Active Directory — CraftedSignal Threat Feed

Potential Active Directory Replication Account Backdoor

hello@craftedsignal.io — Mon, 04 May 2026 14:17:05 +0000

This detection rule identifies modifications to the nTSecurityDescriptor attribute within Active Directory (AD) objects that grant DCSync-related permissions to a user or computer account. This technique allows attackers to create a persistent backdoor, enabling them to re-obtain access to user and computer account hashes. The modification involves assigning specific GUIDs that represent replication rights (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, 89e95b76-444d-4c62-991a-0facbeda640c) to an account’s security descriptor. This allows the attacker to then use DCSync to retrieve credentials from the domain, effectively bypassing normal authentication mechanisms.

Attack Chain

The attacker gains initial access to an account with sufficient privileges to modify Active Directory objects (e.g., Domain Admin).
The attacker uses AD management tools (PowerShell, ADSI Edit, etc.) to target a specific user or computer account.
The attacker modifies the nTSecurityDescriptor attribute of the targeted account.
The attacker grants replication rights to the targeted account by adding specific Access Control Entries (ACEs) containing the GUIDs 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2, and 89e95b76-444d-4c62-991a-0facbeda640c.
The attacker uses the DCSync technique, impersonating a domain controller, to request password hashes.
The Active Directory server, believing the request is legitimate due to the granted replication rights, provides the attacker with the requested credential information.
The attacker obtains password hashes for domain users and computers.
The attacker uses the obtained credentials for lateral movement, privilege escalation, or data exfiltration.

Impact

Successful exploitation allows attackers to compromise the entire Active Directory domain by gaining access to sensitive credential data. This could lead to complete control over the network, including access to critical systems, sensitive data, and the ability to disrupt business operations. The modification of security descriptors creates a persistent backdoor that can be used repeatedly to harvest credentials.

Recommendation

Enable Audit Directory Service Changes to generate the necessary event logs for detection (https://ela.st/audit-directory-service-changes).
Deploy the Sigma rule provided below to detect unauthorized modifications to the nTSecurityDescriptor attribute. Tune the rule to exclude legitimate administrative accounts or scripts that may perform authorized modifications.
Monitor Windows Security Event Logs (event code 5136) for changes to the nTSecurityDescriptor attribute and investigate any unexpected modifications, focusing on the presence of DCSync-related GUIDs.
Regularly review and audit Active Directory permissions, focusing on accounts with replication rights, to ensure they are legitimate and necessary.

CVE-2026-33826: Windows Active Directory Improper Input Validation Vulnerability

hello@craftedsignal.io — Wed, 15 Apr 2026 12:00:00 +0000

CVE-2026-33826 is a vulnerability affecting Windows Active Directory. It stems from improper input validation, potentially enabling an authenticated attacker positioned on an adjacent network to achieve remote code execution. The vulnerability’s impact is significant, as successful exploitation could allow attackers to gain control over critical domain infrastructure. The CVE was published on 2026-04-14. While the specific attack vector isn’t detailed in the initial vulnerability description, the adjacent network requirement suggests that the attacker must be on the same physical or logical network segment as the targeted Active Directory server. Exploitation requires an authenticated user, limiting the scope of potential attackers to those with existing domain credentials.

Attack Chain

Initial Access: An attacker gains valid credentials within the Active Directory domain through compromised accounts or other means.
Network Proximity: The attacker positions themselves on the same physical or logical network segment as the target Active Directory server.
Vulnerability Trigger: The attacker crafts a malicious request containing invalid input designed to exploit the input validation flaw in Active Directory. This request could target a specific Active Directory service or API.
Exploitation: Active Directory processes the malicious request, failing to properly validate the input, and executing attacker-controlled code within the context of the Active Directory service.
Privilege Escalation: The attacker leverages the initially gained code execution to escalate privileges within the Active Directory environment, potentially targeting domain administrator rights.
Lateral Movement: With elevated privileges, the attacker moves laterally across the network, compromising additional systems and services within the domain.
Persistence: The attacker establishes persistent access to the Active Directory environment, ensuring continued control even after system restarts or security mitigations.
Objective: The attacker achieves their final objective, such as data exfiltration, service disruption, or deployment of ransomware across the compromised network.

Impact

Successful exploitation of CVE-2026-33826 could lead to complete compromise of the Active Directory domain. This could result in widespread data breaches, service outages, and significant financial losses. The vulnerability affects any organization relying on Windows Active Directory for authentication and authorization, making it a high-impact threat. The number of potential victims is vast, spanning across various sectors including government, finance, healthcare, and technology.

