Automatically generated based on tag:
Title | Type | Summary | Location |
---|---|---|---|
Active Directory Domain Services (Domain Controllers) replication metadata | Page | The Active Directory replication metadata hold information about change made on an Active Directory object. The replication metadata is used by the Domain Controllers to replicate modifications and, as so, only attributes that are replicated will be logged in the replication metadata. Every object within Active Directory stores replication metadata, in their "msDS-ReplAttributeMetaData" (for regular attributes) and "msDS-ReplValueMetaData" (for linked attributes) attributes. |
Replicated attributes of interest: - adminCount - lastLogonTimestamp - member - msDS-AllowedToDelegateTo - nTSecurityDescriptor - primaryGroupID - scriptPath - servicePrincipalName - sIDHistory - userPrincipalName |
ETW - Active Directory Domain Services (Domain Controllers) ntds.dit dumping | Page | Secrets stored in the Active Directory database (ntds.dit) can be retrieved a number of ways: - By leveraging the DRSUAPI replication functions, normally used by Domain Controllers to replicate objects (replicated) properties. This attack can be conducted over the network (with out executing code on a Domain Controller) and is known as "DCSync". - By executing code / commands on a Domain Controller and exfiltrating the ntds.dit database directly. While the ntds.dit database can be accessed and copied using various tools and techniques, the "ntdsutil" built-in administration utility is often leverage by threat actors to do so. |
DCSync (DRSUAPI): Channel: Security. Event: 4662 (Property "1131f6aa-9c07-11d1-f79f-00c04fc2dcd" or "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"). NTDS export using ntdsutil: Channel: ESENT (Application.evtx). Events: 206, 325, 326, 327 |
ETW - Authentication - Active Directory Domain Services (Domain Controllers) | Page | For authentication attempts from a source host to an Active Directory domain-joined destination host (which is not a Domain Controller). Main events: Event ID 4624: "An account was successfully logged on", with LogonType 3 (only for a remote interactive logon on a domain-joined destination host). Event ID 4776 "The domain controller attempted to validate the credentials for an account", for NTLM authentication. Event 4768: "A Kerberos authentication ticket (TGT) was requested" and 4769: "A Kerberos service ticket was requested", for Kerberos tickets request and usage. Event 4771: "Kerberos pre-authentication failed", for authentication failures over Kerberos. |
Channel: Security. Events: 4776, 4768, 4769, 4771, 4624, 4625. |
User Access Logging / SUM | Page | Introduced in Windows Server 2012 and enabled by default, User Access Logging (UAL) is a feature that consolidates data on user access to Windows Server roles (such as "Active Directory Domain Services" on Domain Controllers). UAL store data for the 2 years. Information of interest: - Accessed Windows Server role (such as ADDS, CIFS, ADCS, etc.) - The client domain and username. The client IPv4 or IPv6 address. - First, last, and daily access timestamps. - Total number of access. As machine accounts of domain-joined systems also authenticate to ADDS, UAL of Domain Controllers can be used to map hostnames with past IP addresses. |
Files under <SYSTEMROOT>\System32\Logfiles\SUM\ folder: Current.mdb (data for the last 24-hours). Up to three "<GUID>.mdb" files (current year and history up to 2 years). Systemidentity.mdb (mapping on roles GUIDs and names). |
View on GitHub