<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Active_directory — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/active_directory/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/active_directory/feed.xml" rel="self" type="application/rss+xml"/><item><title>User Added to Privileged Group in Active Directory</title><link>https://feed.craftedsignal.io/briefs/2024-01-ad-privileged-group-addition/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-ad-privileged-group-addition/</guid><description>Adversaries may add a user to a privileged group in Active Directory, such as Domain Admins, to maintain persistent access and elevate privileges within the domain.</description><content:encoded><![CDATA[<p>Attackers often target Active Directory (AD) to gain control over a network. Adding a user account to a highly privileged group, such as Domain Admins or Enterprise Admins, is a common tactic for establishing persistence and escalating privileges. By compromising an account with the ability to manage group memberships or exploiting vulnerabilities, an attacker can add their own rogue account to a privileged group, granting them extensive control over the AD domain. This activity might go unnoticed amidst legitimate administrative actions, making it a stealthy method of maintaining unauthorized access. 
This is a common post-compromise technique for securing long-term access to critical systems and data. Detecting it means watching the Security log on the domain controllers for the group-membership events: 4728 (member added to a security-enabled global group, e.g. Domain Admins), 4756 (universal group, e.g. Enterprise Admins) and 4732 (domain-local group, e.g. the built-in Administrators group). Each of these records the acting account (SubjectUserName), the group (TargetSid) and the new member (MemberName/MemberSid), which is everything a detection needs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial compromise of a low-privileged user account through phishing or credential theft.</li>
<li>Lateral movement to a system with access to Active Directory management tools.</li>
<li>Privilege escalation to an account with permissions to modify group memberships (e.g., leveraging exploits or credential dumping).</li>
<li>Use of AD management tools (e.g., Active Directory Users and Computers, PowerShell with AD module) to add the attacker-controlled user account to a privileged group, such as Domain Admins (RID 512).</li>
<li>The attacker logs in with the newly privileged account.</li>
<li>The attacker uses their elevated privileges to access sensitive data, install backdoors, or perform other malicious activities.</li>
<li>The attacker may delete the initially compromised account, or strip its group membership, to cover their tracks.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful addition of an attacker-controlled user to a privileged AD group grants near-total control over the domain. This can lead to widespread data breaches, ransomware deployment across the entire network, compromise of sensitive systems, and long-term disruption of business operations. The impact extends to every domain-joined system and resource, potentially affecting thousands of users and devices. Recovery is expensive: at minimum every privileged credential must be reset (including the krbtgt account, twice, to invalidate forged Kerberos tickets), and where the attacker held Domain Admin long enough to plant further persistence, a full rebuild of the Active Directory environment may be the only trustworthy option.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable the &ldquo;Audit Security Group Management&rdquo; subcategory (Advanced Audit Policy, Account Management) on all domain controllers so that membership changes generate events 4728, 4732 and 4756 (and 4729, 4733 and 4757 for removals).</li>
<li>Deploy the Sigma rule &ldquo;User Added to Privileged Group in Active Directory&rdquo; to your SIEM to detect additions to privileged groups, tuning the rule for known provisioning accounts and ticketed change windows rather than suppressing the events outright.</li>
<li>Monitor for unexpected use of AD management tools, such as <code>Active Directory Users and Computers</code> or the <code>ActiveDirectory</code> PowerShell module (e.g. <code>Add-ADGroupMember</code>), especially from hosts that are not designated administrative workstations.</li>
<li>Investigate any alerts generated by the Sigma rule by verifying the legitimacy of the user adding members to the group and validating the need for the new member to have those privileges.</li>
<li>Regularly review the membership of privileged groups and remove any unauthorized or unnecessary accounts.</li>
</ul>
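<p>The detection the recommendations describe, as an added example (not code from this brief or from the Sigma rule it cites): a small detector that consumes 4728/4732/4756 records, maps the group's SID to a privileged group by its well-known RID or built-in SID, and reports the addition. The sample events, the domain SID, the account names and the host names are constructed for the example; the field names are those of the Windows Security log. Approved provisioning accounts are a tuning input, and their additions are still reported at a lower severity rather than dropped, so a compromised approved account cannot hide.</p>

```python
"""Privileged-group-addition detector over Windows Security events.

Added example, not code from the CraftedSignal brief or from the Sigma rule
it cites.  The event records below are constructed to mirror the EventData
fields of 4728/4732/4756 (member added to a security-enabled group); the
domain SID, account names and host names are invented.
"""
from dataclasses import dataclass
from typing import Optional

# "Audit Security Group Management" add events, keyed by group scope.
ADD_EVENTS = {
    4728: "security-enabled global group",     # e.g. Domain Admins
    4732: "security-enabled local group",      # e.g. BUILTIN\Administrators
    4756: "security-enabled universal group",  # e.g. Enterprise Admins
}

# Well-known RIDs that end the domain SID (S-1-5-21-<domain>-<RID>).
PRIVILEGED_DOMAIN_RIDS = {
    "512": "Domain Admins",
    "516": "Domain Controllers",
    "518": "Schema Admins",
    "519": "Enterprise Admins",
}

# Built-in domain-local groups carry fixed SIDs that do not embed the domain SID.
PRIVILEGED_BUILTIN_SIDS = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}


def privileged_group_name(target_sid: str) -> Optional[str]:
    """Map the TargetSid of a group event to a privileged group name, or None."""
    if target_sid in PRIVILEGED_BUILTIN_SIDS:
        return PRIVILEGED_BUILTIN_SIDS[target_sid]
    if target_sid.startswith("S-1-5-21-"):
        rid = target_sid.rsplit("-", 1)[1]
        return PRIVILEGED_DOMAIN_RIDS.get(rid)
    return None


@dataclass(frozen=True)
class Alert:
    severity: str
    event_id: int
    group: str
    member: str
    actor: str
    computer: str


def detect(events, approved_actors=frozenset()):
    """Return one Alert per addition to a privileged group.

    approved_actors (tuning) lists provisioning accounts expected to make such
    changes; their additions are still reported, at 'info' severity, so that a
    compromised approved account does not disappear from view.
    """
    alerts = []
    for ev in events:
        if ev["EventID"] not in ADD_EVENTS:
            continue  # removals (4729/4733/4757) and unrelated events
        data = ev["EventData"]
        group = privileged_group_name(data["TargetSid"])
        if group is None:
            continue  # addition to an ordinary group
        actor = data["SubjectUserName"]
        severity = "info" if actor in approved_actors else "high"
        alerts.append(Alert(severity, ev["EventID"], group, data["MemberName"],
                            actor, ev["Computer"]))
    return alerts


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # invented domain SID

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4728, "Computer": "DC01.corp.example",
     "EventData": {"TargetUserName": "Domain Admins", "TargetSid": f"{DOMAIN}-512",
                   "MemberName": "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
                   "MemberSid": f"{DOMAIN}-1157",
                   "SubjectUserName": "jdoe", "SubjectUserSid": f"{DOMAIN}-1104"}},
    {"EventID": 4728, "Computer": "DC01.corp.example",
     "EventData": {"TargetUserName": "Marketing", "TargetSid": f"{DOMAIN}-2301",
                   "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example",
                   "MemberSid": f"{DOMAIN}-1190",
                   "SubjectUserName": "helpdesk01", "SubjectUserSid": f"{DOMAIN}-1120"}},
    {"EventID": 4732, "Computer": "DC02.corp.example",
     "EventData": {"TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
                   "MemberName": "CN=adm-tier0-02,OU=Admins,DC=corp,DC=example",
                   "MemberSid": f"{DOMAIN}-1301",
                   "SubjectUserName": "adm-provision", "SubjectUserSid": f"{DOMAIN}-1100"}},
    {"EventID": 4729, "Computer": "DC01.corp.example",  # removal, ignored here
     "EventData": {"TargetUserName": "Domain Admins", "TargetSid": f"{DOMAIN}-512",
                   "MemberName": "CN=old-admin,OU=Admins,DC=corp,DC=example",
                   "MemberSid": f"{DOMAIN}-1050",
                   "SubjectUserName": "adm-provision", "SubjectUserSid": f"{DOMAIN}-1100"}},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, approved_actors={"adm-provision"}):
        print(f"[{a.severity}] {a.event_id} {a.actor} added {a.member} "
              f"to {a.group} on {a.computer}")
```

<p>Matching on the SID rather than the group's display name is deliberate: an attacker with enough rights can rename Domain Admins, but the RID 512 at the end of its SID never changes.</p>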
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>persistence</category><category>privilege_escalation</category><category>active_directory</category></item><item><title>Suspicious Access to LDAP Attributes</title><link>https://feed.craftedsignal.io/briefs/2024-01-suspicious-ldap-attributes/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-suspicious-ldap-attributes/</guid><description>The rule detects suspicious access to LDAP attributes in Active Directory by identifying read access to a high number of Active Directory object attributes, which can help adversaries find vulnerabilities, elevate privileges, or collect sensitive information.</description><content:encoded><![CDATA[<p>This rule identifies read access to a large number of Active Directory object attributes, activity that helps an adversary find misconfigurations, elevate privileges, or collect sensitive information. It keys on Security event 4662 (an operation was performed on an object), filtering for accesses whose AccessMask is 0x10 (&lsquo;Read Property&rsquo;) and whose Properties value, the list of attribute GUIDs that were read, is at least 2000 characters long. Note that the threshold is on the length of that field, not on a count of properties: each GUID entry is about 40 characters, so 2000 characters corresponds to roughly 50 attributes read from one object in a single operation, far more than ordinary lookups touch. The rule is intended to surface reconnaissance within an Active Directory environment by giving security teams visibility into unusual access patterns that may indicate malicious intent.</p>
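<p>The rule's logic as an added example (not the vendor's rule and not code from this brief): the same three conditions, 4662, a Read Property access mask, and a Properties value of at least 2000 characters, applied to constructed event records. The account names, object DNs and attribute GUIDs are invented, and the Properties string only resembles the real event's GUID list. Ignoring the local SYSTEM, LOCAL SERVICE and NETWORK SERVICE SIDs is a tuning choice of this example, not something the brief states.</p>

```python
"""Bulk attribute-read detector for Security event 4662.

Added example, not the rule the brief cites; it implements the same test
(AccessMask 0x10 = Read Property, Properties value >= 2000 characters) over
constructed records.  The account names, object DNs and attribute GUIDs are
invented, and the Properties layout only resembles the real event's
"{guid}\r\n\t\t{guid}" list.  Skipping the local SYSTEM/service SIDs is a
tuning choice of this example, not part of the brief.
"""
import re
import uuid

READ_PROPERTY = 0x10      # ACTRL_DS_READ_PROP bit in the 4662 AccessMask
THRESHOLD_CHARS = 2000    # the brief's length(winlog.event_data.Properties) >= 2000
LOCAL_SYSTEM_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}   # tuning assumption
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def attribute_count(properties: str) -> int:
    """Number of attribute / property-set GUIDs listed in the Properties field."""
    return len(GUID_RE.findall(properties))


def is_bulk_attribute_read(event, threshold_chars=THRESHOLD_CHARS) -> bool:
    """Apply the rule's conditions to one event dict."""
    if event.get("EventID") != 4662:
        return False
    data = event["EventData"]
    if data["SubjectUserSid"] in LOCAL_SYSTEM_SIDS:
        return False  # the DC itself reads the directory constantly
    if (int(data["AccessMask"], 16) & READ_PROPERTY) == 0:
        return False  # e.g. 0x20 = Write Property, a different detection
    return len(data["Properties"]) >= threshold_chars


def scan(events):
    """Return (actor, object, attribute count) for each matching event."""
    hits = []
    for ev in events:
        if is_bulk_attribute_read(ev):
            d = ev["EventData"]
            hits.append((d["SubjectUserName"], d["ObjectName"],
                         attribute_count(d["Properties"])))
    return hits


def make_properties(n: int) -> str:
    """Build a Properties string listing n deterministic, invented GUIDs."""
    guids = (str(uuid.uuid5(uuid.NAMESPACE_DNS, f"attr-{i}.example"))
             for i in range(n))
    return "Read Property\r\n\t" + "\r\n\t\t".join("{%s}" % g for g in guids)


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # invented domain SID

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 4662, "EventData": {          # ~60 attributes in one read: hit
        "SubjectUserName": "jdoe", "SubjectUserSid": f"{DOMAIN}-1104",
        "ObjectName": "CN=adm-tier0-01,OU=Admins,DC=corp,DC=example",
        "AccessMask": "0x10", "Properties": make_properties(60)}},
    {"EventID": 4662, "EventData": {          # a handful of attributes: normal
        "SubjectUserName": "asmith", "SubjectUserSid": f"{DOMAIN}-1190",
        "ObjectName": "CN=asmith,OU=Users,DC=corp,DC=example",
        "AccessMask": "0x10", "Properties": make_properties(5)}},
    {"EventID": 4662, "EventData": {          # SYSTEM on the DC: tuned out
        "SubjectUserName": "DC01$", "SubjectUserSid": "S-1-5-18",
        "ObjectName": "DC=corp,DC=example",
        "AccessMask": "0x10", "Properties": make_properties(60)}},
    {"EventID": 4662, "EventData": {          # Write Property, not a read
        "SubjectUserName": "jdoe", "SubjectUserSid": f"{DOMAIN}-1104",
        "ObjectName": "CN=svc-sql,OU=Service Accounts,DC=corp,DC=example",
        "AccessMask": "0x20", "Properties": make_properties(60)}},
]

if __name__ == "__main__":
    for actor, obj, count in scan(SAMPLE_EVENTS):
        print(f"{actor} read {count} attributes of {obj}")
```

<p>Running the sample shows why the threshold is coarse: 60 GUIDs clear 2000 characters comfortably while 47 do not, so an adversary reading attributes in smaller batches per object slips under it. Counting GUIDs across all 4662 events from one account in a short window, as <code>attribute_count</code> makes possible, is the natural follow-up when tuning.</p>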
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a system within the target network, typically through compromised credentials or a phishing attack.</li>
<li>The attacker uses the compromised account to query Active Directory via LDAP.</li>
<li>The attacker issues a series of LDAP queries, requesting a large number of attributes for various Active Directory objects, triggering event ID 4662.</li>
<li>Each audited access records the list of attribute GUIDs read in <code>winlog.event_data.Properties</code>; for bulk reads that value exceeds the rule's 2000-character threshold.</li>
<li>The attacker analyzes the gathered information to identify potential targets, such as privileged accounts, sensitive data stores, or vulnerable systems.</li>
<li>The attacker attempts to elevate privileges by exploiting identified vulnerabilities or misconfigurations within Active Directory.</li>
<li>The attacker uses the elevated privileges to access sensitive information or move laterally within the network.</li>
<li>The attacker achieves their objective, such as data exfiltration or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful reconnaissance of this kind lets attackers map the Active Directory environment, identify exploitable misconfigurations, elevate privileges, and move laterally within the network. This can lead to data breaches, system compromise, and significant disruption to business operations. The number of victims and the sectors affected depend on the scope and objectives of the attacker.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable the &ldquo;Audit Directory Service Access&rdquo; subcategory (Advanced Audit Policy, DS Access) on all domain controllers so that event 4662 is generated. Note that 4662 is only written for objects whose SACL audits the access in question, so confirm that the objects you care about carry a Read Property audit entry.</li>
<li>Deploy the Sigma rule &ldquo;Suspicious Access to LDAP Attributes&rdquo; to your SIEM and tune the threshold (<code>length(winlog.event_data.Properties) &gt;= 2000</code>) for your environment; baseline legitimate bulk readers such as directory synchronisation, backup and vulnerability-scanning accounts before relying on the alert.</li>
<li>Review event logs for event code 4662, focusing on the <code>winlog.event_data.Properties</code> field, to understand which attributes were accessed.</li>
<li>Identify the account behind the queries from <code>winlog.event_data.SubjectUserSid</code> (and <code>SubjectUserName</code>); because 4662 does not record the client address, correlate the account's logon session (<code>SubjectLogonId</code>) with the matching 4624 logon event to find the source machine.</li>
</ul>
]]></content:encoded><category domain="severity">low</category><category domain="type">advisory</category><category>active_directory</category><category>ldap</category><category>discovery</category><category>windows</category></item></channel></rss>