Try in Splunk Security Cloud

Description

Monitor for activities and techniques associated with Windows Active Directory persistence techniques.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Change, Endpoint, Network_Traffic
  • Last Updated: 2022-08-29
  • Author: Dean Luxton, Mauricio Velazco, Splunk
  • ID: f676c4c1-c769-4ecb-9611-5fd85b497c56

Narrative

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.
In 2015 Active Directory security researcher Sean Metcalf published a blog post titled Sneaky Active Directory Persistence Tricks. In this blog post, Sean described several methods through which an attacker could persist administrative access on an Active Directory network after having Domain Admin level rights for a short period of time. At the time of writing, 8 years after the initial blog post, most of these techniques are still possible since they abuse legitimate administrative functionality and not software vulnerabilities. Security engineers defending Active Directory networks should be aware of these technique available to adversaries post exploitation and deploy both preventive and detective security controls for them.
This analytic story groups detection opportunities for most of the techniques described on Seans blog post as well as other high impact attacks against Active Directory networks and Domain Controllers like DCSync and DCShadow. For some of these detection opportunities, it is necessary to enable the necessary GPOs and SACLs required, otherwise the event codes will not trigger. Each detection includes a list of requirements for enabling logging.

Detections

Name Technique Type
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Windows AD AdminSDHolder ACL Modified Event Triggered Execution TTP
Windows AD Cross Domain SID History Addition SID-History Injection, Access Token Manipulation TTP
Windows AD DSRM Account Changes Account Manipulation TTP
Windows AD DSRM Password Reset Account Manipulation TTP
Windows AD Domain Controller Audit Policy Disabled Disable or Modify Tools TTP
Windows AD Domain Controller Promotion Rogue Domain Controller TTP
Windows AD Domain Replication ACL Addition Domain Policy Modification TTP
Windows AD Privileged Account SID History Addition SID-History Injection, Access Token Manipulation TTP
Windows AD Replication Request Initiated by User Account DCSync, OS Credential Dumping TTP
Windows AD Replication Request Initiated from Unsanctioned Location DCSync, OS Credential Dumping TTP
Windows AD Replication Service Traffic OS Credential Dumping, DCSync, Rogue Domain Controller TTP
Windows AD Rogue Domain Controller Network Activity Rogue Domain Controller TTP
Windows AD SID History Attribute Modified Access Token Manipulation, SID-History Injection TTP
Windows AD Same Domain SID History Addition SID-History Injection, Access Token Manipulation TTP
Windows AD ServicePrincipalName Added To Domain Account Account Manipulation TTP
Windows AD Short Lived Domain Account ServicePrincipalName Account Manipulation TTP
Windows AD Short Lived Domain Controller SPN Attribute Rogue Domain Controller TTP
Windows AD Short Lived Server Object Rogue Domain Controller TTP
Windows Admon Default Group Policy Object Modified Domain Policy Modification, Group Policy Modification TTP
Windows Admon Group Policy Object Created Domain Policy Modification, Group Policy Modification TTP
Windows Default Group Policy Object Modified Domain Policy Modification, Group Policy Modification TTP
Windows Default Group Policy Object Modified with GPME Domain Policy Modification, Group Policy Modification TTP
Windows Group Policy Object Created Domain Policy Modification, Group Policy Modification, Domain Accounts TTP
Windows Security Support Provider Reg Query Security Support Provider, Boot or Logon Autostart Execution Anomaly

Reference

source | version: 1