Recommendation

Apply the security update provided by Microsoft for CVE-2026-33826 as soon as possible to remediate the underlying vulnerability (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33826).
Monitor Active Directory servers for suspicious network connections originating from adjacent networks that may indicate exploitation attempts.
Implement stricter input validation controls within Active Directory environments to prevent similar vulnerabilities in the future.
Monitor event logs on Active Directory servers for unexpected process creation or code execution events that may be related to this vulnerability.
Implement the provided Sigma rule to detect suspicious process creations related to potential exploitation attempts on Active Directory servers.

Potential Abuse of msDS-ManagedAccountPrecededByLink for Privilege Escalation

hello@craftedsignal.io — Mon, 30 Mar 2026 10:27:13 +0000

This threat brief focuses on the modification of the msDS-ManagedAccountPrecededByLink attribute within Active Directory via PowerShell scripts. This activity is flagged as potentially malicious because it could be indicative of an attempt to exploit the ‘BadSuccessor’ privilege escalation vulnerability in Windows Server 2025. The vulnerability, as outlined in Akamai’s research, allows attackers to manipulate managed service account (dMSA) links to gain elevated privileges. The detection is based on identifying specific PowerShell script patterns that include .Put("msDS-ManagedAccountPrecededByLink' and CN=, which are used to modify these critical AD attributes. Defenders should be aware that legitimate administrative tasks might also trigger this detection, so careful tuning and validation are necessary.

Attack Chain

Initial Access: An attacker gains initial access to a system with sufficient privileges to execute PowerShell scripts, possibly through compromised credentials or other initial access vectors (T1078.002).
Discovery: The attacker uses PowerShell to enumerate existing dMSAs and their associated msDS-ManagedAccountPrecededByLink attributes.
Attribute Modification: The attacker crafts a PowerShell script to modify the msDS-ManagedAccountPrecededByLink attribute of a target dMSA. This involves using the .Put("msDS-ManagedAccountPrecededByLink" command and specifying a new distinguished name (CN=) for the preceding account.
Persistence: The attacker leverages the modified dMSA link to establish a persistent foothold in the environment by gaining control over the targeted dMSA.
Privilege Escalation: By manipulating the dMSA links, the attacker effectively inherits the permissions and privileges associated with the compromised dMSA, thereby escalating their own privileges.
Defense Evasion: The attacker may attempt to evade detection by obfuscating the PowerShell script or using other techniques to hide their activity.
Lateral Movement: With elevated privileges, the attacker can move laterally within the network, accessing sensitive resources and systems.

Impact

Successful exploitation of the ‘BadSuccessor’ vulnerability through modification of the msDS-ManagedAccountPrecededByLink attribute can lead to complete domain compromise. An attacker can gain control over critical services and data, potentially resulting in data breaches, service disruptions, and significant financial losses. The impact is amplified in environments heavily reliant on Active Directory for authentication and authorization.

Recommendation

Deploy the provided Sigma rule to your SIEM and tune for your environment to detect potentially malicious modifications to dMSA link attributes via PowerShell (logsource: ps_script, product: windows).
Investigate any alerts triggered by the Sigma rule to determine if the activity is legitimate or indicative of an attempted exploitation of the ‘BadSuccessor’ vulnerability.
Implement strict access controls and monitoring for systems and accounts with the ability to modify Active Directory attributes.
Review and harden Active Directory security configurations to prevent unauthorized modification of sensitive attributes.

Active Directory Group Modification by SYSTEM Account

hello@craftedsignal.io — Sat, 02 Nov 2024 23:59:00 +0000

This detection identifies a user being added to an Active Directory (AD) group by the SYSTEM account (S-1-5-18). This behavior is significant because it can indicate an attacker who has successfully achieved SYSTEM level privileges on a domain controller. Attackers typically obtain SYSTEM privileges by exploiting vulnerabilities in the domain controller, or by abusing default group privileges such as those assigned to Server Operators. Once SYSTEM access is achieved, the attacker can then attempt to pivot to a domain account. This allows them to gain persistent access and control over the AD environment. Successful exploitation enables attackers to perform actions with the privileges of the compromised account, leading to potential data breaches, system compromise, and further lateral movement within the network.

