Blueteam Notes

2 minute read

General

  • limit login of DAs to DCs only
  • never run a service with DA privileges
  • check out temporary group memberships (Can have TTL)
  • disable account delegation for sensitive accounts (in ad usersettings)

Attack detection & mitigation

Detect Golden Ticket

  • 4624: Account Logon
  • 4634: Account Logoff
  • 4672: Admin Logon (should be monitored on the dc)

Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 |Format-List -Property *

Detect Skeleton Key

  • 7045: A Service was installed in the system.
  • 4673: Sensitive Privilege user (requires audit privileges)
  • 4611: Trusted logon process has been registered with the Local Security Authority (requires audit privileges)

Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*"}

Mitigate Skeleton Key

Run lsass.exe as protected process:
New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa\ -Name RunAsPPL -Value 1 -Verbose
Check:
Get-WinEvent -FilterHashtable @{Logname='System';ID=12} | ?{$_.message -like "*protected process*"}

Detect DSRM

  • 4657: Audit creating/Change of HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehaviour

Detect Malicious SSP

  • 4657: Audit/creation of HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages

Detect Kerberoast

  • 4769: A Kerberos ticket as requested, Filter: Name != krbtgt, does not end with $, not machine@domain, Failure code is 0x0 (success), ticket encryption is 0x17 (rc4-hmac)

Mitigate Kerberoast

Use strong passwords and manage service accounts (that change their password automatically at set periods)

Detect ACL Scan (requires enabled audit policy)

  • 4662: Operation was performed on an object
  • 5136: directory service object was modified
  • 4670: permissions on an object were changed

Mitigate Trust Attack

  • Enable SID Filtering
  • Enable Selective Authentication (access between forests not automated)

Hardening

Advanced Threat Analytics

  • Traffic for DCs is mirrored to ATA Sensors (or installed on dc as service), activity profile is build
  • Collects 4776 (credential validation of a user) to detect replay attacks, detects behavioral anomalies
  • Detects: account enumeration, netsession enumeration, Brute Force, exposed cleartext credentials, honey tokens, unusual protocols, credential attacks (pth,ptt,ticket replay)
  • Will NOT detect non existent users for golden ticket
  • Detects DCSync, but not DCShadow

LAPS

  • Centralized password storage with periodic randomization, stored in computer objects in fields mc-mcsAdmPwd (cleartext), ms-mcs-AdmPwdExperiationTime

Device Guard

  • Hardens against malware
  • Run trusted code only, enforced in Kernel and Userspace (CCI, UMCI, KMCI)
  • UEFI SEcure Boot protects bios and firmware

Procted Users Group

  • Cannot use CredSSP & Wdigest (no more cleartext creds)
  • NTLM Hash not cached
  • Kerberos does not use DES or RC4
  • Requires at least server 2008, need to test impact, no offline sign-on (no caching), useless for computers and service accounts

Privileged Administrative Workstations

  • Use hardened workstation for performing sensitive tasks

Layered architecture

  • Tier0: Domain Admins/Enterprise Admins
  • Tier1: Significant Resource Access
  • Tier2: Administrator for Workstations / Support etc.

Red Forest

  • ESAE Enhanced Security Admin Environment
  • Dedicated administrative forest for managing critical assets (forests are security boundaries)

Updated: