Description

Monitor for activities and techniques associated with persistence in Windows Active Directory environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Authentication, Change, Endpoint, Network_Traffic
  • Last Updated: 2024-03-14
  • Author: Dean Luxton, Mauricio Velazco, Splunk
  • ID: f676c4c1-c769-4ecb-9611-5fd85b497c56

Narrative

Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Active Directory is a centralized and hierarchical database that stores information about users, computers, and other resources on a network. It provides secure and efficient management of these resources and enables administrators to enforce security policies and delegate administrative tasks.
In 2015 Active Directory security researcher Sean Metcalf published a blog post titled "Sneaky Active Directory Persistence Tricks". In it, Sean described several methods through which an attacker who holds Domain Admin rights for even a short period can persist administrative access on an Active Directory network. At the time of writing, 8 years after that post, most of these techniques still work, because they abuse legitimate administrative functionality rather than software vulnerabilities, so there is no patch that removes them. Security engineers defending Active Directory networks should be aware of these post-exploitation techniques and deploy both preventive and detective controls for them.
This analytic story groups detection opportunities for most of the techniques described in Sean's blog post, together with other high-impact attacks against Active Directory and Domain Controllers such as DCSync and DCShadow. Several of these detections depend on audit events that Windows does not emit by default: the relevant audit policies (typically deployed via GPO) and the SACLs on the audited directory objects must be enabled first, otherwise the expected event codes are never generated and the searches return nothing. Each detection lists the logging requirements it depends on.
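The DCSync-related detections in this story key on Security event 4662 and the control-access-right GUIDs for directory replication, and they exclude the sanctioned Domain Controller machine accounts so that normal DC-to-DC replication does not alert. The following Python is an added example of that logic, not the story's own SPL or any Splunk code; it runs the check over a few constructed 4662 records. The field names (EventCode, Keywords, SubjectUserName, ObjectName, Properties) are assumed to follow the Windows Security log as extracted by Splunk, and the DC name list is an assumed allowlist that a real deployment would populate from its own inventory.

```python
import re
from dataclasses import dataclass, field

# Control-access-right GUIDs needed to pull replication data from a DC.
# A DCSync request for the domain naming context asks for one or more of
# these; the first two are what is needed to replicate credential secrets.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)


@dataclass
class Alert:
    account: str
    object_name: str
    rights: list = field(default_factory=list)


def replication_rights(properties: str) -> list:
    """Return the replication rights named (as GUIDs) in a 4662 Properties field."""
    found = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name and name not in found:
            found.append(name)
    return found


def is_sanctioned_dc(account: str, dc_names: set) -> bool:
    """Machine accounts end in '$'; only known DCs' machine accounts may replicate."""
    allow = {n.upper() for n in dc_names}
    return account.endswith("$") and account.rstrip("$").upper() in allow


def detect_dcsync(events, dc_names):
    """Flag successful 4662 events where a non-DC principal obtained replication rights."""
    alerts = []
    for ev in events:
        # Only successful directory-service access audits matter; a denied
        # request did not return any replication data.
        if ev.get("EventCode") != 4662 or ev.get("Keywords") != "Audit Success":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue
        account = ev["SubjectUserName"]
        if is_sanctioned_dc(account, dc_names):
            continue
        alerts.append(Alert(account, ev.get("ObjectName", ""), rights))
    return alerts


# Constructed sample events (not real telemetry). The assumed DC allowlist
# would come from the environment's inventory in a real deployment.
DC_NAMES = {"DC01", "DC02"}
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication from a sanctioned machine account: ignored.
    {"EventCode": 4662, "Keywords": "Audit Success", "SubjectUserName": "DC02$",
     "ObjectName": "DC=corp,DC=example",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # DCSync from a compromised user account requesting both secret-replication rights: alert.
    {"EventCode": 4662, "Keywords": "Audit Success", "SubjectUserName": "jdoe",
     "ObjectName": "DC=corp,DC=example",
     "Properties": "Control Access {1131F6AA-9C07-11D1-F79F-00C04FC2DCD2} "
                   "{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"},
    # Same user touching an unrelated (constructed) property GUID: ignored.
    {"EventCode": 4662, "Keywords": "Audit Success", "SubjectUserName": "jdoe",
     "ObjectName": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "Properties": "Read Property {deadbeef-0000-4000-8000-000000000001}"},
    # Denied replication attempt: no data left the DC, so not alerted here.
    {"EventCode": 4662, "Keywords": "Audit Failure", "SubjectUserName": "svc_backup",
     "ObjectName": "DC=corp,DC=example",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # A machine account that is not a known DC obtaining replication rights: alert.
    {"EventCode": 4662, "Keywords": "Audit Success", "SubjectUserName": "WS42$",
     "ObjectName": "DC=corp,DC=example",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated logon event: ignored.
    {"EventCode": 4624, "Keywords": "Audit Success", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_EVENTS, DC_NAMES):
        print(f"ALERT {a.account} obtained {', '.join(a.rights)} on {a.object_name}")
```

The allowlist is what separates "Replication Request Initiated by User Account" from the "Unsanctioned Location" variant: the former excludes any DC machine account, the latter additionally checks the source host or address, which the sample events above do not carry. Note that none of these events exist unless the Directory Service Access audit subcategory is enabled and the domain naming context carries a SACL auditing the replication control-access rights.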

Detections

Name | Technique | Type
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Windows AD AdminSDHolder ACL Modified | Event Triggered Execution | TTP
Windows AD Cross Domain SID History Addition | SID-History Injection, Access Token Manipulation | TTP
Windows AD DSRM Account Changes | Account Manipulation | TTP
Windows AD DSRM Password Reset | Account Manipulation | TTP
Windows AD Domain Controller Audit Policy Disabled | Disable or Modify Tools | TTP
Windows AD Domain Controller Promotion | Rogue Domain Controller | TTP
Windows AD Domain Replication ACL Addition | Domain Policy Modification | TTP
Windows AD Privileged Account SID History Addition | SID-History Injection, Access Token Manipulation | TTP
Windows AD Replication Request Initiated by User Account | DCSync, OS Credential Dumping | TTP
Windows AD Replication Request Initiated from Unsanctioned Location | DCSync, OS Credential Dumping | TTP
Windows AD Replication Service Traffic | OS Credential Dumping, DCSync, Rogue Domain Controller | TTP
Windows AD Rogue Domain Controller Network Activity | Rogue Domain Controller | TTP
Windows AD SID History Attribute Modified | Access Token Manipulation, SID-History Injection | TTP
Windows AD Same Domain SID History Addition | SID-History Injection, Access Token Manipulation | TTP
Windows AD ServicePrincipalName Added To Domain Account | Account Manipulation | TTP
Windows AD Short Lived Domain Account ServicePrincipalName | Account Manipulation | TTP
Windows AD Short Lived Domain Controller SPN Attribute | Rogue Domain Controller | TTP
Windows AD Short Lived Server Object | Rogue Domain Controller | TTP
Windows Admon Default Group Policy Object Modified | Domain Policy Modification, Group Policy Modification | TTP
Windows Admon Group Policy Object Created | Domain Policy Modification, Group Policy Modification | TTP
Windows Default Group Policy Object Modified | Domain Policy Modification, Group Policy Modification | TTP
Windows Default Group Policy Object Modified with GPME | Domain Policy Modification, Group Policy Modification | TTP
Windows Group Policy Object Created | Domain Policy Modification, Group Policy Modification, Domain Accounts | TTP
Windows Security Support Provider Reg Query | Security Support Provider, Boot or Logon Autostart Execution | Anomaly

Reference

source | version: 2