{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/active-directory/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["credential-access","persistence","active-directory","dcsync"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies modifications to the \u003ccode\u003enTSecurityDescriptor\u003c/code\u003e attribute within Active Directory (AD) objects that grant DCSync-related permissions to a user or computer account. This technique allows attackers to create a persistent backdoor, enabling them to re-obtain access to user and computer account hashes. The modification involves assigning specific GUIDs that represent replication rights (\u003ccode\u003e1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u003c/code\u003e, \u003ccode\u003e1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u003c/code\u003e, \u003ccode\u003e89e95b76-444d-4c62-991a-0facbeda640c\u003c/code\u003e) to an account\u0026rsquo;s security descriptor. This allows the attacker to then use DCSync to retrieve credentials from the domain, effectively bypassing normal authentication mechanisms.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an account with sufficient privileges to modify Active Directory objects (e.g., Domain Admin).\u003c/li\u003e\n\u003cli\u003eThe attacker uses AD management tools (PowerShell, ADSI Edit, etc.) 
to target a specific user or computer account.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003enTSecurityDescriptor\u003c/code\u003e attribute of the targeted account.\u003c/li\u003e\n\u003cli\u003eThe attacker grants replication rights to the targeted account by adding specific Access Control Entries (ACEs) containing the GUIDs \u003ccode\u003e1131f6ad-9c07-11d1-f79f-00c04fc2dcd2\u003c/code\u003e, \u003ccode\u003e1131f6aa-9c07-11d1-f79f-00c04fc2dcd2\u003c/code\u003e, and \u003ccode\u003e89e95b76-444d-4c62-991a-0facbeda640c\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the DCSync technique, impersonating a domain controller, to request password hashes.\u003c/li\u003e\n\u003cli\u003eThe Active Directory server, believing the request is legitimate due to the granted replication rights, provides the attacker with the requested credential information.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains password hashes for domain users and computers.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the obtained credentials for lateral movement, privilege escalation, or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to compromise the entire Active Directory domain by gaining access to sensitive credential data. This could lead to complete control over the network, including access to critical systems, sensitive data, and the ability to disrupt business operations. 
The modification of security descriptors creates a persistent backdoor that can be used repeatedly to harvest credentials.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Audit Directory Service Changes to generate the necessary event logs for detection (\u003ca href=\"https://ela.st/audit-directory-service-changes\"\u003ehttps://ela.st/audit-directory-service-changes\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect unauthorized modifications to the \u003ccode\u003enTSecurityDescriptor\u003c/code\u003e attribute. Tune the rule to exclude legitimate administrative accounts or scripts that may perform authorized modifications.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs (event code 5136) for changes to the \u003ccode\u003enTSecurityDescriptor\u003c/code\u003e attribute and investigate any unexpected modifications, focusing on the presence of DCSync-related GUIDs.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit Active Directory permissions, focusing on accounts with replication rights, to ensure they are legitimate and necessary.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T14:17:05Z","date_published":"2026-05-04T14:17:05Z","id":"/briefs/2026-05-dcsync-backdoor/","summary":"Attackers can modify Active Directory object security descriptors to grant DCSync rights to unauthorized accounts, creating a backdoor to extract credential data.","title":"Potential Active Directory Replication Account Backdoor","url":"https://feed.craftedsignal.io/briefs/2026-05-dcsync-backdoor/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-33826"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33826","active-directory","code-execution","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-33826 is a vulnerability affecting Windows Active 
Directory. It stems from improper input validation, potentially enabling an authenticated attacker positioned on an adjacent network to achieve remote code execution. The vulnerability\u0026rsquo;s impact is significant, as successful exploitation could allow attackers to gain control over critical domain infrastructure. The CVE was published on 2026-04-14. While the specific attack vector isn\u0026rsquo;t detailed in the initial vulnerability description, the adjacent network requirement suggests that the attacker must be on the same physical or logical network segment as the targeted Active Directory server. Exploitation requires an authenticated user, limiting the scope of potential attackers to those with existing domain credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains valid credentials within the Active Directory domain through compromised accounts or other means.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNetwork Proximity:\u003c/strong\u003e The attacker positions themselves on the same physical or logical network segment as the target Active Directory server.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Trigger:\u003c/strong\u003e The attacker crafts a malicious request containing invalid input designed to exploit the input validation flaw in Active Directory. 
This request could target a specific Active Directory service or API.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExploitation:\u003c/strong\u003e Active Directory processes the malicious request, failing to properly validate the input, and executing attacker-controlled code within the context of the Active Directory service.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages the initially gained code execution to escalate privileges within the Active Directory environment, potentially targeting domain administrator rights.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With elevated privileges, the attacker moves laterally across the network, compromising additional systems and services within the domain.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistent access to the Active Directory environment, ensuring continued control even after system restarts or security mitigations.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective:\u003c/strong\u003e The attacker achieves their final objective, such as data exfiltration, service disruption, or deployment of ransomware across the compromised network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-33826 could lead to complete compromise of the Active Directory domain. This could result in widespread data breaches, service outages, and significant financial losses. The vulnerability affects any organization relying on Windows Active Directory for authentication and authorization, making it a high-impact threat. 
The number of potential victims is vast, spanning various sectors including government, finance, healthcare, and technology.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft for CVE-2026-33826 as soon as possible to remediate the underlying vulnerability (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33826\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33826\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor Active Directory servers for suspicious network connections originating from adjacent networks that may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation controls within Active Directory environments to prevent similar vulnerabilities in the future.\u003c/li\u003e\n\u003cli\u003eMonitor event logs on Active Directory servers for unexpected process creation or code execution events that may be related to this vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect suspicious process creations related to potential exploitation attempts on Active Directory servers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-active-directory-code-execution/","summary":"An improper input validation vulnerability (CVE-2026-33826) in Windows Active Directory could allow an authenticated attacker on an adjacent network to execute code.","title":"CVE-2026-33826: Windows Active Directory Improper Input Validation 
Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-active-directory-code-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","defense-evasion","persistence","initial-access","active-directory"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis threat brief focuses on the modification of the \u003ccode\u003emsDS-ManagedAccountPrecededByLink\u003c/code\u003e attribute within Active Directory via PowerShell scripts. This activity is flagged as potentially malicious because it could be indicative of an attempt to exploit the \u0026lsquo;BadSuccessor\u0026rsquo; privilege escalation vulnerability in Windows Server 2025. The vulnerability, as outlined in Akamai\u0026rsquo;s research, allows attackers to manipulate delegated managed service account (dMSA) links to gain elevated privileges. The detection is based on identifying specific PowerShell script patterns that include \u003ccode\u003e.Put(\u0026quot;msDS-ManagedAccountPrecededByLink\u0026quot;\u003c/code\u003e and \u003ccode\u003eCN=\u003c/code\u003e, which are used to modify these critical AD attributes. 
Defenders should be aware that legitimate administrative tasks might also trigger this detection, so careful tuning and validation are necessary.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a system with sufficient privileges to execute PowerShell scripts, possibly through compromised credentials or other initial access vectors (T1078.002).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker uses PowerShell to enumerate existing dMSAs and their associated \u003ccode\u003emsDS-ManagedAccountPrecededByLink\u003c/code\u003e attributes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAttribute Modification:\u003c/strong\u003e The attacker crafts a PowerShell script to modify the \u003ccode\u003emsDS-ManagedAccountPrecededByLink\u003c/code\u003e attribute of a target dMSA. This involves using the \u003ccode\u003e.Put(\u0026quot;msDS-ManagedAccountPrecededByLink\u0026quot;\u003c/code\u003e command and specifying a new distinguished name (\u003ccode\u003eCN=\u003c/code\u003e) for the preceding account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker leverages the modified dMSA link to establish a persistent foothold in the environment by gaining control over the targeted dMSA.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e By manipulating the dMSA links, the attacker effectively inherits the permissions and privileges associated with the compromised dMSA, thereby escalating their own privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker may attempt to evade detection by obfuscating the PowerShell script or using other techniques to hide their activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With 
elevated privileges, the attacker can move laterally within the network, accessing sensitive resources and systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the \u0026lsquo;BadSuccessor\u0026rsquo; vulnerability through modification of the \u003ccode\u003emsDS-ManagedAccountPrecededByLink\u003c/code\u003e attribute can lead to complete domain compromise. An attacker can gain control over critical services and data, potentially resulting in data breaches, service disruptions, and significant financial losses. The impact is amplified in environments heavily reliant on Active Directory for authentication and authorization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM and tune for your environment to detect potentially malicious modifications to dMSA link attributes via PowerShell (logsource: ps_script, product: windows).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule to determine if the activity is legitimate or indicative of an attempted exploitation of the \u0026lsquo;BadSuccessor\u0026rsquo; vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and monitoring for systems and accounts with the ability to modify Active Directory attributes.\u003c/li\u003e\n\u003cli\u003eReview and harden Active Directory security configurations to prevent unauthorized modification of sensitive attributes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-30T10:27:13Z","date_published":"2026-03-30T10:27:13Z","id":"/briefs/2024-01-30-dmsa-link-mod/","summary":"Detection of PowerShell scripts modifying the msDS-ManagedAccountPrecededByLink attribute, potentially indicating exploitation of the BadSuccessor privilege escalation vulnerability in Windows Server 2025.","title":"Potential Abuse of msDS-ManagedAccountPrecededByLink for 
Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2024-01-30-dmsa-link-mod/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["persistence","privilege-escalation","windows","active directory"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies a user being added to an Active Directory (AD) group by the SYSTEM account (S-1-5-18). This behavior is significant because it can indicate an attacker who has successfully achieved SYSTEM level privileges on a domain controller. Attackers typically obtain SYSTEM privileges by exploiting vulnerabilities in the domain controller, or by abusing default group privileges such as those assigned to Server Operators. Once SYSTEM access is achieved, the attacker can then attempt to pivot to a domain account. This allows them to gain persistent access and control over the AD environment. Successful exploitation enables attackers to perform actions with the privileges of the compromised account, leading to potential data breaches, system compromise, and further lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the network through various means, such as phishing or exploiting a public-facing application.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker exploits a vulnerability or misconfiguration on a system within the network to achieve local administrator or SYSTEM privileges.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDomain Controller Compromise:\u003c/strong\u003e The attacker uses their elevated privileges to target a domain controller, exploiting vulnerabilities or weak configurations to gain SYSTEM access on the domain controller 
itself.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eGroup Modification:\u003c/strong\u003e Once the attacker has SYSTEM privileges on a domain controller, they use this access to add a user account to a privileged Active Directory group. This is done by modifying the group membership using tools native to the operating system.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e By adding a user account to a privileged group, the attacker ensures they have persistent access to the domain, even if their initial access method is discovered and blocked.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With the newly acquired group membership, the attacker can now move laterally within the network, accessing resources and systems that were previously inaccessible.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration / Impact:\u003c/strong\u003e The attacker leverages their access to locate and exfiltrate sensitive data, or to disrupt critical business operations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to a wide range of negative consequences, including data breaches, system compromise, and disruption of critical business operations. Attackers can use the compromised account to access sensitive data, modify system configurations, or even deploy ransomware. The scope of impact depends on the permissions and privileges associated with the compromised account and the targeted resources. 
Furthermore, the incident can damage the organization\u0026rsquo;s reputation and result in regulatory fines and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Security Group Management\u0026rdquo; to generate the necessary events for detection as detailed in the \u003ca href=\"https://ela.st/audit-security-group-management\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the following Sigma rule to detect potential Active Directory group modifications by the SYSTEM account and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any event with event code 4728 where the SubjectUserSid is \u0026ldquo;S-1-5-18\u0026rdquo; as described in the \u003ca href=\"#overview\"\u003eoverview\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eReview the investigation guide outlined in the rule description for triage and analysis steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-02T23:59:00Z","date_published":"2024-11-02T23:59:00Z","id":"/briefs/2024-11-ad-group-modification-by-system/","summary":"Detection of a user being added to an Active Directory group by the SYSTEM account (S-1-5-18) can indicate an attacker with SYSTEM privileges attempting to pivot to a domain account.","title":"Active Directory Group Modification by SYSTEM Account","url":"https://feed.craftedsignal.io/briefs/2024-11-ad-group-modification-by-system/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["low"],"_cs_tags":["credential-access","windows","active-directory"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eActive Directory Integrated DNS (ADIDNS) is a core component of AD DS, storing DNS zones as AD objects. The default permission settings allow any authenticated user to create DNS-named records. 
This creates an opportunity for attackers to perform Dynamic Spoofing attacks by monitoring LLMNR/NBT-NS requests and creating DNS-named records to target systems or specific services like WPAD. This attack can enable credential access by redirecting traffic through attacker-controlled systems, leading to the capture of sensitive information. This activity is detectable by monitoring Windows event code 5137 related to DNS record creation and filtering out legitimate system accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a domain-joined system, possibly through compromised credentials or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker passively monitors LLMNR/NBT-NS broadcast traffic to identify systems being requested on the network.\u003c/li\u003e\n\u003cli\u003eUpon observing a request for a target system (e.g., WPAD), the attacker creates a DNS-named record in ADIDNS that resolves the target system\u0026rsquo;s name to an attacker-controlled IP address. 
This leverages the default permissions in ADIDNS that allow authenticated users to create DNS records.\u003c/li\u003e\n\u003cli\u003eWhen a legitimate user attempts to access the target system, the DNS query resolves to the attacker\u0026rsquo;s IP address.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s traffic is redirected to the attacker\u0026rsquo;s system.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the user\u0026rsquo;s credentials or other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker may relay captured credentials to other systems on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves credential access and lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to intercept network traffic, steal credentials, and potentially gain unauthorized access to sensitive systems and data within the Active Directory domain. While the severity is low, it can be a stepping stone to further, more damaging attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Changes\u0026rdquo; to generate the necessary Windows Security Event Logs (event code 5137) for detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eCreation of a DNS-Named Record\u003c/code\u003e to detect suspicious DNS record creation events.\u003c/li\u003e\n\u003cli\u003eImplement stricter access controls on DNS record creation within Active Directory to limit permissions to only necessary and trusted accounts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-22T12:00:00Z","date_published":"2024-05-22T12:00:00Z","id":"/briefs/2024-05-adidns-record-creation/","summary":"Detection of DNS record creation by non-system accounts within Active Directory Integrated DNS (ADIDNS), which attackers can abuse to 
perform Dynamic Spoofing attacks, potentially targeting services like WPAD for credential access.","title":"Suspicious DNS-Named Record Creation in Active Directory Integrated DNS","url":"https://feed.craftedsignal.io/briefs/2024-05-adidns-record-creation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory Integrated DNS (ADIDNS)"],"_cs_severities":["high"],"_cs_tags":["credential-access","adidns","windows","active-directory"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eActive Directory Integrated DNS (ADIDNS) stores DNS zones as Active Directory objects, which, while providing access control and replication benefits, introduces security issues. A significant concern is the creation of wildcard records due to the default permission allowing any authenticated user to create DNS-named records. By exploiting this, attackers can establish wildcard records to redirect traffic for domain names lacking explicit DNS records, effectively positioning themselves as an adversary-in-the-middle. This manipulation of ADIDNS can lead to credential interception or relay attacks, similar to LLMNR/NBNS spoofing. This poses a high risk to organizations relying on ADIDNS for domain consistency and secure name resolution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the domain.\u003c/li\u003e\n\u003cli\u003eAttacker leverages existing privileges to create a wildcard DNS record (A record) within an ADIDNS zone.\u003c/li\u003e\n\u003cli\u003eThe wildcard record is created with a DN like \u003ccode\u003eDC=*,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com\u003c/code\u003e, where \u003ccode\u003eDC=*\u003c/code\u003e signifies the wildcard. 
Event ID 5137 is generated.\u003c/li\u003e\n\u003cli\u003eThe wildcard record points to a malicious server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eA client attempts to resolve a domain name that does not have an explicit DNS record.\u003c/li\u003e\n\u003cli\u003eDue to the wildcard record, the DNS query resolves to the attacker\u0026rsquo;s malicious server.\u003c/li\u003e\n\u003cli\u003eThe client connects to the attacker\u0026rsquo;s server, potentially exposing credentials or other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts or relays the client\u0026rsquo;s traffic, gaining unauthorized access or control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to intercept network traffic, steal credentials, and potentially gain control over systems within the affected domain. The impact includes unauthorized access to sensitive data, lateral movement within the network, and potential compromise of critical domain services. 
This can affect any organization using Active Directory Integrated DNS, leading to widespread disruption and data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Changes\u0026rdquo; to generate the necessary Windows Security Event Logs (5137) for detecting ADIDNS wildcard record creation as described in the \u003ca href=\"https://ela.st/audit-directory-service-changes\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential ADIDNS Poisoning via Wildcard Record Creation\u0026rdquo; to detect the creation of wildcard DNS records in ADIDNS based on Windows Event ID 5137.\u003c/li\u003e\n\u003cli\u003eReview and restrict ADIDNS permissions for DNS zones to limit wildcard-creation opportunities, focusing on authenticated-user create-child rights.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on \u003ccode\u003ewinlog.event_data.ObjectDN\u003c/code\u003e, \u003ccode\u003euser.name\u003c/code\u003e, and the originating session as outlined in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T14:58:00Z","date_published":"2024-05-03T14:58:00Z","id":"/briefs/2024-05-adidns-wildcard/","summary":"Attackers can create wildcard records in Active Directory Integrated DNS (ADIDNS) to redirect traffic, enabling adversary-in-the-middle attacks for credential interception or relay.","title":"Potential ADIDNS Poisoning via Wildcard Record Creation","url":"https://feed.craftedsignal.io/briefs/2024-05-adidns-wildcard/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory Web 
Service"],"_cs_severities":["medium"],"_cs_tags":["active-directory","enumeration","adws","discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) over a network, providing a web-based interface for directory services. Adversaries may exploit ADWS to enumerate network resources and user accounts, gaining insights into the environment. This attack involves loading Active Directory related modules and establishing network connections to the ADWS dedicated TCP port 9389. The goal is to gather information about the domain, user accounts, and permissions, which can be used for lateral movement, privilege escalation, and data exfiltration. Detection focuses on identifying suspicious processes loading \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e or \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e and then connecting to the ADWS port.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised host within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a reconnaissance tool or script (e.g., PowerShell) on the compromised host.\u003c/li\u003e\n\u003cli\u003eThe reconnaissance tool loads Active Directory related modules such as \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e and \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe reconnaissance tool attempts to establish a network connection to the ADWS service on TCP port 9389, the dedicated port for ADWS.\u003c/li\u003e\n\u003cli\u003eThe tool queries ADWS to retrieve information about domain users (T1087.002), groups (T1069.002), systems (T1018), and permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify privileged accounts and potential targets 
for lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered information to move laterally within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges and exfiltrates sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to gain detailed knowledge of the Active Directory environment. This information can be used to identify high-value targets, compromise privileged accounts, move laterally within the network, and ultimately achieve their objectives, which could include data theft, ransomware deployment, or disruption of services. The impact can range from data breaches to complete compromise of the Active Directory domain, depending on the attacker\u0026rsquo;s goals and the level of access they achieve.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential ADWS Enumeration via Suspicious Library Loading\u0026rdquo; to detect processes loading AD-related DLLs (e.g., \u003ccode\u003eSystem.DirectoryServices*.dll\u003c/code\u003e, \u003ccode\u003eSystem.IdentityModel*.dll\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential ADWS Enumeration via Network Connection\u0026rdquo; to monitor for network connections to destination port 9389 from unusual processes.\u003c/li\u003e\n\u003cli\u003eReview and whitelist legitimate administrative tools or scripts that load Active Directory-related modules and connect to the ADWS port as described in the \u0026ldquo;False positive analysis\u0026rdquo; section of the original rule documentation.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit access to the ADWS port (9389) to only trusted systems and 
users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T00:00:00Z","date_published":"2024-01-31T00:00:00Z","id":"/briefs/2024-01-adws-enumeration/","summary":"Adversaries may abuse the Active Directory Web Service (ADWS) to enumerate network resources and user accounts, by loading AD-related modules followed by a network connection to the ADWS dedicated TCP port.","title":"Potential Enumeration via Active Directory Web Service","url":"https://feed.craftedsignal.io/briefs/2024-01-adws-enumeration/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["kerberos","credential-access","as-rep-roasting","active-directory","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies instances where the Kerberos pre-authentication requirement is disabled for a user account within an Active Directory environment. Attackers with \u003ccode\u003eGenericWrite\u003c/code\u003e or \u003ccode\u003eGenericAll\u003c/code\u003e permissions over a target account can modify the \u003ccode\u003eUserAccountControl\u003c/code\u003e attribute to disable pre-authentication. This configuration weakens the account\u0026rsquo;s security posture, making it vulnerable to AS-REP roasting attacks, where attackers can request Kerberos tickets and crack the password offline. The activity is logged as Event ID 4738 in the Windows Security Event Logs, specifically when the \u003ccode\u003eNewUACList\u003c/code\u003e includes the \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e flag. This poses a significant risk, especially if applied to privileged accounts, as it allows adversaries to potentially compromise credentials and escalate privileges within the domain. 
The detection is based on research and recommendations from Microsoft regarding Kerberos security best practices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to an account with sufficient privileges (e.g., Domain Admin, or an account with delegated permissions) to modify user account attributes in Active Directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages their initial access to target a specific user account for which they intend to disable Kerberos pre-authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Modification:\u003c/strong\u003e The attacker modifies the \u003ccode\u003eUserAccountControl\u003c/code\u003e attribute of the target user account, specifically enabling the \u0026ldquo;Do not require pre-authentication\u0026rdquo; setting (setting the \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e flag), which disables Kerberos pre-authentication for that account. This is often done using tools like \u003ccode\u003eActive Directory Users and Computers\u003c/code\u003e or PowerShell cmdlets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvent Logging:\u003c/strong\u003e The modification triggers a Windows Security Event Log event (Event ID 4738) on the Domain Controller, indicating that the user account attribute has been changed. The \u003ccode\u003eNewUACList\u003c/code\u003e field in the event data contains \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAS-REQ Request:\u003c/strong\u003e The attacker crafts an AS-REQ (Authentication Service Request) to the Kerberos Key Distribution Center (KDC) for the targeted user account. 
Since pre-authentication is disabled, the KDC processes the request without requiring pre-authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAS-REP Response:\u003c/strong\u003e The KDC issues an AS-REP (Authentication Service Response) to the attacker, containing an encrypted Ticket Granting Ticket (TGT) for the targeted user account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOffline Cracking:\u003c/strong\u003e The attacker extracts the encrypted TGT from the AS-REP response and attempts to crack it offline using password cracking tools and techniques, such as hashcat or John the Ripper.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e Upon successfully cracking the TGT, the attacker obtains the plaintext password for the targeted user account. This password can then be used for lateral movement, privilege escalation, and further malicious activities within the domain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising user accounts through AS-REP roasting can have significant consequences. Attackers can gain unauthorized access to sensitive resources, escalate privileges, and move laterally within the network. Successful AS-REP roasting leads to credential compromise, which could result in data breaches, system compromise, and disruption of services. 
Organizations failing to monitor and prevent Kerberos pre-authentication disabling are at an increased risk of credential theft and subsequent exploitation, potentially affecting all systems within the compromised domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit User Account Management\u0026rdquo; and ensure Windows Security Event Logs (specifically Event ID 4738) are being collected and forwarded to your SIEM for analysis as described in the setup instructions linked in the rule source.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect Event ID 4738 events where the \u003ccode\u003eNewUACList\u003c/code\u003e contains \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e within your environment to identify potential AS-REP roasting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of disabled pre-authentication, especially on privileged accounts, following the triage steps outlined in the rule documentation.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by reviewing and restricting the privileges assigned to users and groups to prevent unauthorized modification of Active Directory user account attributes.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious Kerberos authentication patterns and investigate any anomalies that might indicate AS-REP roasting attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"/briefs/2024-01-28-kerberos-preauth-disabled/","summary":"Detection of Kerberos pre-authentication being disabled for a user account, potentially leading to AS-REP roasting and offline password cracking by attackers with GenericWrite or GenericAll rights over the account.","title":"Kerberos Pre-authentication Disabled for User 
Account","url":"https://feed.craftedsignal.io/briefs/2024-01-28-kerberos-preauth-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","credential-roaming","active-directory","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe msPKIAccountCredentials attribute in Active Directory stores encrypted credential data, including private keys and certificates. An attacker can modify this attribute to escalate privileges by overwriting an arbitrary file. This is achieved by modifying the msPKIAccountCredentials attribute of a user object with malicious credential objects. Successful exploitation allows the attacker to gain elevated privileges within the domain. The attack leverages the Windows credential roaming feature to inject these malicious credentials. This activity is detected via event code 5136 in the Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a domain-joined system, possibly through compromised credentials or phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target Active Directory user account to manipulate.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious payload containing an encrypted credential object.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool or script (e.g., PowerShell, adsiedit.msc) to modify the target user\u0026rsquo;s msPKIAccountCredentials attribute in Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers credential roaming, causing the modified attribute to be propagated to other domain-joined systems where the target user logs in.\u003c/li\u003e\n\u003cli\u003eWhen the target user logs in, the malicious credential object is processed, potentially overwriting a critical system file.\u003c/li\u003e\n\u003cli\u003eThe 
attacker leverages the overwritten file to execute arbitrary code with elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves privilege escalation and gains further access to the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the msPKIAccountCredentials attribute can lead to complete domain compromise. Attackers can gain control over critical systems and data within the Active Directory environment. While the exact number of potential victims is unknown, any organization utilizing Active Directory is potentially vulnerable. This attack allows for lateral movement, data exfiltration, and potentially the deployment of ransomware.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Changes\u0026rdquo; to generate the necessary event logs (\u003ca href=\"https://ela.st/audit-directory-service-changes\"\u003ehttps://ela.st/audit-directory-service-changes\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eModification of msPKIAccountCredentials in Active Directory\u003c/code\u003e to detect suspicious modifications of the attribute.\u003c/li\u003e\n\u003cli\u003eReview and harden Active Directory access controls, limiting which accounts can modify the \u003ccode\u003emsPKIAccountCredentials\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eMonitor event code 5136 in the Windows Security Event Logs for modifications to the \u003ccode\u003emsPKIAccountCredentials\u003c/code\u003e attribute.\u003c/li\u003e\n\u003cli\u003eCreate exceptions in your SIEM for authorized administrative accounts that legitimately modify this attribute to reduce false positives as described in the \u0026ldquo;False positive analysis\u0026rdquo; section 
above.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T18:25:00Z","date_published":"2024-01-26T18:25:00Z","id":"/briefs/2024-01-cred-roaming/","summary":"Attackers can modify the msPKIAccountCredentials attribute in Active Directory user objects to abuse credential roaming, potentially overwriting files for privilege escalation, by injecting malicious credential objects.","title":"Active Directory msPKIAccountCredentials Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-cred-roaming/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["high"],"_cs_tags":["credential-access","privilege-escalation","windows","active-directory"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe DCSync attack is a technique used to retrieve credential information from Active Directory, potentially leading to complete domain compromise. This attack involves initiating the Active Directory replication process, which is normally reserved for domain controllers. This detection identifies user accounts initiating this process for the first time, which can be an indicator of malicious activity. This activity is detected via Windows Security Event Logs and focuses on the identification of the initial use of replication protocols. Attackers exploit this to steal credentials or sensitive data stored within the Active Directory. This technique can be used to escalate privileges and move laterally within the network, eventually leading to data exfiltration or other malicious objectives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system within the target network.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain the necessary rights to perform DCSync. 
This may involve exploiting vulnerabilities or using stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a tool like Mimikatz or custom scripts to initiate the Active Directory replication process.\u003c/li\u003e\n\u003cli\u003eThe tool requests replication of directory data, specifically targeting credential information. This involves using the \u003ccode\u003eDS-Replication-Get-Changes\u003c/code\u003e or similar replication-right GUIDs.\u003c/li\u003e\n\u003cli\u003eThe Active Directory server responds by providing the requested data, which includes password hashes and other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the credential information from the replicated data.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the extracted credentials to move laterally within the network and access other systems or data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration, ransomware deployment, or long-term persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DCSync attack can lead to the compromise of the entire Active Directory domain. This can result in widespread data breaches, loss of sensitive information, and significant disruption to business operations. Attackers can gain access to critical systems and data, potentially leading to financial losses, reputational damage, and legal liabilities. 
The number of potential victims is dependent on the size of the compromised Active Directory environment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Access\u0026rdquo; to generate the necessary Windows Security Event Logs (event code 4662) as described in the \u003ca href=\"https://ela.st/audit-directory-service-access\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect First Time DCSync Activity\u0026rdquo; to your SIEM and tune for your environment to identify suspicious DCSync behavior.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the \u003ccode\u003eSubjectUserSid\u003c/code\u003e, \u003ccode\u003eSubjectUserName\u003c/code\u003e, \u003ccode\u003eProperties\u003c/code\u003e, \u003ccode\u003eAccessMask\u003c/code\u003e, and \u003ccode\u003ecomputer_name\u003c/code\u003e fields in the Windows Security Event Logs.\u003c/li\u003e\n\u003cli\u003eMonitor for changes to Active Directory object permissions (5136 events) that could grant unauthorized users DCSync capabilities as outlined in the triage and analysis steps.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-25-dcsync-new-account/","summary":"Detection of a user account initiating the Active Directory replication process for the first time, potentially indicating a DCSync attack for credential theft and domain compromise.","title":"First Time Seen Account Performing DCSync","url":"https://feed.craftedsignal.io/briefs/2024-01-25-dcsync-new-account/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active 
Directory"],"_cs_severities":["high"],"_cs_tags":["credential-access","persistence","windows","active-directory"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe SeEnableDelegationPrivilege user right, when assigned to a security principal, allows that principal to be trusted for delegation within Active Directory. Attackers can abuse this right to compromise accounts and elevate privileges by impersonating other users or services. This technique can be used for lateral movement, persistence, and ultimately, domain dominance. Defenders should monitor for the assignment of this privilege, especially to accounts that should not have it. The targeted behavior is logged as event ID 4704 in Windows Security logs. This activity is critical to monitor as it represents a powerful tool for attackers to move laterally and maintain persistence within a compromised environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a compromised account with sufficient privileges to modify user rights.\u003c/li\u003e\n\u003cli\u003eThe attacker assigns the SeEnableDelegationPrivilege to a target account using tools like \u003ccode\u003entrights.exe\u003c/code\u003e or PowerShell cmdlets.\u003c/li\u003e\n\u003cli\u003eWindows Security Event 4704 is generated, logging the privilege assignment.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the target account\u0026rsquo;s attributes, such as \u003ccode\u003euserAccountControl\u003c/code\u003e or \u003ccode\u003emsDS-AllowedToDelegateTo\u003c/code\u003e, to enable delegation.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages Kerberos delegation to impersonate other users or services.\u003c/li\u003e\n\u003cli\u003eUsing the impersonated credentials, the attacker accesses sensitive resources or performs privileged actions.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, 
compromising additional systems and accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or domain dominance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to compromise Active Directory accounts and elevate privileges, potentially leading to full control over the domain. The impact includes unauthorized access to sensitive data, lateral movement to critical systems, and the potential for long-term persistence. Depending on the compromised accounts, the entire organization can be at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Authorization Policy Change\u0026rdquo; to generate Windows Security Event ID 4704 (Setup instructions: \u003ca href=\"https://ela.st/audit-authorization-policy-change\"\u003ehttps://ela.st/audit-authorization-policy-change\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal\u0026rdquo; to your SIEM to detect the assignment of this privilege.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where SeEnableDelegationPrivilege is assigned, focusing on the targeted account and the source of the change.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to delegation-related attributes on user and computer objects.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:23:00Z","date_published":"2024-01-03T17:23:00Z","id":"/briefs/2024-01-se-enable-delegation/","summary":"Detection of the assignment of the SeEnableDelegationPrivilege user right to a principal can indicate potential Active Directory compromise and privilege elevation by attackers.","title":"SeEnableDelegationPrivilege Assignment 
Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-se-enable-delegation/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["pentest","post-exploitation","lateral-movement","active-directory"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eNetExec, previously known as CrackMapExec, is a post-exploitation tool commonly used during Active Directory penetration testing. It is also favored by red teams and malicious actors for reconnaissance, lateral movement, and credential harvesting within Windows networks. This tool allows for the enumeration of hosts, exploitation of network services, and remote command execution. The use of NetExec in an enterprise environment is considered suspicious due to its capabilities for identifying vulnerable systems and facilitating unauthorized access. Defenders should monitor for its execution, as it is often a precursor to more serious attacks, including ransomware deployment, such as the Lynx ransomware.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system via an exploit or compromised credentials.\u003c/li\u003e\n\u003cli\u003eNetExec (nxc.exe) is deployed on the compromised host, often copied to a temporary directory.\u003c/li\u003e\n\u003cli\u003eNetExec is executed with commands to enumerate network shares and identify potential targets using SMB.\u003c/li\u003e\n\u003cli\u003eThe tool uses LDAP to query Active Directory for user accounts, groups, and organizational units.\u003c/li\u003e\n\u003cli\u003eNetExec attempts to authenticate to other systems using gathered or compromised credentials via protocols such as SMB, SSH, or RDP.\u003c/li\u003e\n\u003cli\u003eSuccessful authentication allows for remote command execution via WMI or WinRM.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages identified vulnerabilities or 
misconfigurations to escalate privileges on the target systems.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally through the network, gaining access to sensitive data or deploying ransomware like Lynx.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of NetExec can lead to widespread compromise within an Active Directory environment. Attackers can identify and exploit vulnerable systems, harvest credentials, and move laterally to gain access to critical assets. This can result in data theft, system disruption, and ransomware deployment, potentially affecting hundreds or thousands of systems depending on the size of the organization. The tool is often used as a precursor to ransomware attacks, where entire networks can be encrypted, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eHackTool - NetExec Execution\u003c/code\u003e to your SIEM to detect the execution of NetExec based on process creation logs.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enxc.exe\u003c/code\u003e with command-line arguments associated with network protocols like \u003ccode\u003eftp\u003c/code\u003e, \u003ccode\u003eldap\u003c/code\u003e, \u003ccode\u003emssql\u003c/code\u003e, \u003ccode\u003enfs\u003c/code\u003e, \u003ccode\u003erdp\u003c/code\u003e, \u003ccode\u003esmb\u003c/code\u003e, \u003ccode\u003essh\u003c/code\u003e, \u003ccode\u003evnc\u003c/code\u003e, \u003ccode\u003ewinrm\u003c/code\u003e, and \u003ccode\u003ewmi\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and regularly audit Active Directory to minimize the potential for lateral movement.\u003c/li\u003e\n\u003cli\u003eConsider using application control solutions to prevent the execution of unauthorized tools like 
\u003ccode\u003enxc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:35:00Z","date_published":"2024-01-03T14:35:00Z","id":"/briefs/2024-01-netexec-execution/","summary":"The threat brief details the detection of NetExec (formerly CrackMapExec), a post-exploitation tool used for Active Directory penetration testing and network enumeration, often employed by threat actors for lateral movement and credential harvesting.","title":"Detection of NetExec Hacktool Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-netexec-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["active-directory","discovery","reconnaissance","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eADExplorer is an advanced Active Directory (AD) viewer and editor that includes the ability to save snapshots of an AD database for offline viewing and comparisons. Adversaries may abuse this utility to perform domain reconnaissance and gather sensitive information about the AD structure, user accounts, and group memberships. The execution of ADExplorer is a potential indicator of malicious activity, especially when observed in environments where its use is not typical or when executed by unauthorized users. 
This activity can lead to further exploitation, such as privilege escalation and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means (e.g., compromised credentials, phishing).\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the ADExplorer utility (ADExplorer.exe) to the compromised host.\u003c/li\u003e\n\u003cli\u003eThe attacker executes ADExplorer.exe to begin enumeration of the Active Directory environment.\u003c/li\u003e\n\u003cli\u003eADExplorer interacts with the Active Directory domain controllers, querying information about users, groups, computers, and organizational units.\u003c/li\u003e\n\u003cli\u003eThe attacker may use ADExplorer to save snapshots of the AD database for offline analysis.\u003c/li\u003e\n\u003cli\u003eThe attacker analyzes the gathered information to identify privileged accounts, critical assets, and potential vulnerabilities within the AD environment.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered information to plan further attacks, such as lateral movement or privilege escalation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of ADExplorer by malicious actors can lead to the discovery of sensitive information about the Active Directory environment. This information can be leveraged to facilitate lateral movement, privilege escalation, and data exfiltration. 
While the initial risk score is low, the reconnaissance activity enables follow-on attacks that can have severe consequences, potentially leading to full domain compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect ADExplorer Execution via Process Name\u003c/code\u003e to detect the execution of ADExplorer based on process name.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect ADExplorer Execution via Original File Name\u003c/code\u003e to detect the execution of ADExplorer based on the process\u0026rsquo;s original file name.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events on Windows endpoints for the execution of ADExplorer.exe or processes with an original file name of \u0026ldquo;AdExp\u0026rdquo; to detect potential reconnaissance activities.\u003c/li\u003e\n\u003cli\u003eInvestigate and validate any execution of ADExplorer by non-administrator accounts.\u003c/li\u003e\n\u003cli\u003eReview ADExplorer use and restrict its usage to authorized personnel.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-adexplorer-execution/","summary":"Detects the execution of ADExplorer, a tool used for Active Directory viewing and editing, which can be abused by adversaries for domain reconnaissance and creating offline snapshots of the AD database.","title":"Active Directory Discovery via ADExplorer Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-adexplorer-execution/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Azure AD Connect"],"_cs_severities":["medium"],"_cs_tags":["credential-access","privilege-escalation","windows","active-directory"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThe DCSync attack is a technique that allows an attacker to use the 
Windows Domain Controller\u0026rsquo;s API to simulate the replication process from a remote domain controller. This enables the attacker to compromise critical credential material, such as Kerberos krbtgt keys, which can then be used for ticket creation and forgery. This attack requires specific privileges (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), typically granted to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. This rule focuses on detecting the initiation of the Active Directory replication process by user accounts, which could indicate a DCSync attack. The rule specifically monitors for Event ID 4662, filtering out computer accounts and Azure AD Connect MSOL accounts to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with a privileged account (e.g., Domain Admin).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the privileged account to grant an attacker-controlled object the right to DCSync (replicate directory changes).\u003c/li\u003e\n\u003cli\u003eThe attacker initiates an Active Directory replication process using the granted rights.\u003c/li\u003e\n\u003cli\u003eWindows generates Event ID 4662 (Operation was performed on an Active Directory object) with Access Mask 0x100 (Control Access).\u003c/li\u003e\n\u003cli\u003eThe event properties include DS-Replication-Get-Changes, DS-Replication-Get-Changes-All, or DS-Replication-Get-Changes-In-Filtered-Set.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts sensitive information such as password hashes.\u003c/li\u003e\n\u003cli\u003eThe attacker forges Kerberos tickets using the compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves domain dominance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful DCSync attack can lead to the compromise of the 
entire Active Directory domain. Attackers can steal credential information, including the krbtgt key, allowing them to forge Kerberos tickets and gain unauthorized access to any resource within the domain. This can lead to data breaches, system outages, and significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Access\u0026rdquo; to generate the required event logs (Event ID 4662) for detection, as indicated in the \u003ca href=\"https://ela.st/audit-directory-service-access\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eDetect Potential DCSync Activity\u003c/code\u003e to identify suspicious Active Directory replication events in your SIEM.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule by correlating security events 4662 and 4624 by Logon ID on the Domain Controller.\u003c/li\u003e\n\u003cli\u003eReview and restrict the privileges granted to accounts with DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-dcsync-replication/","summary":"This rule identifies when a User Account starts the Active Directory Replication Process, potentially indicating a DCSync attack, which allows attackers to steal credential information compromising the entire domain.","title":"Potential Credential Access via DCSync","url":"https://feed.craftedsignal.io/briefs/2024-01-02-dcsync-replication/"},{"_cs_actors":["FIN6"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["low"],"_cs_tags":["adfind","active-directory","reconnaissance","windows"],"_cs_type":"threat","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eAdFind is a command-line tool 
used to retrieve information from Active Directory. While it has legitimate uses for network administrators, threat actors frequently leverage it for post-exploitation Active Directory reconnaissance. The tool allows for quick scoping of AD person/computer objects and understanding subnets and domain information. AdFind has been observed in campaigns associated with various threat actors, including Trickbot, Ryuk, Maze, and FIN6. This reconnaissance activity is typically conducted after initial compromise to gather information for lateral movement and privilege escalation. The detection of AdFind execution, especially with specific command-line arguments, can indicate malicious activity within a compromised environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows host, possibly through exploitation of a vulnerability or compromised credentials.\u003c/li\u003e\n\u003cli\u003eTool Transfer: The attacker transfers AdFind.exe to the compromised host.\u003c/li\u003e\n\u003cli\u003eExecution: The attacker executes AdFind.exe from the command line or via a script.\u003c/li\u003e\n\u003cli\u003eDiscovery: AdFind is used to enumerate Active Directory objects such as computers (\u003ccode\u003eobjectcategory=computer\u003c/code\u003e), users (\u003ccode\u003eobjectcategory=person\u003c/code\u003e), subnets (\u003ccode\u003eobjectcategory=subnet\u003c/code\u003e), and groups (\u003ccode\u003eobjectcategory=group\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInformation Gathering: The attacker gathers information about domain controllers using commands such as \u003ccode\u003edclist\u003c/code\u003e or \u003ccode\u003edcmodes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The gathered information is used to identify potential targets for privilege escalation, such as accounts with weak passwords or misconfigured 
permissions.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the gathered information to move laterally to other systems within the network.\u003c/li\u003e\n\u003cli\u003eObjective Completion: The attacker achieves their final objective, such as data exfiltration or ransomware deployment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful reconnaissance using AdFind can provide attackers with a comprehensive understanding of the Active Directory environment, facilitating lateral movement, privilege escalation, and ultimately, the exfiltration of sensitive data or deployment of ransomware. While the use of AdFind itself may not be directly damaging, it is a strong indicator of malicious activity within a compromised network. The impact can range from data breaches and financial losses to reputational damage and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AdFind Command Activity\u0026rdquo; to your SIEM to detect the execution of AdFind with suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to provide the necessary data for the Sigma rule to function effectively (reference the Sysmon setup documentation).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u0026ldquo;AdFind Command Activity\u0026rdquo; Sigma rule to determine the scope and impact of the potential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor process execution events for AdFind-related activity, focusing on command-line arguments used to query Active Directory objects (reference the \u003ccode\u003equery\u003c/code\u003e field in the original rule).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential lateral movement following a successful 
compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-adfind-reconnaissance/","summary":"The execution of AdFind.exe, an Active Directory query tool, is often used by threat actors for post-exploitation Active Directory reconnaissance, as observed in campaigns involving Trickbot, Ryuk, Maze, and FIN6.","title":"AdFind Tool Used for Active Directory Reconnaissance","url":"https://feed.craftedsignal.io/briefs/2024-01-adfind-reconnaissance/"}],"language":"en","title":"CraftedSignal Threat Feed — Active Directory","version":"https://jsonfeed.org/version/1.1"}