Tuesday 14 March 2017

ACSC Log Source Configuration

Hi ACSC Folk,

Thanks for passing by and looking at my presentation. Below are some areas that I covered in my talk. Hope you enjoy implementing them :). There is some duplicate content from .conf2016, as I wanted my visitors to not have to dig through my blog to get the information they need. If you want me to come in and help you deploy any of these in your environment I will be more than happy to; hit me up on Twitter or LinkedIn.

The Defense - Admin Remote Code Execution Flaw Page
To make this easy I have packaged this up in a zip file.  Link below
https://drive.google.com/open?id=0B1rXi_hylyatd0xnb3F4TkFycWM

Here is the Splunk search for the access_combined sourcetype. It counts requests to the results page whose Referer is the healthcheck page, which is the path a visitor only takes if they followed the bait.
source="access.log.2" host="splunk" index="main" sourcetype="access_combined" uri_path="/admin_ce_results.html" referer="*/admin_ce_healthcheck.html" | stats count by host | table count
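The same detection outside Splunk, as an added example that is not part of the original post or its zip file: a small access_combined parser run over a few constructed log lines, flagging requests to the results page that arrive with the healthcheck page as the Referer. It counts per client address rather than per Splunk host, which is the pivot you want when deciding whom to investigate; the hostnames, addresses and paths in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache/Splunk access_combined format (not real traffic).
# Lines 3 and 5 are the case the search is after: the results page fetched with the
# healthcheck page as the Referer. The last line is deliberately malformed.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [14/Mar/2017:09:12:01 +1100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [14/Mar/2017:09:13:44 +1100] "GET /admin_ce_healthcheck.html HTTP/1.1" 200 812 "https://www.example.gov.au/" "Mozilla/5.0"
10.0.0.7 - - [14/Mar/2017:09:13:59 +1100] "GET /admin_ce_results.html?check=1 HTTP/1.1" 200 233 "https://www.example.gov.au/admin_ce_healthcheck.html" "Mozilla/5.0"
10.0.0.9 - - [14/Mar/2017:09:20:10 +1100] "GET /admin_ce_results.html HTTP/1.1" 200 233 "-" "curl/7.52.1"
10.0.0.9 - - [14/Mar/2017:09:20:30 +1100] "POST /admin_ce_results.html HTTP/1.1" 200 233 "http://www.example.gov.au/admin_ce_healthcheck.html" "curl/7.52.1"
this line is not access_combined and is skipped by the parser
"""

# One access_combined record: client, identd, user, [timestamp], "request", status, bytes, "referer", "agent"
ACCESS_COMBINED = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)


def parse_access_combined(text):
    """Parse access_combined lines into dicts; lines that do not match are dropped."""
    events = []
    for line in text.splitlines():
        m = ACCESS_COMBINED.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Splunk's uri_path field is the request path without the query string.
        ev["uri_path"] = ev["uri"].split("?", 1)[0]
        events.append(ev)
    return events


def honey_page_hits(events, uri_path="/admin_ce_results.html",
                    referer_page="/admin_ce_healthcheck.html"):
    """Equivalent of the SPL filter plus 'stats count', keyed by client address.
    referer="*/admin_ce_healthcheck.html" becomes an endswith() check."""
    hits = Counter()
    for ev in events:
        if ev["uri_path"] == uri_path and ev["referer"].endswith(referer_page):
            hits[ev["clientip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for client, count in honey_page_hits(parse_access_combined(SAMPLE_ACCESS_LOG)).items():
        print(f"{client}: {count} hit(s) on the honey results page")
```

Any non-zero count is worth a look: legitimate users have no reason to know the healthcheck page exists, so each address in the output is a lead rather than noise.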



The Defense - Spam Trap
For this exercise you will need to set up a valid email account; you should be able to ask your mail administrator to do this for you. The code snippet below will get you on the results list of theHarvester only if the address is on your main page associated with your root domain, i.e. if your mail domain is blahblah.gov.au make sure that you put the code snippet on the https://blahblah.gov.au website (hopefully you're running HTTPS!!!!). Other domains, even though they may be registered to you, may not show up. I personally haven't tested the snippet below as a hidden comment, so if you do successfully let me know and I will update my blog post :).

Code Snippet
<a href="mailto:dev_webteam@yourorganisation.com.au">Developer contact : dev_webteam@yourorganisation.com.au</a>


Splunk Search
Below I am using our Splunk Stream SMTP capture device to pull emails off the wire. The first part of each search can be changed to suit your environment/index, but this lets you understand what you need to do at a high level.

Build a list of people sending to your spam-catch email, deduplicate the results, and finally output to a CSV lookup file, appending to whatever it already holds.
index=mail sourcetype="stream:smtp" receiver_email="dev_webteam@yourorganisation.com.au" | dedup sender_email | table sender_email | outputlookup append=true spamcatch.csv

Now you can email this CSV once a week to your mail administrators by using the following search
|inputlookup spamcatch.csv | dedup sender_email

In addition, you can create a search to see who else has been sent an email by the addresses on the spam-catch list, as follows. You may find some security incidents this way.
index=mail sourcetype="stream:smtp" receiver_email!="dev_webteam@yourorganisation.com.au" [|inputlookup spamcatch.csv | dedup sender_email] | table sender_email, receiver_email, subject, content_body
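The three searches above as one offline procedure, added here as an example that is not part of the original post: build the deduplicated sender list from mail delivered to the trap address (merging with an existing lookup, as outputlookup append=true does), render it as the CSV you would mail out, and then pivot to every message one of those senders addressed to anyone other than the trap. The SMTP records, addresses and field names are constructed for the example; map the keys to your own stream:smtp fields.

```python
import csv
import io

TRAP_ADDRESS = "dev_webteam@yourorganisation.com.au"

# Constructed SMTP records (not real mail) shaped like the fields the searches use.
SAMPLE_SMTP_EVENTS = [
    {"sender_email": "offers@bulkmail.example", "receiver_email": TRAP_ADDRESS,
     "subject": "Limited offer", "content_body": "Act now"},
    {"sender_email": "offers@bulkmail.example", "receiver_email": TRAP_ADDRESS,
     "subject": "Limited offer 2", "content_body": "Still time"},
    {"sender_email": "colleague@partner.example", "receiver_email": "alice@yourorganisation.com.au",
     "subject": "Meeting", "content_body": "See you at 10"},
    {"sender_email": "Offers@BulkMail.example", "receiver_email": "bob@yourorganisation.com.au",
     "subject": "Limited offer", "content_body": "Act now"},
    {"sender_email": "invoice@phish.example", "receiver_email": TRAP_ADDRESS,
     "subject": "Invoice attached", "content_body": "Open the attachment"},
    {"sender_email": "invoice@phish.example", "receiver_email": "carol@yourorganisation.com.au",
     "subject": "Invoice attached", "content_body": "Open the attachment"},
]


def build_spamcatch(events, trap=TRAP_ADDRESS, existing=()):
    """Search 1: senders that wrote to the trap address, deduplicated (case-insensitively)
    and merged with the senders the lookup already held (outputlookup append=true)."""
    senders = {s.lower() for s in existing}
    for ev in events:
        if ev["receiver_email"].lower() == trap.lower():
            senders.add(ev["sender_email"].lower())
    return sorted(senders)


def spamcatch_csv(senders):
    """Search 2: the lookup as a single-column CSV ready to send to the mail admins."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["sender_email"])
    for sender in senders:
        writer.writerow([sender])
    return buf.getvalue()


def mail_from_trapped_senders(events, senders, trap=TRAP_ADDRESS):
    """Search 3: mail from a trapped sender to anyone other than the trap address,
    as (sender, receiver, subject, body) rows. These are the mailboxes to check."""
    trapped = {s.lower() for s in senders}
    return [
        (ev["sender_email"], ev["receiver_email"], ev["subject"], ev["content_body"])
        for ev in events
        if ev["sender_email"].lower() in trapped
        and ev["receiver_email"].lower() != trap.lower()
    ]


if __name__ == "__main__":
    trapped = build_spamcatch(SAMPLE_SMTP_EVENTS)
    print(spamcatch_csv(trapped))
    for row in mail_from_trapped_senders(SAMPLE_SMTP_EVENTS, trapped):
        print("trapped sender reached a real mailbox:", row)
```

Addresses are compared case-insensitively because the local part of an address is not guaranteed to arrive with consistent casing; without that, the same sender can slip past the dedup and the pivot in search 3.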

The Defense - AD Reconnaissance

How to detect internal reconnaissance of your environment through Windows Auditing and Event Logs.
This portion of the guide is going to show you how to set up group policy and how to enable logging for certain items in your environment. The advantage of what I am going to show you is that it provides the defender with a log entry that is triggered whenever certain attributes of the Guest account, the Domain Admins group or the Enterprise Admins group are queried.

Now that I have presented this topic at a conference, attackers may change the way they query groups in the domain, excluding queries to the Domain Admins / Enterprise Admins groups. They may start using Schema Admins or exclude those groups completely. The aim of this post is to show you the technique so you can adapt it to your own situation, ultimately allowing you to create honey users or honey groups!

First steps are to configure group policy to log the new events.  The events will be logged on your Domain Controllers in the Security log so look for them there.

Open up group policy management as shown below.

Next, right-click Default Domain Controllers Policy and select Edit

Expand Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | Audit Policies | DS Access

Edit Both Audit Directory Service Access and Audit Directory Service Changes to Success and Failure

Close Group Policy.

Auditing Access to Groups - Honey Groups!!
What we are trying to achieve here is to create an event that will be logged on the Domain Controllers when anyone queries the members or memberOf of a particular group, while limiting the noise as well. Alert noise ultimately means alerts that are not monitored, and that's not good!

Open up Active Directory Users and Computers

Make sure that under View, Advanced features is ticked.

As I am using Domain Admins for my example I will select the Users OU

Right Click the Domain Admins Group | Select properties | Select Security | Select Advanced

Click the Auditing Tab | Click Add


The instructions below are inclusive meaning do not untick any boxes that I have not mentioned. Click Add
  • Principal - Everyone
  • Type - All
  • Applies to ‘This Object only’
  • Tick the following attributes
    • Modify Owner
    • Modify Permissions
    • Add/Remove self as member
    • Read Members
    • Read memberOf
    • Read memberUID
    • Read nTGroupMembers

Click Apply and Save
If you make a mistake, you can always go in to the auditing tab and click restore defaults to get you out of trouble :).  Repeat this for any Group that you want to monitor.

EventCode 4661 and 4662 will now be logged on your Domain Controllers. To make use of these events, look for accounts that are not admins querying the group membership of administrative groups, i.e. Joe Bloggs in Marketing has no reason to query the membership of the Domain Admins group. The following commands have been tested and each logs an event in the event log ;)

dsget group "CN=Domain Admins,CN=Users,DC=conf2016,DC=local" -members
get-adgroupmember "Domain Admins"
net group "Domain Admins" /domain

If you are getting excessive 4661 events with SAM_DOMAIN have a look at the following article.
https://support.microsoft.com/en-au/kb/841001

Alternatively, configure the following blacklist entry in your Splunk inputs.conf under Splunk_TA_windows\local\inputs.conf so the SAM handle events are dropped at the forwarder.

blacklist3 = EventCode="4661" Message="SAM_DOMAIN|SAM_ALIAS|SAM_SERVER"
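The detection described for the honey group, together with the SAM noise filter from the blacklist line, as an added example that is not part of the original post. It runs over a handful of constructed 4661/4662 records and raises an alert when an account that is neither on an allowlist nor a computer account ($ suffix) touches a watched object. 4662 names the object by distinguished name; SAM-based 4661 events (the net group path) name it by SID, so the standard well-known RIDs 512 (Domain Admins) and 519 (Enterprise Admins) are mapped back to names. The field names, the allowlist contents, the $-suffix exclusion and the conf2016.local domain are this example's assumptions, not Windows or Splunk field names; the same function watches a honey user such as svc_domain_restore by adding its name to the watched set.

```python
import re

# Constructed, simplified Security-log records (not real events). Keys are this example's
# own; map them to the fields your Windows TA extracts. Object_Name values are made up.
SAMPLE_EVENTS = [
    {"EventCode": 4662, "Account_Name": "jbloggs", "Object_Type": "group",
     "Object_Name": "CN=Domain Admins,CN=Users,DC=conf2016,DC=local",
     "Accesses": "Read Property", "Message": "An operation was performed on an object."},
    {"EventCode": 4662, "Account_Name": "da_admin", "Object_Type": "group",
     "Object_Name": "CN=Domain Admins,CN=Users,DC=conf2016,DC=local",
     "Accesses": "Read Property", "Message": "An operation was performed on an object."},
    {"EventCode": 4662, "Account_Name": "DC01$", "Object_Type": "group",
     "Object_Name": "CN=Domain Admins,CN=Users,DC=conf2016,DC=local",
     "Accesses": "Read Property", "Message": "An operation was performed on an object."},
    {"EventCode": 4661, "Account_Name": "jbloggs", "Object_Type": "SAM_DOMAIN",
     "Object_Name": "DC=conf2016,DC=local", "Accesses": "ReadOtherParameters",
     "Message": "A handle to an object was requested. Object Type: SAM_DOMAIN"},
    {"EventCode": 4661, "Account_Name": "jbloggs", "Object_Type": "SAM_GROUP",
     "Object_Name": "S-1-5-21-1111111111-2222222222-3333333333-512",
     "Accesses": "ReadInformation",
     "Message": "A handle to an object was requested. Object Type: SAM_GROUP"},
    {"EventCode": 4662, "Account_Name": "jbloggs", "Object_Type": "user",
     "Object_Name": "CN=jbloggs,CN=Users,DC=conf2016,DC=local",
     "Accesses": "Read Property", "Message": "An operation was performed on an object."},
    {"EventCode": 4662, "Account_Name": "jbloggs", "Object_Type": "user",
     "Object_Name": "CN=svc_domain_restore,CN=Users,DC=conf2016,DC=local",
     "Accesses": "Read Property", "Message": "An operation was performed on an object."},
]

WATCHED_NAMES = {"Domain Admins", "Enterprise Admins", "svc_domain_restore"}  # honey groups and users
ALLOWED_ACCOUNTS = {"da_admin"}  # placeholder: the accounts expected to query these objects
WELL_KNOWN_RIDS = {"512": "Domain Admins", "519": "Enterprise Admins"}  # standard AD RIDs
SAM_NOISE = re.compile(r"SAM_DOMAIN|SAM_ALIAS|SAM_SERVER")  # same pattern as the inputs.conf blacklist


def is_sam_noise(ev):
    """The 4661 handle events the blacklist line drops at the forwarder."""
    return ev["EventCode"] == 4661 and SAM_NOISE.search(ev["Message"]) is not None


def object_display_name(object_name):
    """Reduce the object reference to a name comparable with WATCHED_NAMES: the leading CN of a
    distinguished name, or the well-known group behind a SID's RID. None if neither applies."""
    m = re.match(r"CN=([^,]+)", object_name, re.IGNORECASE)
    if m:
        return m.group(1)
    m = re.match(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$", object_name)
    if m:
        return WELL_KNOWN_RIDS.get(m.group(1))
    return None


def honey_alerts(events, watched=WATCHED_NAMES, allowed=ALLOWED_ACCOUNTS):
    """Alert on 4661/4662 events where a non-allowlisted, non-computer account touches a watched object."""
    watched_lc = {w.lower() for w in watched}
    allowed_lc = {a.lower() for a in allowed}
    alerts = []
    for ev in events:
        if ev["EventCode"] not in (4661, 4662) or is_sam_noise(ev):
            continue
        name = object_display_name(ev["Object_Name"])
        if name is None or name.lower() not in watched_lc:
            continue
        acct = ev["Account_Name"]
        if acct.endswith("$") or acct.lower() in allowed_lc:
            continue  # domain controllers and the known admin team are expected to read these
        alerts.append({"account": acct, "object": name,
                       "event": ev["EventCode"], "accesses": ev["Accesses"]})
    return alerts


if __name__ == "__main__":
    for alert in honey_alerts(SAMPLE_EVENTS):
        print(f"ALERT {alert['event']}: {alert['account']} -> {alert['object']} ({alert['accesses']})")
```

The allowlist is what keeps this actionable: every name on it is an account you have decided may read these objects, so anything left over is Joe Bloggs in Marketing, exactly the case the post describes.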


Auditing Queries to Users - Honey Users!!
What we are trying to achieve here is to create an event that will be logged on the Domain Controllers when anyone queries the memberOf of a particular user. Warning: depending on the location of the user this can be noisy.

Open up Active Directory Users and Computers

Make sure that under View, Advanced features is ticked.

As I am using svc_domain_restore for my example, and this user is in the Users OU

Right Click the user you want to modify, in my example it is svc_domain_restore | Select properties | Select Security | Select Advanced

Applies to 'everyone'

The instructions below are inclusive meaning do not untick any boxes that I have not mentioned. Click Add
  • Principal - Everyone
  • Type - All
  • Applies to ‘This Object only’
  • Tick the following attributes
    • Read profilePath
    • Write profilePath
    • Read desktopProfile
    • Write desktopProfile
    • Read Member Of