Tryhackme

Advent of Cyber 2024 — Day 15 Active Directory

The SOC team at Wareville identified unusual activity on their Active Directory (AD) Domain Controller during a routine security check. A breach seemed imminent, and the task was to investigate and mitigate the attack.

Odiomonafe Jamal . A
2 min read · Just now

Active Directory Overview

Active Directory is a directory service used to manage network resources efficiently. It is built from the following components:

  • Domains: Logical groupings of network resources subject to shared security policies.
  • Organizational Units (OUs): Containers grouping objects based on departments or functions.
  • Forest: The highest-level container encompassing domains sharing the same schema and global catalog.
  • Trust Relationships: Enable cross-domain resource access.

Key features of AD:

  • Domain Controllers (DCs): Servers hosting the AD database and managing authentication.
  • Global Catalog: Enables searching for objects across domains.
  • LDAP: Protocol for directory access and modifications.
  • Kerberos: Default secure authentication protocol.

Common Active Directory Attacks

  1. Golden Ticket Attack: Forges Kerberos TGTs using the krbtgt account's password hash to impersonate any account.
  2. Pass-the-Hash: Uses stolen NTLM password hashes for authentication without knowing the plaintext password.
  3. Kerberoasting: Requests service tickets for accounts with a Service Principal Name (SPN) and cracks the service account passwords offline.
  4. Pass-the-Ticket: Steals and reuses Kerberos tickets for authentication.
  5. Malicious GPOs: Abuse Group Policy for persistence or malware distribution.
  6. Skeleton Key Attack: Patches the Domain Controller's authentication process so that a master password is accepted for any account.

Investigative Procedures

1. Reviewing Group Policy Objects (GPOs)

Using PowerShell:

  • List GPOs:
Get-GPO -All
  • Export a GPO for analysis:
Get-GPOReport -Name "SetWallpaper" -ReportType HTML -Path ".\SetWallpaper.html"
  • Identify recently modified GPOs (most recent first):
Get-GPO -All | Sort-Object ModificationTime -Descending | Select-Object DisplayName, ModificationTime

2. Event Viewer Analysis

Analyzing security logs using notable Event IDs:

  • 4624: Successful login.
  • 4625: Failed login attempt.
  • 4672: Assignment of special privileges.
  • 4768: Kerberos TGT request.

3. User Auditing

  • Locked Accounts:
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LockedOut, LastLogonDate, DistinguishedName
  • List Users and Groups:
Get-ADUser -Filter * -Properties MemberOf | Select-Object Name, SamAccountName, @{Name="Groups";Expression={$_.MemberOf}}

4. Reviewing PowerShell History and Logs

  • History File: %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
  • PowerShell Logs: Event Viewer, under Application and Services Logs -> Microsoft -> Windows -> PowerShell -> Operational.
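As an added example (not part of the THM room or this write-up), the following PowerShell script runs the four review steps above in one pass on the Domain Controller. It assumes the RSAT GroupPolicy and ActiveDirectory modules, an elevated session that can read the Security log, a seven-day look-back window, and the account name Glitch_Malware taken from this write-up; Event 4104 (script block logging) is a real PowerShell Operational event that the page does not list.

```powershell
param(
    [string]$Account = 'Glitch_Malware',  # account named in this write-up
    [int]$Days = 7                         # assumed look-back window
)
Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop
$since = (Get-Date).AddDays(-$Days)

# 1. GPOs modified inside the window, newest first.
"== GPOs modified since $since =="
Get-GPO -All | Where-Object { $_.ModificationTime -ge $since } |
    Sort-Object ModificationTime -Descending |
    Select-Object DisplayName, Owner, CreationTime, ModificationTime | Format-Table -AutoSize

# 2. Security log: 4624/4625/4672 involving the account. 4672 names the account in
#    SubjectUserName rather than TargetUserName, so EventData is parsed generically.
"== Security events (4624/4625/4672) for $Account since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4672; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -eq $Account -or $d['SubjectUserName'] -eq $Account) {
            [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; LogonType = $d['LogonType']; Source = $d['IpAddress'] }
        }
    } | Sort-Object Time -Descending | Format-Table -AutoSize

# 3. PSReadLine history of every profile, filtered to AD/GPO cmdlets worth a second look.
$pattern = 'Get-ADUser|Set-ADAccountPassword|New-GPO|Set-GPLink|Invoke-GPUpdate'
"== History lines matching $pattern =="
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
    Select-String -Pattern $pattern |
    Select-Object @{ n = 'Profile'; e = { $_.Path.Split('\')[2] } }, LineNumber, Line | Format-Table -AutoSize

# 4. PowerShell Operational log. Event 4104 (script block logging, not listed in the
#    write-up) records the script text itself, which is where an inline password shows up.
"== Script blocks (4104) matching $pattern since $since =="
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $pattern } |
    Select-Object TimeCreated, @{ n = 'UserSid'; e = { $_.UserId } },
        @{ n = 'Script'; e = { ($_.Message -split "`r?`n")[1].Trim() } } | Format-Table -Wrap
```

Step 4 only returns results if script block logging is enabled on the host, which is itself worth checking as a hardening item.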

Tasks

1. Security Log Analysis

  • Last Login of Glitch_Malware: 07/11/2024.
  • Event ID for Login: 4624.

2. PowerShell Command History

  • Command Used to Enumerate AD Users:
Get-ADUser -Filter * -Properties MemberOf | Select-Object Name

3. PowerShell Logs

  • Password Set by Glitch_Malware: SuperSecretP@ssw0rd!.

4. Malicious GPO

  • Name of Installed GPO: Malicious GPO - Glitch_Malware Persistence.

Key Learnings

  1. Regular auditing of GPOs and Event Logs is essential to identify unusual activities.
  2. Strong password policies and secure configurations mitigate common AD attacks.
  3. PowerShell history and logs are critical for identifying malicious commands and activity.
  4. Implementing security features like MFA and monitoring Kerberos tickets can reduce attack risks.
