
Hey everyone, it's two o'clock, so we have started with the presentation. Hi everyone, my name's Richard Smith. I'm presenting on enriching your SOC investigations with insights from Active Directory. If you're not here for this, the rooms are that way, but I think we all pretty much should know where we're supposed to be by now, so that's good. Cool, all right. So, favorite content, that's fine.

Hello, my name is Richard Smith. I am a security operations center consultant, and now an engineer, just in defensive cyber security engineering, working at Security Risk Advisors, also known as SRA. SRA is a consultancy firm headquartered in Philadelphia; we have an office in Rochester, New York as well. We work mainly with Fortune 100 clients and large companies like that, and so I've been focusing on both defending and engineering detections, and doing all kinds of defensive work for those clients for the past maybe three years now. I've got 13 years' experience total in the IT field, going from systems and network engineering through being a VMware consultant, so I've had some experience of working with Active Directory in a number of different contexts and industries over the years.

It's right at the bottom so it's kind of hard to see, but you can find me on Mastodon. I do have a Mastodon handle; I don't know how I pronounce that, it's just a random string of letters that made sense to me at the time. If you want to reach out to me, reach out from your Mastodon through that. So certainly, if you have any questions I haven't addressed today, you can contact me through Mastodon.

So first off, why this topic? Well, as a SOC analyst I realized that a lot of my fellow SOC analysts aren't really all that familiar with
how AD works, or how AD can be useful in their security investigations. I realized after a few months of working as a defender in the SOC that my experience as a sysadmin and systems and network engineer gave me some really advantageous expertise and knowledge, and that enabled me to pass on some insights to my co-workers. I'm now passing some of that on to you as well, because, as you'll see, that expertise is not necessarily the first sort of line of things that people want to study when they get into defensive cyber security, but it is vitally important. So apologies to anyone for whom this is way too basic, but let's start with a brief introduction to what exactly Active Directory is and what it's for.

So Active Directory, well, fully Active Directory Domain Services, is Microsoft's... I'm just reading this slide... it's Microsoft's system for hierarchical storage of data relating to network objects. That could be anything from users, groups, computers, policy objects, any of the objects or items that you would find in an enterprise or a small business network. This is how Microsoft stores all that data and presents it for use. Practically all businesses that run Microsoft Windows architecture are using some version of Active Directory, whether it's on-premises or in the cloud using Azure, or some kind of hybrid of the two. Most businesses are using it, so it is a highly widely used technology. It's highly scalable: Active Directory can replicate schemas across local infrastructure, within one office, within a multi-campus office, within a town, and it can replicate across national or global infrastructures as well. It's usable by anything from small businesses to multinational conglomerates, and the same tool set and architecture is therefore used by anything from a small business to a multinational corporation. So yeah, it is highly scalable and very widely used,
and why does it matter for security professionals? Well, no, hang on, I apologize, I have skipped it there. So, in the cloud we have Azure Active Directory as well as on-prem. I am mainly focusing on on-prem Active Directory in this talk, simply because my experience with Active Directory has mainly been with on-prem. I am starting to get more experience with Azure AD, but I'd rather give you knowledge that I know something about rather than trying to talk about things that I don't have experience with; that way lies madness.

So yeah, why does it matter? Okay, why does it matter to infosec professionals? Well, Active Directory stores an absolute ton of metadata about a given domain, network, computer, group. There's a ton of metadata stored in there which is really useful for both attackers and defenders. It's highly sought after by attackers, and it's really useful to us because it gives us the ability to enrich SOC investigations, because of just the sheer amount of data that one can pull out of Active Directory objects. I'm just going to show you briefly: this is just a quick video of me going through a lab environment and showing the sheer plethora of data that one can get about an object by looking it up in Active Directory.

So here I am going into Active Directory. I think I first go to a user object, Richard Smith. I'm not trying to trust him.

Okay, so we see all this. Most of this, at least, is mostly uninteresting data, but here you can see created and modified dates for the account; you see permissions that the account has, security settings, group memberships, all kinds of things. And this is a group object; there's a ton of attributes you can see in there as well. And lastly, some information on a computer object, again from my lab environment.
That's it. Yeah, okay, so there you go. So that, broadly speaking, is what Active Directory is and what you can do with it from a business perspective. So let's have a look at some useful Active Directory fields from our perspective as infosec professionals.

So there's different types of users, different types of user account objects I should say, in Active Directory. There are just regular user accounts, like you would find for an actual human user who's logging into an environment. You also find group objects, which are of two different kinds: there's security groups, which are associated with permissions to do certain activities in the environment, and distribution groups, which are broadly for, you know, creating an email list, etc. And there are also built-in users. This is probably really what you need to know as an infosec professional: you're going to want to know a bit about the built-in users, because those are the ones that an attacker is probably more likely to try and get leverage on and attack, because a lot of the built-in users are the ones with root-level permissions. You also would find Exchange objects, often, if you're using on-prem Exchange with Active Directory, so you have mailboxes, which are often tied into a user account; you'll find them within the user account object. You'll also find resource objects for Exchange in Active Directory. The way it looks is that it's a user account that is built purely just to serve as a placeholder for an Exchange resource, such as a room or a shared mailbox, objects like that. It's not actually an account that gets logged into.

And then when you look into an AD object, just within the usual Active Directory Users and Computers tool I just showed, you don't necessarily see all the attributes of that object straight away, so you'll want to go into Attribute Editor to see the full list of fields and attributes that an object has. Some of them are kind of hidden away. When you look at Attribute Editor you'll see the full list of fields, and you'll see stuff that maybe you wouldn't have known about if you just looked it up using the regular tool set. Attribute Editor is a tab that's usually available in Active Directory, in ADUC, which is the old GUI, and ADAC, which is the newer version of this tool in the newer editions of Windows Server. You can find it on Windows Server 2016 or later, and you can also download these tools for Windows workstations via the RSAT package, the Remote Server Administration Tools package, which is usually available as a Windows feature in most distributions of Windows. So here I am demonstrating Attribute Editor. This is the editor on the user object, and you can just see the sheer number of attributes and fields that are in there, which aren't typically shown when you just go into a regular properties page. It's all in there and it's all available when you know how to look.

Okay, so command line tools. Probably most of the best and newest features, the most useful new features I should say, for Active Directory research are available in the command line,
whether it's in PowerShell or in old command line tools. So, going back a long time, the net command has been available since forever, right, and that command is used... you can go into the command line and you can query for net computer, or net user, or net group, and that will allow you to add or modify or even just view attributes of a computer, a user or a group. So you can use that as a query to get more information on a user if you need to, for instance. So yes, as a screenshot here, I am running the net user command on Richard Smith in my lab, and all kinds of information just comes up by default in the output of this command. You can see the name, you can see whether the account's active, you can see when it expires, if ever, you can see when the password was last set, which is really useful when you're investigating certain activity, and so on: last logon, etc.

In addition to the command line tools that have been around for a long time, some of the newer features and tools that you can use to make Active Directory queries are in PowerShell. PowerShell cmdlets provide some really advanced, really useful functions with relative ease. So if you're in PowerShell you just import the Active Directory module, and these are basic examples of cmdlets that you can use in the Active Directory module: you can Get-ADUser, you can Get-ADComputer, and you can get all kinds of information from there. If you want more information and more examples of the different commands and all of the pretty incredible stuff that PowerShell cmdlets can do with Active Directory, there's a link there, and I will make this slide deck available after the conference. So again, here I am: you can see at the top there's the output of Get-ADUser; you can see a lot of that same information there about my username, all that kind of useful stuff. You can also get AD computer information, so at the bottom you can see the different aspects of what you can see about a computer object in AD as well. So that's all good stuff.

This is where we get into something that I think is probably a little bit more advanced and more interesting: AD detection engineering. So when you're armed with a
good knowledge of Active Directory, you can use that to build some really quite high fidelity detections on Active Directory in your SIEM. I'm just going to give you a couple of examples, one being Bloodhound detections and the other being Kerberoasting, so I'll just show you how you can build a pretty high fidelity detection for both of those, just using some basic knowledge of Active Directory and logs that are readily available.

So first of all, Bloodhound attacks. What is Bloodhound? Bloodhound is an attacking tool that allows you to enumerate AD objects and attack paths by leveraging a privileged user account and using it to enumerate the Active Directory objects. The telltale sign in Windows of that attack would be event ID 4662. Event ID 4662 tells you that an operation was performed on an object, which sounds about as interesting as dishwater, and because it is such a generic-sounding event, it's very noisy, because every time an operation is performed on an object in Active Directory you're getting a 4662. So if you just turn on event ID 4662 and you think, aha, I'm going to get these event logs and that's going to tell me if we're having a Bloodhound attack, you're going to just get tons and tons of noise, and it's just going to fill up all of your SIEM storage and make your life horrible. So we need to find a way to reduce that noise and have a high fidelity detection that's going to actually tell us when something suspicious is actually going on.

So how do we do that? Well, the first step would be to create a honeypot account. Now I realize, based on Cat's talk earlier, that I'm probably not using the term honeypot quite correctly; I think the term that I'm looking for is a honey... or a honey token, but still, the idea is the same. What you're trying to create is an account in your system that looks incredibly tempting to a potential attacker. You want to take an account that has history, so either take an actual old account and repurpose it, or find some way to make it look as if the account has history, because if you have an admin account that was created yesterday, an attacker might be a bit leery of that, because they want to see an account that's actually been used. You can make it look like something: give it a unique, you know, I said SDA, because that's what you need. Give it group memberships that make it look very privileged. You don't have to use actual privileged security groups, but give it a security group that looks like it might be: like, create a group that's got no permissions and call it "super admins", and then put the honeypot account in that group so that it looks like it's an incredibly privileged account. And then limit its logon abilities, so it looks like an incredibly useful account that an attacker is going to be really tempted by, but it can't actually do anything: make it so that it can't log on any hour of the day or night, or make it only able to log on to a workstation that doesn't really exist. That's a good way to go, and I found it quite funny as well.

But yeah, once you've done that, once you've created your honeypot object, then note down the object GUID, which is going to be somewhere in the Attribute Editor. You're going to look through the Attribute Editor for that object, you're going to find what the GUID is, and then you can use that information to create a detection within your SIEM, whether it's Sentinel or Splunk or whatever your SIEM of choice may be, and you can create that detection to alert on 4662 events from that honeypot account. What that tells us is that if event 4662 fires and the GUID on that event is the honeypot account GUID, then we know that someone has used that account to try and perform a Bloodhound attack, which is a pretty sure sign that someone is attacking the environment. So that's how you can use Active Directory to create some pretty high fidelity indicators of an attack, kind of like a rudimentary IDS/IPS system.

And not only can you do this with Bloodhound, you can do a very similar thing with Kerberoasting, same kind of technique. Instead of 4662 you'd use event code 4769, and that 4769 event code tells you a Kerberos service ticket was requested. Again, it's a pretty noisy source: any time Kerberos is getting a ticket request, which is pretty frequent, you're going to get that event code. So again we want to find ways to get rid of the noise and make a high fidelity alert. So for Kerberoasting, using a unique honeypot SPN is important. What's an SPN? It's a service principal name. It's kind of akin to an alias for an Active Directory username, except it's used specifically for service-level authentication, so for Windows services or application services to authenticate to one another, they wouldn't use a username, they would use a service principal name. The important thing when you're creating your honeypot service principal name is it needs to look like it's highly privileged, but it needs to be not a real service principal name; you can't be actually using it anywhere in production, because otherwise you are potentially giving the attacker access to privileged services. So for instance you could create an SPN like "AD passwords" or, you know, SQL service stuff, or not that, but you could make something look like it's a really highly privileged, system-level SPN, but just make sure that you're not actually using a real one. So then, armed with that information, you can create the detection to alert on 4769 events from that honeypot account, from that SPN. What that gives you is if that fires and the service name in the event log is the SPN from the honeypot account, then you know, again, someone has used that honeypot account to perform a Kerberoasting attack, because you're not using that SPN anywhere in your environment; the only time that would be used would be because somebody has seen that SPN and is trying to leverage it for Kerberoasting. Does that make sense? Awesome, okay, cool. And again that creates a high fidelity indicator of an attack.

All right, so now we're going to go into popcorn time. Everyone ready?
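The two honey-token rules described above, as an added stand-alone example that is not code from the talk or from SRA (the talk's detections live in the SIEM): 4662 matched on the honeypot account's object GUID, and 4769 matched on the account that owns the honeypot SPN, run over a handful of constructed, mostly-noise events. The honey GUID, SPN, account names and sample events are all made up for this example.

```python
"""Honey-account (4662) and honey-SPN (4769) detection logic.

Added example, not code from the talk. Field names follow the Windows
Security log: in 4662, ObjectName carries the object's GUID as "%{guid}";
in 4769, ServiceName is the account that owns the requested SPN.
All GUIDs, account names and events below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed honey values: the honey account's objectGUID (noted from
# Attribute Editor) and the sAMAccountName that carries the honey SPN.
HONEY_ACCOUNT_GUID = "f3b2c1d0-1111-2222-3333-444455556666"
HONEY_SPN_ACCOUNT = "svc_sqladmin"
HONEY_SPN = "MSSQLSvc/sqladmin.corp.example:1433"


@dataclass
class Alert:
    rule: str
    event_id: int
    subject: str   # who performed the action
    detail: str


def _norm_guid(raw: str) -> str:
    """4662 writes ObjectName as '%{guid}'; strip the wrapper, lower-case it."""
    raw = raw.strip()
    if raw.startswith("%{") and raw.endswith("}"):
        raw = raw[2:-1]
    return raw.lower()


def detect_honey_account_access(events):
    """4662 'an operation was performed on an object' against the honey GUID."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        if _norm_guid(e.get("ObjectName", "")) != HONEY_ACCOUNT_GUID:
            continue  # ordinary 4662 noise never reaches the alert queue
        alerts.append(Alert("honey-account-read", 4662, e["SubjectUserName"],
                            f"mask={e.get('AccessMask')} on {e.get('Computer')}"))
    return alerts


def detect_honey_spn_request(events):
    """4769 service-ticket request for an SPN nothing legitimate ever uses."""
    alerts = []
    for e in events:
        if e.get("EventID") != 4769:
            continue
        if e.get("ServiceName", "").lower().rstrip("$") != HONEY_SPN_ACCOUNT:
            continue
        enc = e.get("TicketEncryptionType", "?")  # 0x17 = RC4, typical for roasting
        alerts.append(Alert("honey-spn-request", 4769, e["TargetUserName"],
                            f"ticket for {HONEY_SPN} enc={enc} from {e.get('IpAddress')}"))
    return alerts


# Constructed sample of what a SIEM would feed the rules: mostly noise.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$", "Computer": "DC01",
     "ObjectName": "%{0a1b2c3d-aaaa-bbbb-cccc-0123456789ab}", "AccessMask": "0x100"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "Computer": "DC01",
     "ObjectName": "%{F3B2C1D0-1111-2222-3333-444455556666}", "AccessMask": "0x100"},
    {"EventID": 4769, "TargetUserName": "svc_backup@CORP.EXAMPLE", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sqladmin",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.77"},
]


def run_rules(events):
    """Return all honey-token alerts; the bulk of the events produce none."""
    return detect_honey_account_access(events) + detect_honey_spn_request(events)
```

Only the two events that touch the honey objects produce alerts; everything else is the routine 4662/4769 volume the talk warns about.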
This is the interactive bit, so we're going to have to start thinking. Let's say that I receive an alert, sorry, there's an alert that you have multiple failed VPN logins. I'm going to go back to my screen here, because rather than just looking at this all the time and not looking at you, I'm going to stand here. You receive an alert that there's multiple failed VPN logins from the user Richard Smith. They all come from Rochester, New York, and they all began around 11 AM on March 18th, 2023. The environment is using single sign-on for VPN. How can we quickly figure out what might be causing this? Any thoughts?

All right, well, we could run net user for that Richard Smith user and see what the output is. We could search for the user in Active Directory, navigate to the Object tab and see what the last modified date and time is, so we can see when that account was last modified by looking in ADUC. The other alternative would be using ADAC, which is the newer sort of GUI interface for AD: you can go in, scroll down to Extensions, click on Attribute Editor and then have a look at the password last set attribute. Any of those would point you to the fact that, ah, this user last set their password at 10:51 AM, just before the activity started. So if we've got multiple logon failures starting around 11 AM on that day and the person just reset their password, what's the most likely explanation? Forgot their password, possibly. I'm sorry? Yeah, right, yeah, but most likely it's cached credentials, from either a phone or another device that they haven't updated. Yeah. And that is honestly, from my time working in the SOC, one of the more common tickets that you see. And again, you can see the same information there in Active Directory, and there in ADAC as well, but they all point to the same information.
Okay, so let's go on to another one. We have a username, Joe Musashi. Any Shinobi fans? Sega, the old Sega arcade games? No? Okay, all right, so that reference is completely lost on everyone, no worries. But this user has been added to the restricted security group DB_ReadWrite, and this group grants full administrative access to the company's SQL databases. Can we determine if that indicates a potential elevation of privilege attack? Is this legit activity or not? What are some ways we could determine that?

I'm sorry? Oh, like a help desk request, okay. Let's see. Well, the way that I was going with this was: if you look in Active Directory and you go to the Organization tab, and you note the information that's in the user's Organization tab in AD, you can see their job title, etc. Same thing in ADAC, you could look for the same information there. However, not all organizations make use of that tab; not everyone's going to manually input that information, and if that's the case, if your org doesn't require that information, and if we can't determine it through any other means, then we need to contact the user's manager to confirm that this is legit, or we could look for an existing request in the ticketing system. Those are the other ways that you could go about it if you don't have it in Active Directory, and that conversation might go a little bit like that. Anyway, if you look here, we can see this person's a principal database architect, so having full access to the company's databases kind of makes sense. And yeah, there you go, that's my attempt at humor.

Okay, let's look at another one. So let's say we get an alert that a user
account has been set to never expire. You're looking in Active Directory and you can see that the account is currently disabled, and as you look through the history of the account, it looks like it's been disabled ever since it was created. It never was enabled in the first place, as far as you can tell. Any possible reasons that we can think of for this situation? It was like a new hire, created but not logged in? It's possible, that does happen in some organizations, yeah. They'll create the account but they won't activate it until the person's first day or something, yeah. I'm going in a different direction with this. Let's see, what kind of account does it sound like, based on what we've talked about earlier on? And I may have skimmed over this, so this may not have been properly explained earlier. Yeah, is it a honey account? It could be, but there's perfectly legitimate reasons why this kind of account would exist in the system as well. Are there any types of accounts or user objects in Active Directory that don't ever actually sign in? A conference room, yeah. Let's say, I mean, it's a Microsoft Exchange mailbox is what it comes down to, really. It's just a resource object of some kind; it could be a conference room or a resource account of some kind or another. Yeah, okay, so this is the same thing, I'm just giving more information. So yeah, resource accounts created through Microsoft Exchange: they are immediately disabled, the password never expires, and the user cannot change the password, because the password is actually never used. The account is never actually logged into; it's just there as a kind of placeholder object in AD, but it's really an Exchange object that's just used like a mailbox. It's not actually logged into as an AD account, which is why it's disabled. So when you see a
situation like that, that is the most likely explanation for what you're seeing.

Okay, so that is my talk. In conclusion: Active Directory is our friend. It has a ton of information about users, computers, networks, etc. that you can find with just a little digging; it's all right there, it just needs a little bit of digging to find the information. Many of the most common alerts and incidents that you find in a security operations center can be worked end to end with just simple AD tools, so in most cases there's no need to escalate. If you know how to use simple Active Directory tools you can work these alerts end to end and do full investigations. Active Directory logs can be leveraged to engineer some really high quality, high fidelity detections in your SIEM. And finally, knowledge is power: if you gain some expertise in Active Directory, it's going to make you really stand out from the crowd in a SOC environment, and it'll be a very good thing for your infosec career. Thanks for coming to my TED Talk.

So I have some time, so any questions from anybody about anything? I've stunned you all into silence, it's amazing, I just did such an awesome job. Okay, well, if anybody wants to grab me afterwards, I'm here for the rest of the day. I'm happy to talk about anything and nothing and everything. So yeah, thank you so much folks, and enjoy the rest of the day. Thanks. [Applause]