Attack Chain

Initial Access: An attacker gains initial access to the network through various means, such as phishing or exploiting a public-facing application.
Privilege Escalation: The attacker exploits a vulnerability or misconfiguration on a system within the network to achieve local administrator or SYSTEM privileges.
Domain Controller Compromise: The attacker uses their elevated privileges to target a domain controller, exploiting vulnerabilities or weak configurations to gain SYSTEM access on the domain controller itself.
Group Modification: Once the attacker has SYSTEM privileges on a domain controller, they use this access to add a user account to a privileged Active Directory group. This is done by modifying the group membership using tools native to the operating system.
Persistence: By adding a user account to a privileged group, the attacker ensures they have persistent access to the domain, even if their initial access method is discovered and blocked.
Lateral Movement: With the newly acquired group membership, the attacker can now move laterally within the network, accessing resources and systems that were previously inaccessible.
Data Exfiltration / Impact: The attacker leverages their access to locate and exfiltrate sensitive data, or to disrupt critical business operations.

Impact

A successful attack can lead to a wide range of negative consequences, including data breaches, system compromise, and disruption of critical business operations. Attackers can use the compromised account to access sensitive data, modify system configurations, or even deploy ransomware. The scope of impact depends on the permissions and privileges associated with the compromised account and the targeted resources. Furthermore, the incident can damage the organization’s reputation and result in regulatory fines and legal liabilities.

Recommendation

Enable “Audit Security Group Management” to generate the necessary events for detection as detailed in the setup instructions.
Deploy the following Sigma rule to detect potential Active Directory group modifications by the SYSTEM account and tune for your environment.
Investigate any event with event code 4728 where the SubjectUserSid is “S-1-5-18” as described in the overview.
Review the investigation guide outlined in the rule description for triage and analysis steps.

Suspicious DNS-Named Record Creation in Active Directory Integrated DNS

hello@craftedsignal.io — Wed, 22 May 2024 12:00:00 +0000

Active Directory Integrated DNS (ADIDNS) is a core component of AD DS, storing DNS zones as AD objects. The default permission settings allow any authenticated user to create DNS-named records. This creates an opportunity for attackers to perform Dynamic Spoofing attacks by monitoring LLMNR/NBT-NS requests and creating DNS-named records to target systems or specific services like WPAD. This attack can enable credential access by redirecting traffic through attacker-controlled systems, leading to the capture of sensitive information. This activity is detectable by monitoring Windows event code 5137 related to DNS record creation and filtering out legitimate system accounts.

Attack Chain

The attacker gains initial access to a domain-joined system, possibly through compromised credentials or phishing.
The attacker passively monitors LLMNR/NBT-NS broadcast traffic to identify systems being requested on the network.
Upon observing a request for a target system (e.g., WPAD), the attacker creates a DNS-named record in ADIDNS that resolves the target system’s name to an attacker-controlled IP address. This leverages the default permissions in ADIDNS that allow authenticated users to create DNS records.
When a legitimate user attempts to access the target system, the DNS query resolves to the attacker’s IP address.
The user’s traffic is redirected to the attacker’s system.
The attacker intercepts the user’s credentials or other sensitive information.
The attacker may relay captured credentials to other systems on the network.
The attacker achieves credential access and lateral movement within the network.

Impact

Successful exploitation allows attackers to intercept network traffic, steal credentials, and potentially gain unauthorized access to sensitive systems and data within the Active Directory domain. While the severity is low, it can be a stepping stone to further, more damaging attacks.

Recommendation

Enable “Audit Directory Service Changes” to generate the necessary Windows Security Event Logs (event code 5137) for detection.
Deploy the Sigma rule Creation of a DNS-Named Record to detect suspicious DNS record creation events.
Implement stricter access controls on DNS record creation within Active Directory to limit permissions to only necessary and trusted accounts.

Potential ADIDNS Poisoning via Wildcard Record Creation

hello@craftedsignal.io — Fri, 03 May 2024 14:58:00 +0000

Active Directory Integrated DNS (ADIDNS) stores DNS zones as Active Directory objects, which, while providing access control and replication benefits, introduces security issues. A significant concern is the creation of wildcard records due to the default permission allowing any authenticated user to create DNS-named records. By exploiting this, attackers can establish wildcard records to redirect traffic for domain names lacking explicit DNS records, effectively positioning themselves as an adversary-in-the-middle. This manipulation of ADIDNS can lead to credential interception or relay attacks, similar to LLMNR/NBNS spoofing. This poses a high risk to organizations relying on ADIDNS for domain consistency and secure name resolution.

Attack Chain

Attacker authenticates to the domain.
Attacker leverages existing privileges to create a wildcard DNS record (A record) within an ADIDNS zone.
The wildcard record is created with a DN like DC=*,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com, where DC=* signifies the wildcard. Event ID 5137 is generated.
The wildcard record points to a malicious server controlled by the attacker.
A client attempts to resolve a domain name that does not have an explicit DNS record.
Due to the wildcard record, the DNS query resolves to the attacker’s malicious server.
The client connects to the attacker’s server, potentially exposing credentials or other sensitive information.
The attacker intercepts or relays the client’s traffic, gaining unauthorized access or control.

Impact

Successful exploitation allows attackers to intercept network traffic, steal credentials, and potentially gain control over systems within the affected domain. The impact includes unauthorized access to sensitive data, lateral movement within the network, and potential compromise of critical domain services. This can affect any organization using Active Directory Integrated DNS, leading to widespread disruption and data breaches.

Recommendation

Enable “Audit Directory Service Changes” to generate the necessary Windows Security Event Logs (5137) for detecting ADIDNS wildcard record creation as described in the setup instructions.
Deploy the Sigma rule “Potential ADIDNS Poisoning via Wildcard Record Creation” to detect the creation of wildcard DNS records in ADIDNS based on Windows Event ID 5137.
Review and restrict ADIDNS permissions for DNS zones to limit wildcard-creation opportunities, focusing on authenticated-user create-child rights.
Investigate any alerts generated by the Sigma rule, focusing on winlog.event_data.ObjectDN, user.name, and the originating session as outlined in the rule’s note field.

Potential Enumeration via Active Directory Web Service

hello@craftedsignal.io — Wed, 31 Jan 2024 00:00:00 +0000

The Active Directory Web Service (ADWS) facilitates querying Active Directory (AD) over a network, providing a web-based interface for directory services. Adversaries may exploit ADWS to enumerate network resources and user accounts, gaining insights into the environment. This attack involves loading Active Directory related modules and establishing network connections to the ADWS dedicated TCP port 9389. The goal is to gather information about the domain, user accounts, and permissions, which can be used for lateral movement, privilege escalation, and data exfiltration. Detection focuses on identifying suspicious processes loading System.DirectoryServices*.dll or System.IdentityModel*.dll and then connecting to the ADWS port.

Attack Chain

An attacker gains initial access to a compromised host within the target network.
The attacker executes a reconnaissance tool or script (e.g., PowerShell) on the compromised host.
The reconnaissance tool loads Active Directory related modules such as System.DirectoryServices*.dll and System.IdentityModel*.dll.
The reconnaissance tool attempts to establish a network connection to the ADWS service on TCP port 9389, the dedicated port for ADWS.
The tool queries ADWS to retrieve information about domain users (T1087.002), groups (T1069.002), systems (T1018), and permissions.
The attacker analyzes the gathered information to identify privileged accounts and potential targets for lateral movement.
The attacker uses the discovered information to move laterally within the network.
The attacker escalates privileges, and exfiltrates sensitive data.

Impact

Successful exploitation allows attackers to gain detailed knowledge of the Active Directory environment. This information can be used to identify high-value targets, compromise privileged accounts, move laterally within the network, and ultimately achieve their objectives, which could include data theft, ransomware deployment, or disruption of services. The impact can range from data breaches to complete compromise of the Active Directory domain, depending on the attacker’s goals and the level of access they achieve.

Recommendation

Deploy the Sigma rule “Potential ADWS Enumeration via Suspicious Library Loading” to detect processes loading AD-related DLLs (e.g., System.DirectoryServices*.dll, System.IdentityModel*.dll).
Deploy the Sigma rule “Potential ADWS Enumeration via Network Connection” to monitor for network connections to destination port 9389 from unusual processes.
Review and whitelist legitimate administrative tools or scripts that load Active Directory-related modules and connect to the ADWS port as described in the “False positive analysis” section of the original rule documentation.
Implement network segmentation to limit access to the ADWS port (9389) to only trusted systems and users.

Kerberos Pre-authentication Disabled for User Account

hello@craftedsignal.io — Sun, 28 Jan 2024 12:00:00 +0000

This detection identifies instances where the Kerberos pre-authentication requirement is disabled for a user account within an Active Directory environment. Attackers with GenericWrite or GenericAll permissions over a target account can modify the UserAccountControl attribute to disable pre-authentication. This configuration weakens the account’s security posture, making it vulnerable to AS-REP roasting attacks, where attackers can request Kerberos tickets and crack the password offline. The activity is logged as Event ID 4738 in the Windows Security Event Logs, specifically when the NewUACList includes the USER_DONT_REQUIRE_PREAUTH flag. This poses a significant risk, especially if applied to privileged accounts, as it allows adversaries to potentially compromise credentials and escalate privileges within the domain. The detection is based on research and recommendations from Microsoft regarding Kerberos security best practices.

Attack Chain

Initial Access: An attacker gains unauthorized access to an account with sufficient privileges (e.g., Domain Admin, or an account with delegated permissions) to modify user account attributes in Active Directory.
Privilege Escalation: The attacker leverages their initial access to target a specific user account for which they intend to disable Kerberos pre-authentication.
Account Modification: The attacker modifies the UserAccountControl attribute of the target user account, specifically disabling the “Do not require pre-authentication” setting (setting the USER_DONT_REQUIRE_PREAUTH flag). This is often done using tools like Active Directory Users and Computers or PowerShell cmdlets.
Event Logging: The modification triggers a Windows Security Event Log event (Event ID 4738) on the Domain Controller, indicating that the user account attribute has been changed. The NewUACList field in the event data contains USER_DONT_REQUIRE_PREAUTH.
AS-REQ Request: The attacker crafts an AS-REQ (Authentication Service Request) to the Kerberos Key Distribution Center (KDC) for the targeted user account. Since pre-authentication is disabled, the KDC processes the request without requiring pre-authentication.
AS-REP Response: The KDC issues an AS-REP (Authentication Service Response) to the attacker, containing an encrypted Ticket Granting Ticket (TGT) for the targeted user account.
Offline Cracking: The attacker extracts the encrypted TGT from the AS-REP response and attempts to crack it offline using password cracking tools and techniques, such as hashcat or John the Ripper.
Credential Access: Upon successfully cracking the TGT, the attacker obtains the plaintext password for the targeted user account. This password can then be used for lateral movement, privilege escalation, and further malicious activities within the domain.

Impact

Compromising user accounts through AS-REP roasting can have significant consequences. Attackers can gain unauthorized access to sensitive resources, escalate privileges, and move laterally within the network. Successful AS-REP roasting leads to credential compromise, which could result in data breaches, system compromise, and disruption of services. Organizations failing to monitor and prevent Kerberos pre-authentication disabling are at an increased risk of credential theft and subsequent exploitation, potentially affecting all systems within the compromised domain.

Recommendation

Enable “Audit User Account Management” and ensure Windows Security Event Logs (specifically Event ID 4738) are being collected and forwarded to your SIEM for analysis as described in the setup instructions linked in the rule source.
Deploy the provided Sigma rule to detect Event ID 4738 events where the NewUACList contains USER_DONT_REQUIRE_PREAUTH within your environment to identify potential AS-REP roasting vulnerabilities.
Investigate any instances of disabled pre-authentication, especially on privileged accounts, following the triage steps outlined in the rule documentation.
Enforce the principle of least privilege by reviewing and restricting the privileges assigned to users and groups to prevent unauthorized modification of Active Directory user account attributes.
Monitor for suspicious Kerberos authentication patterns and investigate any anomalies that might indicate AS-REP roasting attempts.

Active Directory msPKIAccountCredentials Modification

hello@craftedsignal.io — Fri, 26 Jan 2024 18:25:00 +0000

The msPKIAccountCredentials attribute in Active Directory stores encrypted credential data, including private keys and certificates. An attacker can modify this attribute to escalate privileges by overwriting an arbitrary file. This is achieved by modifying the msPKIAccountCredentials attribute of a user object with malicious credential objects. Successful exploitation allows the attacker to gain elevated privileges within the domain. The attack leverages the Windows credential roaming feature to inject these malicious credentials. This activity is detected via event code 5136 in the Windows Security Event Logs.

Attack Chain

An attacker gains initial access to a domain-joined system, possibly through compromised credentials or phishing.
The attacker identifies a target Active Directory user account to manipulate.
The attacker crafts a malicious payload containing an encrypted credential object.
The attacker uses a tool or script (e.g., PowerShell, adsiedit.msc) to modify the target user’s msPKIAccountCredentials attribute in Active Directory.
The attacker triggers credential roaming, causing the modified attribute to be propagated to other domain-joined systems where the target user logs in.
When the target user logs in, the malicious credential object is processed, potentially overwriting a critical system file.
The attacker leverages the overwritten file to execute arbitrary code with elevated privileges.
The attacker achieves privilege escalation and gains further access to the network.

Impact

Successful modification of the msPKIAccountCredentials attribute can lead to complete domain compromise. Attackers can gain control over critical systems and data within the Active Directory environment. While the exact number of potential victims is unknown, any organization utilizing Active Directory is potentially vulnerable. This attack allows for lateral movement, data exfiltration, and potentially the deployment of ransomware.

