Hi All,
If you read my previous post on configuring audit logging, you will know that I am writing a series of blog posts about improving visibility in your network for Security Operations. If you haven't seen it, it is here: http://mickeysecurity.blogspot.com.au/2016/08/my-recommended-windows-active-directory.html
This is Tip 2 in my series on improving visibility in your network. This week I want to cover one of the most used features of Windows AD: groups. Groups in AD are used to logically manage users, reducing the need to add users individually to SACLs, and to join users by commonality, i.e. "Finance Users" or "Corporate Newsletter". There are two group types:
- Security - Used to apply security controls to files, folders and Active Directory objects.
- Distribution - A group type that cannot be applied to permissions of files, folders and Active Directory objects.
Why?
As groups are the predominant source of access control in your environment, it is important to ensure that a user is not added to a group when they don't have approval to do so or do not require that level of permission.
The Threat?
The biggest threat would be an external threat actor utilising privileged groups to further their compromise of your network, such as placing themselves in the Domain Admins or Enterprise Admins group. These groups have what we call 'god-like' permissions inside AD. They should be strictly monitored, as failing to monitor these groups could lead to big issues down the track.
A few scenarios that I have seen play out are below.
- Accidental insider threat #1 - A user in your network is trying to run a bespoke application that requires far more access than any normal application. One of your admins has spent a week trying to resolve the issue and, in frustration, adds the user's account to Domain Admins to 'make the issue go away'.
- Accidental insider threat #2 - A developer is deploying their new application to production. Again, the service will not start, so the developer adds the service account to Domain Admins to make the application run.
- Malicious insider threat - An admin in the network (regardless of status) is curious about an upcoming press release but does not have access to the folder that houses the files. They add themselves to a group to gain access.
- Malicious external threat - This is not the easiest to spot, but the easiest to describe. An account has been compromised and the external threat actor needs that account added to a privileged group to carry out the tasks they have in mind.
What Events?
The event codes that we are interested in are below (if you don't have any <=2003 hosts then remove that section):
XP-2003 Event Codes
- Event Code 631 - Security Enabled Global Group Created
- Event Code 632 - Security Enabled Global Group Member Added
- Event Code 633 - Security Enabled Global Group Member Removed
- Event Code 634 - Security Enabled Global Group Deleted
- Event Code 653 - Security Disabled Global Group Created
- Event Code 654 - Security Disabled Global Group Changed
- Event Code 655 - Security Disabled Global Group Member Added
- Event Code 656 - Security Disabled Global Group Member Removed
- Event Code 657 - Security Disabled Global Group Deleted
- Event Code 658 - Security Enabled Universal Group Created
- Event Code 659 - Security Enabled Universal Group Changed
- Event Code 660 - Security Enabled Universal Group Member Added
- Event Code 661 - Security Enabled Universal Group Member Removed
- Event Code 662 - Security Enabled Universal Group Deleted
- Event Code 663 - Security Disabled Universal Group Created
- Event Code 664 - Security Disabled Universal Group Changed
- Event Code 665 - Security Disabled Universal Group Member Added
- Event Code 666 - Security Disabled Universal Group Member Removed
- Event Code 667 - Security Disabled Universal Group Deleted
2008+ Event Codes
- Event Code 4727 - A security-enabled global group was created.
- Event Code 4728 - A member was added to a security-enabled global group.
- Event Code 4729 - A member was removed from a security-enabled global group.
- Event Code 4737 - A security-enabled global group was changed.
- Event Code 4749 - A security-disabled global group was created.
- Event Code 4750 - A security-disabled global group was changed.
- Event Code 4751 - A member was added to a security-disabled global group.
- Event Code 4752 - A member was removed from a security-disabled global group.
- Event Code 4753 - A security-disabled global group was deleted.
- Event Code 4754 - A security-enabled universal group was created.
- Event Code 4755 - A security-enabled universal group was changed.
- Event Code 4756 - A member was added to a security-enabled universal group.
- Event Code 4757 - A member was removed from a security-enabled universal group.
- Event Code 4758 - A security-enabled universal group was deleted.
- Event Code 4759 - A security-disabled universal group was created.
- Event Code 4760 - A security-disabled universal group was changed.
- Event Code 4761 - A member was added to a security-disabled universal group.
- Event Code 4762 - A member was removed from a security-disabled universal group.
- Event Code 4763 - A security-disabled universal group was deleted.
- Event Code 4764 - A group's type was changed.
How frequently do we want to see these alerts / reports?
Once a day, covering the last 24 hours.
Additional Notes?
This is going to be a large report, which is why I scheduled it for once a day. Make it part of your morning environment health check. You may notice that Exchange servers add some users to groups. I believe this is related to the Exchange Management Console adding users to group mailbox accounts or calendar accounts. You can grab the GroupEventCodes.csv from my Google Drive, located below.
If you do not have any 2003 servers then you can remove them from the list.
The search?
index=wineventlog sourcetype=wineventLog:security [| inputlookup GroupEventCodes.csv] NOT (Security_ID="NT AUTHORITY*")
| fields _time, EventCode, Security_ID, signature, user_group, dest_nt_domain, action, subject, member, group
| eval subject=mvindex(Security_ID,0)
| eval member=mvindex(Security_ID,1)
| eval group=mvindex(Security_ID,2)
| table _time, EventCode, subject, signature, member, group, action, dest_nt_domain
| sort _time
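To make the search's logic concrete, here is an added Python example (my own, not the author's Splunk search) that applies the same filtering and Security_ID splitting to a few constructed events, and additionally flags changes to the privileged groups named in the threat section. The event-code set standing in for GroupEventCodes.csv, the sample events and the privileged-group watch list are all assumptions.

```python
# Stand-in for GroupEventCodes.csv (assumption: a single EventCode column
# holding the 2008+ codes from the list above).
GROUP_EVENT_CODES = {
    4727, 4728, 4729, 4737, 4749, 4750, 4751, 4752, 4753, 4754,
    4755, 4756, 4757, 4758, 4759, 4760, 4761, 4762, 4763, 4764,
}
# Groups singled out in the threat section; hypothetical watch list.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}

# Constructed sample events shaped like Splunk's extracted fields. Security_ID
# is multivalue, in order of appearance: Subject, Member, Group (as the SPL assumes).
SAMPLE_EVENTS = [
    {"_time": "2016-08-10T09:15:00", "EventCode": 4728, "dest_nt_domain": "CORP",
     "signature": "A member was added to a security-enabled global group.",
     "Security_ID": ["CORP\\jsmith", "CORP\\svc_app", "CORP\\Domain Admins"]},
    {"_time": "2016-08-10T08:02:00", "EventCode": 4729, "dest_nt_domain": "CORP",
     "signature": "A member was removed from a security-enabled global group.",
     "Security_ID": ["CORP\\hr_admin", "CORP\\asmith", "CORP\\Finance Users"]},
    # Excluded by NOT Security_ID="NT AUTHORITY*" (e.g. Exchange/system changes).
    {"_time": "2016-08-10T07:30:00", "EventCode": 4728, "dest_nt_domain": "CORP",
     "signature": "A member was added to a security-enabled global group.",
     "Security_ID": ["NT AUTHORITY\\SYSTEM", "CORP\\EXCH01$", "CORP\\Exchange Servers"]},
    # Not a group event; fails the inputlookup subsearch filter.
    {"_time": "2016-08-10T10:00:00", "EventCode": 4624, "dest_nt_domain": "CORP",
     "signature": "An account was successfully logged on.", "Security_ID": ["CORP\\bob"]},
]

def group_name(account):
    """'CORP\\Domain Admins' -> 'Domain Admins'."""
    return account.split("\\")[-1]

def build_group_report(events, codes=GROUP_EVENT_CODES):
    """Mirror the SPL: keep codes in the lookup, drop anything involving an
    NT AUTHORITY principal, split Security_ID with mvindex semantics, sort by time."""
    rows = []
    for ev in events:
        if ev["EventCode"] not in codes:
            continue
        sids = ev.get("Security_ID", [])
        if any(s.upper().startswith("NT AUTHORITY") for s in sids):
            continue
        sids = (sids + [None, None, None])[:3]  # mvindex returns null if absent
        subject, member, group = sids
        rows.append({"_time": ev["_time"], "EventCode": ev["EventCode"],
                     "subject": subject, "signature": ev.get("signature"),
                     "member": member, "group": group,
                     "dest_nt_domain": ev.get("dest_nt_domain"),
                     "privileged": bool(group) and group_name(group) in PRIVILEGED_GROUPS})
    return sorted(rows, key=lambda r: r["_time"])
```

The `privileged` column is the one addition beyond the SPL: in the daily report it lets the Domain Admins row stand out from routine membership housekeeping.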
Example:
Detailed Steps:
- Log on to your Splunk server. I am running it on a Windows Server, so I open 'http://localhost:8000/en-GB/'.
- Click Settings, then Lookups.
- Click 'Add New' beside Lookup table files.
- Fill in the details as per below, then click Save. Use the lookup table from my Google Drive (link above).
- Now we need to edit the permissions so that all apps can use the lookup table. Click 'Permissions' beside your new lookup table 'GroupEventCodes.csv'.
- Set the permissions as per below and save.
- Click 'Lookups' to get back to the main Lookup menu.
- Now let's add a lookup definition for Splunk to search against. Click 'Add New' beside Lookup definitions.
- Type in the details as per below.
- Click the Splunk icon in the top left-hand corner to go back to your default dashboard.
- Click Search and Reporting.
- Copy in the search as detailed in 'The search?' and select Last 24 hours. Once the search has completed, click 'Save As'.
- Click 'Report'.
- Enter Title: 'Group Activity - Last 24 Hours'
- Enter Description: 'This report is generated daily to notify the Administrators of the environment of any changes, adds or deletions to groups in the last 24 hours.'
- Time Range Picker: 'Yes'
- Click Save.
- Click 'Schedule'.
- Tick 'Schedule Report' and fill it out as below.
- Click Next.
- Tick 'Send email', fill out the To address (SMTP will need to be configured for email to send successfully), then tick 'Inline Table'.
- Click Save.