18 WAYS TO DETECT MALICIOUS ACTIONS IN YOUR ACTIVE DIRECTORY LOGS USING SIEM

Active Directory is a major part of most businesses' IT infrastructure. It manages permissions and access to networked resources on your domain, among a variety of other tasks.

Due to this, Active Directory is usually one of the first log types added to a SIEM. Here, I am going to discuss the most important things you need to be looking for in your Active Directory logs. Before going on, a few things to say.

FAILED LOGIN VARIATIONS (4625)

The most common logs you will get from your AD servers will be logins, whether they are successful or failed. Failed logins can be an indication of malicious activity – most commonly brute forcing. There are several different ways you can look at failed logins.

1. FAILED LOGINS FOR USER

  • Event ID = 4625
  • X number of failed logins in X minutes with the same username

Why did I not give you a number of logins or a time window? This is because it depends on your login policies and also your risk appetite. Does your company lock a user account for 5 minutes after 3 failed logins in 5 minutes? Then don’t set the number of failed logins to 4. You may also want to set lower numbers of failed logins on critical

2. PASSWORD SPRAYING

  • Event ID = 4625
  • Same Source
  • 2 or more usernames within X minutes

Password spraying is when an attacker tries the details for many accounts within a short period of time from the same source. You will need to play around with the threshold and also create exceptions for Citrix servers, shared workstations and things like that.

3. ATTEMPTED DISABLED ACCOUNT USAGE

  • Event ID = 4625
  • Sub Status Code is 0xC0000072

The attempted use of disabled accounts may indicate malicious behaviour or, more likely, ex-employees trying to log in. Any attempts to log in to disabled accounts should be investigated.

4. ATTEMPTED EXPIRED ACCOUNT USAGE

  • Event ID = 4625
  • Sub Status Code is 0xC0000193

Similar to the previous rule, attackers or ex-employees may try to access expired accounts.
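The four failed-login rules above, implemented as an added example (this is not code from the original post) over a handful of constructed 4625 events. The field names `ts`, `user`, `src` and `sub_status` are assumptions standing in for whatever your SIEM calls the timestamp, target username, source address and Sub Status fields; the thresholds are the page's placeholders and should be tuned to your lockout policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4625 (failed logon) events, not real log data.
# Field names are simplified stand-ins for the SIEM's own field names.
SAMPLE_4625 = [
    {"ts": "2024-01-10T09:00:00", "user": "jsmith", "src": "10.0.0.5", "sub_status": "0xC000006A"},
    {"ts": "2024-01-10T09:00:20", "user": "jsmith", "src": "10.0.0.5", "sub_status": "0xC000006A"},
    {"ts": "2024-01-10T09:00:40", "user": "jsmith", "src": "10.0.0.5", "sub_status": "0xC000006A"},
    {"ts": "2024-01-10T09:01:00", "user": "jsmith", "src": "10.0.0.5", "sub_status": "0xC000006A"},
    {"ts": "2024-01-10T09:05:00", "user": "admin", "src": "10.0.0.9", "sub_status": "0xC000006A"},
    {"ts": "2024-01-10T09:05:05", "user": "bjones", "src": "10.0.0.9", "sub_status": "0xC000006A"},
    {"ts": "2024-01-10T09:05:10", "user": "clee", "src": "10.0.0.9", "sub_status": "0xC000006A"},
    {"ts": "2024-01-10T09:30:00", "user": "oldstaff", "src": "10.0.0.22", "sub_status": "0xC0000072"},
    {"ts": "2024-01-10T10:15:00", "user": "contractor", "src": "10.0.0.23", "sub_status": "0xC0000193"},
]

# Sub Status codes from the post: disabled and expired accounts (lower-cased for comparison).
SUB_STATUS = {"0xc0000072": "disabled account", "0xc0000193": "expired account"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def failed_logins_per_user(events, threshold=3, window=timedelta(minutes=5)):
    """Rule 1: `threshold` or more 4625 events for the same username inside `window`.
    Returns the set of usernames that hit the threshold."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(_ts(e))
    hits = set()
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until the span fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(user)
                break
    return hits


def password_spraying(events, min_users=2, window=timedelta(minutes=5)):
    """Rule 2: `min_users` or more distinct usernames failing from the same source inside `window`.
    Returns {source: set of usernames seen in a qualifying window}."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append((_ts(e), e["user"]))
    hits = {}
    for src, items in by_src.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            users = {u for _, u in items[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = hits.get(src, set()) | users
    return hits


def disabled_or_expired_attempts(events):
    """Rules 3 and 4: any 4625 whose Sub Status is 0xC0000072 (disabled) or 0xC0000193 (expired)."""
    return [(e["user"], SUB_STATUS[e["sub_status"].lower()])
            for e in events if e["sub_status"].lower() in SUB_STATUS]


if __name__ == "__main__":
    print("failed logins per user:", failed_logins_per_user(SAMPLE_4625))
    print("password spraying:", password_spraying(SAMPLE_4625))
    print("disabled/expired:", disabled_or_expired_attempts(SAMPLE_4625))
```

The two windowed rules use a sliding window over events sorted by time rather than fixed buckets, so a burst that straddles a clock boundary is still counted; the exception lists the post mentions (Citrix servers, shared workstations) would be applied by filtering `src` before calling `password_spraying`.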

MALICIOUS SUCCESSFUL LOGINS (4624)

There are also some successful logins we want to look at for nefarious activity.

1. NON ALLOWED ACCOUNTS

Within your business you may have accounts which you do not want used for logging on directly (either via keyboard or virtual session). Most commonly these will be service and computer accounts.

  • Event ID = 4624
  • Logon Type is 2 or 10 (See more about logon types here – http://techgenix.com/logon-types/)
  • Username matches expression ^SVC.* or .*\$$ (This is looking for service or computer accounts)

2. LOGONS DIRECTLY TO DOMAIN CONTROLLER

If attackers are able to log in directly to your domain controllers then they truly have the keys to your kingdom. Monitor for this by looking for:

  • Event ID = 4624
  • Logon Type is 2 or 10
  • Logon target is a DC
  • NOT when user is a DC Admin

3. PASS THE HASH

Attackers use pass the hash to move laterally within networks. It allows them to steal other users' NTLM or LanMan hashes and then log in with them, rather than using passwords.

  • Event ID = 4624
  • Logon Type is 3
  • Logon Process is NtLmSsp
  • SubjectUserSID is S-1-0-0
  • KeyLength is 0

OR (Other Pass the Hash variant, sometimes called OVERPASS the Hash)

  • Event ID = 4624
  • Logon Type is 9
  • Logon Process is seclogo
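The three successful-logon rules above (non-allowed accounts, direct DC logons, and both pass-the-hash variants) as an added example over constructed 4624 events; it is not code from the original post. The field names, the `DOMAIN_CONTROLLERS` set and the `DC_ADMINS` allow list are assumptions you would replace with your own asset and group data.

```python
import re

# Assumed environment data: which hosts are DCs and which accounts are DC admins.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
DC_ADMINS = {"dcadmin1"}

# The post's expression: service accounts starting with SVC, or computer accounts ending in $.
NON_ALLOWED = re.compile(r"^SVC.*|.*\$$")

# Constructed sample 4624 (successful logon) events, not real log data.
SAMPLE_4624 = [
    {"user": "SVC_backup", "logon_type": 2, "target": "WS01", "logon_process": "User32", "subject_sid": "S-1-5-18", "key_length": 128},
    {"user": "WS07$", "logon_type": 10, "target": "WS07", "logon_process": "User32", "subject_sid": "S-1-5-18", "key_length": 128},
    {"user": "jsmith", "logon_type": 10, "target": "DC01", "logon_process": "User32", "subject_sid": "S-1-5-18", "key_length": 128},
    {"user": "dcadmin1", "logon_type": 10, "target": "DC01", "logon_process": "User32", "subject_sid": "S-1-5-18", "key_length": 128},
    # NTLM network logon with the pass-the-hash field combination from the post.
    {"user": "jsmith", "logon_type": 3, "target": "FS01", "logon_process": "NtLmSsp ", "subject_sid": "S-1-0-0", "key_length": 0},
    # Ordinary NTLM network logon: KeyLength is non-zero, so it should not fire.
    {"user": "jsmith", "logon_type": 3, "target": "FS01", "logon_process": "NtLmSsp ", "subject_sid": "S-1-0-0", "key_length": 128},
    # Overpass-the-hash variant: logon type 9 with the seclogo logon process.
    {"user": "bjones", "logon_type": 9, "target": "WS03", "logon_process": "seclogo", "subject_sid": "S-1-5-21-1-2-3-1001", "key_length": 0},
    {"user": "bjones", "logon_type": 2, "target": "WS03", "logon_process": "User32", "subject_sid": "S-1-5-18", "key_length": 128},
]


def _interactive(event):
    # Logon types 2 (interactive) and 10 (remote interactive), as used by rules 1 and 2.
    return event["logon_type"] in (2, 10)


def non_allowed_interactive_logons(events):
    """Rule 1: service or computer accounts logging on interactively."""
    return [e["user"] for e in events if _interactive(e) and NON_ALLOWED.match(e["user"])]


def dc_logons_by_non_admins(events):
    """Rule 2: interactive logons to a DC by anyone outside the DC admin list."""
    return [(e["user"], e["target"]) for e in events
            if _interactive(e) and e["target"] in DOMAIN_CONTROLLERS and e["user"] not in DC_ADMINS]


def pass_the_hash_candidates(events):
    """Rule 3: the two field combinations the post gives for pass-the-hash and overpass-the-hash."""
    hits = []
    for e in events:
        # The Logon Process field is compared stripped and case-insensitively because
        # the event text sometimes carries trailing whitespace.
        process = e["logon_process"].strip().lower()
        if (e["logon_type"] == 3 and process == "ntlmssp"
                and e["subject_sid"] == "S-1-0-0" and e["key_length"] == 0):
            hits.append((e["user"], "pass-the-hash"))
        elif e["logon_type"] == 9 and process == "seclogo":
            hits.append((e["user"], "overpass-the-hash"))
    return hits


if __name__ == "__main__":
    print("non-allowed:", non_allowed_interactive_logons(SAMPLE_4624))
    print("DC logons:", dc_logons_by_non_admins(SAMPLE_4624))
    print("PtH:", pass_the_hash_candidates(SAMPLE_4624))
```

The pass-the-hash rule is a field-pattern heuristic, so expect to add exceptions for hosts that legitimately produce NTLM network logons with an empty key length; treating the output as a triage queue rather than a verdict is the safer framing.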

ACCOUNT CREATED AND DELETED IN SHORT PERIOD OF TIME


To avoid detection and to hamper forensics, attackers sometimes create a user account, perform the malicious behaviour and then delete the account. We can look for this and investigate further.

  • Event ID 4726 (User Account Deleted)
  • within 24 hours of
  • Event ID 4720 (User Account Created)
  • With the same username
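The 4720/4726 correlation described above as an added example, not code from the post: it replays constructed account events in time order, remembers each creation, and reports any deletion of the same username within the 24-hour limit. The `by` field (the subject who performed the action) is an assumed name for that attribute of the event.

```python
from datetime import datetime, timedelta

# Constructed sample 4720 (created) and 4726 (deleted) events, not real log data.
# "by" stands in for the Subject account that performed the action.
SAMPLE_ACCOUNT_EVENTS = [
    {"ts": "2024-01-10T08:00:00", "event_id": 4720, "user": "tmpadmin", "by": "jsmith"},
    {"ts": "2024-01-10T11:30:00", "event_id": 4726, "user": "tmpadmin", "by": "jsmith"},
    {"ts": "2024-01-10T09:00:00", "event_id": 4720, "user": "newhire", "by": "hr_svc"},
    {"ts": "2024-01-15T09:00:00", "event_id": 4726, "user": "newhire", "by": "hr_svc"},
    # Deletion with no matching creation in the data set: ignored by the rule.
    {"ts": "2024-01-12T09:00:00", "event_id": 4726, "user": "leaver", "by": "hr_svc"},
]


def short_lived_accounts(events, max_age=timedelta(hours=24)):
    """Return accounts deleted (4726) within `max_age` of being created (4720), same username."""
    created = {}   # username (lower-cased) -> (creation time, creator)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        name = e["user"].lower()       # AD usernames are case-insensitive
        t = datetime.fromisoformat(e["ts"])
        if e["event_id"] == 4720:
            created[name] = (t, e["by"])
        elif e["event_id"] == 4726 and name in created:
            created_at, creator = created.pop(name)
            if t - created_at <= max_age:
                hits.append({"user": e["user"], "created_by": creator,
                             "deleted_by": e["by"], "lifetime": t - created_at})
    return hits


if __name__ == "__main__":
    for hit in short_lived_accounts(SAMPLE_ACCOUNT_EVENTS):
        print(hit)
```

Keeping the creator and deleter in the result lets the analyst see straight away whether the same account performed both actions, which is usually the first question asked when this rule fires.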

MALICIOUS AD SYNCS

Threat actors during most attacks will try to enumerate user information from DCs. There are a few different ways we can look for this.

1. MIMIKATZ DC SYNC

Luckily for us, when someone uses Mimikatz to perform a DCSync it has typical behaviour.

  • Event ID = 4662 (An operation was performed on an object)
  • Properties = Replicating Directory Changes All* OR 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*
  • Not when the account is NT AUTHORITY or matches the expression .*\$$ (a computer account)

2. AD REPLICATION FROM NON MACHINE ACCOUNT

  • Event ID = 4662
  • AccessMask is 0x100
  • Properties contains 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 OR 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 OR 89e95b76-444d-4c62-991a-0facbeda640c

3. AD SYNC VIA NEW SPN (SERVICE PRINCIPAL NAME)

  • Event ID = 4742 (A computer account was changed)
  • Service Principal Name matches expression *GC/*

4. DCSYNC BEING GRANTED TO STANDARD USER

  • Event ID = 5136 (A directory service object was modified)
  • LDAPDisplayName is ntSecurityDescriptor
  • Properties contains 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 OR 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 OR 89e95b76-444d-4c62-991a-0facbeda640c
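The DCSync rules 1, 2 and 4 above as an added example over constructed 4662 and 5136 events (not code from the post). The three replication-right GUIDs are the ones listed on the page; the sample properties strings, the account names and the field names `account`, `access_mask`, `properties`, `ldap_display_name` and `value` are constructed stand-ins for the SIEM's own fields.

```python
import re

# Extended rights GUIDs from the post, mapped to their names for readable alerts.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
COMPUTER_ACCOUNT = re.compile(r".*\$$")   # the post's expression for machine accounts

# Constructed sample events, not real log data.
SAMPLE_DS_EVENTS = [
    # Legitimate replication by another DC: excluded by the machine-account rule.
    {"event_id": 4662, "account": "DC02$", "access_mask": "0x100",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # The behaviour the post describes: a normal user with the replication rights.
    {"event_id": 4662, "account": "jsmith", "access_mask": "0x100",
     "properties": "Replicating Directory Changes All {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"event_id": 4662, "account": "NT AUTHORITY\\SYSTEM", "access_mask": "0x100",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated property access (constructed GUID): should not fire.
    {"event_id": 4662, "account": "bjones", "access_mask": "0x20",
     "properties": "{12345678-1234-1234-1234-123456789abc}"},
    # ntSecurityDescriptor change granting Get-Changes-All to a user (constructed SDDL fragment).
    {"event_id": 5136, "account": "jsmith", "ldap_display_name": "ntSecurityDescriptor",
     "value": "O:DAG:DAD:(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"},
    {"event_id": 5136, "account": "jsmith", "ldap_display_name": "description", "value": "Finance"},
]


def replication_rights(text):
    """Names of any replication-right GUIDs present in a properties or descriptor string."""
    low = text.lower()
    rights = {name for guid, name in REPLICATION_GUIDS.items() if guid in low}
    if "replicating directory changes all" in low:   # rule 1's textual form
        rights.add("DS-Replication-Get-Changes-All")
    return rights


def dcsync_candidates(events):
    """Rules 1 and 2: 4662 with control access (0x100) to replication rights,
    excluding computer accounts and NT AUTHORITY."""
    hits = []
    for e in events:
        if e["event_id"] != 4662:
            continue
        rights = replication_rights(e["properties"])
        if not rights or not int(e["access_mask"], 16) & 0x100:
            continue
        acct = e["account"]
        if COMPUTER_ACCOUNT.match(acct) or acct.upper().startswith("NT AUTHORITY"):
            continue
        hits.append((acct, sorted(rights)))
    return hits


def dcsync_rights_granted(events):
    """Rule 4: 5136 modifying ntSecurityDescriptor with a replication GUID in the new value."""
    return [(e["account"], sorted(replication_rights(e["value"])))
            for e in events
            if e["event_id"] == 5136
            and e["ldap_display_name"].lower() == "ntsecuritydescriptor"
            and replication_rights(e["value"])]


if __name__ == "__main__":
    print("DCSync:", dcsync_candidates(SAMPLE_DS_EVENTS))
    print("rights granted:", dcsync_rights_granted(SAMPLE_DS_EVENTS))
```

Matching on the GUIDs rather than on the display names keeps the rule working when the SIEM's parser leaves the properties field as raw GUID lists, and rule 4 firing before rule 1 or 2 is the useful ordering: the grant is the earlier, quieter step.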

HIGH NUMBER OF ACCOUNT LOCKOUTS


High numbers of accounts being locked out can indicate brute force attempts on a network.

  • Event ID = 4740
  • Same Source
  • 10 Events within 3 hours (May have to change thresholds to suit your business)

NEW / REMOVED / MODIFIED TRUSTED DOMAIN

Trusted domain information being added, modified or removed should be alerted on and checked.

  • Event ID = 4706 OR 4707 OR 4716

Any of these changes happening should be verified, as these sometimes trigger when malicious actors attempt to perform various behaviours.

DOMAIN OR KERBEROS POLICY CHANGED

Policy changes should be treated the same as above. Any changes should be alerted on and checked.

  • Event ID = 4713 or 4739
  • Change field is not “–” (a dash in the change field means nothing actually changed)

DPAPI KEY MANIPULATION


The DPAPI (Data Protection Application Programming Interface) key is used to encrypt user details. Threat actors may attempt to attack the DPAPI on the Domain Controllers to gain further access. Any triggers of the below should be investigated urgently.

1. Extracting backup key

  • Event ID = 4662 (An operation was performed on an object)
  • Object Type = SecretObject
  • Access Mask is 0x2
  • Object Name is BCKUPKEY

2. Backup of backup key

  • Event ID = 4692 (Backup of data protection master key was attempted)

There we go. 18 ways to detect malicious behaviour in your Active Directory logs using SIEM. One of my next articles is going to cover other Windows use cases so if you think I have missed something here, it is likely to be in there. Thanks for reading, if you have any further questions – contact me at https://blueteamblog.com/contact-me