Recommendation

Enable “Audit Directory Service Changes” to generate the necessary event logs (https://ela.st/audit-directory-service-changes).
Deploy the Sigma rule Modification of msPKIAccountCredentials in Active Directory to detect suspicious modifications of the attribute.
Review and harden Active Directory access controls, limiting which accounts can modify the msPKIAccountCredentials attribute.
Monitor event code 5136 in the Windows Security Event Logs for modifications to the msPKIAccountCredentials attribute.
Create exceptions in your SIEM for authorized administrative accounts that legitimately modify this attribute to reduce false positives as described in the “False positive analysis” section above.

First Time Seen Account Performing DCSync

hello@craftedsignal.io — Thu, 25 Jan 2024 12:00:00 +0000

The DCSync attack is a technique used to retrieve credential information from Active Directory, potentially leading to complete domain compromise. This attack involves initiating the Active Directory replication process, which is normally reserved for domain controllers. This detection identifies user accounts initiating this process for the first time, which can be an indicator of malicious activity. This activity is detected via Windows Security Event Logs and focuses on the identification of the initial use of replication protocols. Attackers exploit this to steal credentials or sensitive data stored within the Active Directory. This technique can be used to escalate privileges and move laterally within the network, eventually leading to data exfiltration or other malicious objectives.

Attack Chain

An attacker gains initial access to a system within the target network.
The attacker escalates privileges to obtain the necessary rights to perform DCSync. This may involve exploiting vulnerabilities or using stolen credentials.
The attacker uses a tool like Mimikatz or custom scripts to initiate the Active Directory replication process.
The tool requests replication of directory data, specifically targeting credential information. This involves using the DS-Replication-Get-Changes or similar replication-right GUIDs.
The Active Directory server responds by providing the requested data, which includes password hashes and other sensitive information.
The attacker extracts the credential information from the replicated data.
The attacker uses the extracted credentials to move laterally within the network and access other systems or data.
The attacker achieves their final objective, such as data exfiltration, ransomware deployment, or long-term persistence.

Impact

A successful DCSync attack can lead to the compromise of the entire Active Directory domain. This can result in widespread data breaches, loss of sensitive information, and significant disruption to business operations. Attackers can gain access to critical systems and data, potentially leading to financial losses, reputational damage, and legal liabilities. The number of potential victims is dependent on the size of the compromised Active Directory environment.

Recommendation

Enable “Audit Directory Service Access” to generate the necessary Windows Security Event Logs (event code 4662) as described in the setup instructions.
Deploy the Sigma rule “Detect First Time DCSync Activity” to your SIEM and tune for your environment to identify suspicious DCSync behavior.
Investigate any alerts generated by the Sigma rule, focusing on the SubjectUserSid, SubjectUserName, Properties, AccessMask, and computer_name fields in the Windows Security Event Logs.
Monitor for changes to Active Directory object permissions (5136 events) that could grant unauthorized users DCSync capabilities as outlined in the triage and analysis steps.

SeEnableDelegationPrivilege Assignment Detection

hello@craftedsignal.io — Wed, 03 Jan 2024 17:23:00 +0000

The SeEnableDelegationPrivilege user right, when assigned to a security principal, allows that principal to be trusted for delegation within Active Directory. Attackers can abuse this right to compromise accounts and elevate privileges by impersonating other users or services. This technique can be used for lateral movement, persistence, and ultimately, domain dominance. Defenders should monitor for the assignment of this privilege, especially to accounts that should not have it. The targeted behavior is logged as event ID 4704 in Windows Security logs. This activity is critical to monitor as it represents a powerful tool for attackers to move laterally and maintain persistence within a compromised environment.

Attack Chain

An attacker gains initial access to a compromised account with sufficient privileges to modify user rights.
The attacker assigns the SeEnableDelegationPrivilege to a target account using tools like ntrights.exe or PowerShell cmdlets.
Windows Security Event 4704 is generated, logging the privilege assignment.
The attacker modifies the target account’s attributes, such as userAccountControl or msDS-AllowedToDelegateTo, to enable delegation.
The attacker leverages Kerberos delegation to impersonate other users or services.
Using the impersonated credentials, the attacker accesses sensitive resources or performs privileged actions.
The attacker moves laterally within the network, compromising additional systems and accounts.
The attacker achieves their final objective, such as data exfiltration or domain dominance.

Impact

Successful exploitation allows attackers to compromise Active Directory accounts and elevate privileges, potentially leading to full control over the domain. The impact includes unauthorized access to sensitive data, lateral movement to critical systems, and the potential for long-term persistence. Depending on the compromised accounts, the entire organization can be at risk.

