventCode 4661 and 4662 will now be logged to your Domain Controllers. To make use out of this event look for accounts that are not admins querying the group membership of administrative groups. i.e Joe Bloggs in Marketing has no reason to query the membership of the Domain Admins group. The following commands have been tested and each log an event in the event log ;)
dsget group "CN=Domain Admins,CN=Users,DC=conf2016,DC=local" -members
get-adgroupmember "Domain Admins"
net group "Domain Admins" /domain
If you are getting excessive 4661 events with SAM_DOMAIN have a look at the following article.
https://support.microsoft.com/en-au/kb/841001
Or alternatively configure the following blacklist in your Splunk inputs.conf under Splunk_TA_windows\local\inputs.conf
blacklist3 = EventCode="4661" Message="SAM_DOMAIN|SAM_ALIAS|SAM_SERVER"
The following steps show you how to configure DNS logging on your DNS server. It is important to test this in a non production environment prior to production. This will need to be configured on each DNS server.
Logon to the DNS server.
Open DNS
Right Click the Server Name and Click Properties
Select Debug Logging Tab | Tick Details | Enter File Path. Make sure the file path exists and try to keep it on a non system drive.