Recommendation

Enable “Audit Authorization Policy Change” to generate Windows Security Event ID 4704 (Setup instructions: https://ela.st/audit-authorization-policy-change).
Deploy the Sigma rule “Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal” to your SIEM to detect the assignment of this privilege.
Investigate any instances where SeEnableDelegationPrivilege is assigned, focusing on the targeted account and the source of the change.
Monitor for modifications to delegation-related attributes on user and computer objects.

Detection of NetExec Hacktool Execution

hello@craftedsignal.io — Wed, 03 Jan 2024 14:35:00 +0000

NetExec, previously known as CrackMapExec, is a post-exploitation tool commonly used during Active Directory penetration testing. It is also favored by red teams and malicious actors for reconnaissance, lateral movement, and credential harvesting within Windows networks. This tool allows for the enumeration of hosts, exploitation of network services, and remote command execution. The use of NetExec in an enterprise environment is considered suspicious due to its capabilities for identifying vulnerable systems and facilitating unauthorized access. Defenders should monitor for its execution, as it is often a precursor to more serious attacks, including ransomware deployment, such as the Lynx ransomware.

Attack Chain

An attacker gains initial access to a Windows system via an exploit or compromised credentials.
NetExec (nxc.exe) is deployed on the compromised host, often copied to a temporary directory.
NetExec is executed with commands to enumerate network shares and identify potential targets using SMB.
The tool uses LDAP to query Active Directory for user accounts, groups, and organizational units.
NetExec attempts to authenticate to other systems using gathered or compromised credentials via protocols such as SMB, SSH, or RDP.
Successful authentication allows for remote command execution via WMI or WinRM.
The attacker leverages identified vulnerabilities or misconfigurations to escalate privileges on the target systems.
The attacker moves laterally through the network, gaining access to sensitive data or deploying ransomware like Lynx.

Impact

Successful execution of NetExec can lead to widespread compromise within an Active Directory environment. Attackers can identify and exploit vulnerable systems, harvest credentials, and move laterally to gain access to critical assets. This can result in data theft, system disruption, and ransomware deployment, potentially affecting hundreds or thousands of systems depending on the size of the organization. The tool is often used as a precursor to ransomware attacks, where entire networks can be encrypted, leading to significant financial and reputational damage.

Recommendation

Deploy the Sigma rule HackTool - NetExec Execution to your SIEM to detect the execution of NetExec based on process creation logs.
Monitor process creation events for nxc.exe with command-line arguments associated with network protocols like ftp, ldap, mssql, nfs, rdp, smb, ssh, vnc, winrm, and wmi.
Implement strict access controls and regularly audit Active Directory to minimize the potential for lateral movement.
Consider using application control solutions to prevent the execution of unauthorized tools like nxc.exe.

Active Directory Discovery via ADExplorer Execution

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

ADExplorer is an advanced Active Directory (AD) viewer and editor, it includes the ability to save snapshots of an AD database for offline viewing and comparisons. Adversaries may abuse this utility to perform domain reconnaissance, gather sensitive information about the AD structure, user accounts, and group memberships. The execution of ADExplorer is a potential indicator of malicious activity, especially when observed in environments where its use is not typical or when executed by unauthorized users. This activity can lead to further exploitation, such as privilege escalation and lateral movement within the network.

Attack Chain

An attacker gains initial access to a Windows system through various means (e.g., compromised credentials, phishing).
The attacker downloads the ADExplorer utility (ADExplorer.exe) to the compromised host.
The attacker executes ADExplorer.exe to begin enumeration of the Active Directory environment.
ADExplorer interacts with the Active Directory domain controllers, querying information about users, groups, computers, and organizational units.
The attacker may use ADExplorer to save snapshots of the AD database for offline analysis.
The attacker analyzes the gathered information to identify privileged accounts, critical assets, and potential vulnerabilities within the AD environment.
The attacker uses the discovered information to plan further attacks, such as lateral movement or privilege escalation.

Impact

Successful execution of ADExplorer by malicious actors can lead to the discovery of sensitive information about the Active Directory environment. This information can be leveraged to facilitate lateral movement, privilege escalation, and data exfiltration. While the initial risk score is low, the reconnaissance activity enables follow-on attacks that can have severe consequences, potentially leading to full domain compromise.

Recommendation

Implement the Sigma rule Detect ADExplorer Execution via Process Name to detect the execution of ADExplorer based on process name.
Implement the Sigma rule Detect ADExplorer Execution via Original File Name to detect the execution of ADExplorer based on the process’s original file name.
Monitor process creation events on Windows endpoints for the execution of ADExplorer.exe or processes with an original file name of “AdExp” to detect potential reconnaissance activities.
Investigate and validate any execution of ADExplorer by non-administrator accounts.
Review ADExplorer use and restrict its usage to authorized personnel.

Potential Credential Access via DCSync

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

The DCSync attack is a technique that allows an attacker to use the Windows Domain Controller’s API to simulate the replication process from a remote domain controller. This enables the attacker to compromise critical credential material, such as Kerberos krbtgt keys, which can then be used for ticket creation and forgery. This attack requires specific privileges (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), typically granted to members of the Administrators, Domain Admins, Enterprise Admins, and Domain Controllers groups. This rule focuses on detecting the initiation of the Active Directory replication process by user accounts, which could indicate a DCSync attack. The rule specifically monitors for Event ID 4662, filtering out computer accounts and Azure AD Connect MSOL accounts to reduce false positives.

Attack Chain

An attacker gains initial access to a system with a privileged account (e.g., Domain Admin).
The attacker uses the privileged account to grant an attacker-controlled object the right to DCsync/Replicate.
The attacker initiates an Active Directory replication process using the granted rights.
Windows generates Event ID 4662 (Operation was performed on an Active Directory object) with Access Mask 0x100 (Control Access).
The event properties include DS-Replication-Get-Changes or DS-Replication-Get-Changes-All or DS-Replication-Get-Changes-In-Filtered-Set.
The attacker extracts sensitive information such as password hashes.
The attacker forges Kerberos tickets using the compromised credentials.
The attacker achieves domain dominance.

Impact

A successful DCSync attack can lead to the compromise of the entire Active Directory domain. Attackers can steal credential information, including the krbtgt key, allowing them to forge Kerberos tickets and gain unauthorized access to any resource within the domain. This can lead to data breaches, system outages, and significant financial and reputational damage.

Recommendation

Enable “Audit Directory Service Access” to generate the required event logs (Event ID 4662) for detection, as indicated in the setup instructions.
Deploy the provided Sigma rule Detect Potential DCSync Activity to identify suspicious Active Directory replication events in your SIEM.
Investigate any alerts generated by the Sigma rule by correlating security events 4662 and 4624 by Logon ID on the Domain Controller.
Review and restrict the privileges granted to accounts with DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights.

AdFind Tool Used for Active Directory Reconnaissance

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

AdFind is a command-line tool used to retrieve information from Active Directory. While it has legitimate uses for network administrators, threat actors frequently leverage it for post-exploitation Active Directory reconnaissance. The tool allows for quick scoping of AD person/computer objects and understanding subnets and domain information. AdFind has been observed in campaigns associated with various threat actors, including Trickbot, Ryuk, Maze, and FIN6. This reconnaissance activity is typically conducted after initial compromise to gather information for lateral movement and privilege escalation. The detection of AdFind execution, especially with specific command-line arguments, can indicate malicious activity within a compromised environment.

Attack Chain

Initial Access: An attacker gains initial access to a Windows host, possibly through exploitation of a vulnerability or compromised credentials.
Tool Transfer: The attacker transfers AdFind.exe to the compromised host.
Execution: The attacker executes AdFind.exe from the command line or via a script.
Discovery: AdFind is used to enumerate Active Directory objects such as computers (objectcategory=computer), users (objectcategory=person), subnets (objectcategory=subnet), and groups (objectcategory=group).
Information Gathering: The attacker gathers information about domain controllers using commands such as dclist or dcmodes.
Privilege Escalation: The gathered information is used to identify potential targets for privilege escalation, such as accounts with weak passwords or misconfigured permissions.
Lateral Movement: The attacker uses the gathered information to move laterally to other systems within the network.
Objective Completion: The attacker achieves their final objective, such as data exfiltration or ransomware deployment.

Impact

Successful reconnaissance using AdFind can provide attackers with a comprehensive understanding of the Active Directory environment, facilitating lateral movement, privilege escalation, and ultimately, the exfiltration of sensitive data or deployment of ransomware. While the use of AdFind itself may not be directly damaging, it is a strong indicator of malicious activity within a compromised network. The impact can range from data breaches and financial losses to reputational damage and disruption of business operations.

Recommendation

Deploy the Sigma rule “AdFind Command Activity” to your SIEM to detect the execution of AdFind with suspicious command-line arguments.
Enable Sysmon process-creation logging to provide the necessary data for the Sigma rule to function effectively (reference the Sysmon setup documentation).
Investigate any alerts generated by the “AdFind Command Activity” Sigma rule to determine the scope and impact of the potential compromise.
Monitor process execution events for AdFind-related activity, focusing on command-line arguments used to query Active Directory objects (reference the query field in the original rule).
Implement network segmentation to limit the scope of potential lateral movement following a successful compromise.