Automatically generated based on tag:

Each entry below lists the page title, its type, a summary, and its location (the log channels, events, attributes, or file paths to look at).
Title: Active Directory Certificate Services
Type: Page
Summary: Active Directory Certificate Services (AD CS) is a Windows Server role for issuing and managing Public Key Infrastructure (PKI) certificates used in secure communication and authentication protocols.

In the last few years, a number of possible AD CS misconfigurations leading to privilege escalation and persistence in an Active Directory environment have been published by security researchers and exploited by threat actors.

Title: Active Directory Domain Services (Domain Controllers) replication metadata
Type: Page
Summary: The Active Directory replication metadata holds information about changes made to an Active Directory object. The replication metadata is used by the Domain Controllers to replicate modifications and, as such, only attributes that are replicated are recorded in the replication metadata.
Every object within Active Directory stores its replication metadata in its "msDS-ReplAttributeMetaData" (for regular attributes) and "msDS-ReplValueMetaData" (for linked attributes) attributes.
Location: Replicated attributes of interest:
- adminCount
- lastLogonTimestamp
- member
- msDS-AllowedToDelegateTo
- nTSecurityDescriptor
- primaryGroupID
- scriptPath
- servicePrincipalName
- sIDHistory
- userPrincipalName
Title: ETW - Active Directory Domain Services (Domain Controllers) ntds.dit dumping
Type: Page
Summary: Secrets stored in the Active Directory database (ntds.dit) can be retrieved in a number of ways:

- By leveraging the DRSUAPI replication functions, normally used by Domain Controllers to replicate the (replicated) properties of objects. This attack can be conducted over the network (without executing code on a Domain Controller) and is known as "DCSync".

- By executing code/commands on a Domain Controller and exfiltrating the ntds.dit database directly. While the ntds.dit database can be accessed and copied using various tools and techniques, the "ntdsutil" built-in administration utility is often leveraged by threat actors to do so.
Location:
DCSync (DRSUAPI):
Channel: Security.
Event: 4662 (Property "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" or "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2").

NTDS export using ntdsutil:
Channel: ESENT (Application.evtx).
Events: 206, 325, 326, 327
Title: ETW - Active Directory Domain Services (Domain Controllers) RBCD detections
Type: Page
Summary: Resource-based constrained delegation (RBCD), introduced in Windows Server 2012, moves the trust decision in Kerberos delegation to the final resources. Instead of trusting a service account to impersonate other users to destination services, service accounts can specifically authorize other services to authenticate using delegated service tickets. The authorized services are identified, by their SPN, in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the final services.

The first step of the RBCD attack is usually the modification of an object's "msDS-AllowedToActOnBehalfOfOtherIdentity" attribute, which generates an associated 5136 event.

The exploitation of the configured delegation relies on a first S4U2Self request and a subsequent S4U2Proxy request, each request generating a specific 4769 event.
Location:
Channel: Security.
Events: 5136 ("Attribute" field equal to "msDS-AllowedToActOnBehalfOfOtherIdentity"), 4769 (two separate events, for the S4U2Self and S4U2Proxy requests, the second event having a non-null "Transited Services" field).
Title: Microsoft Exchange
Type: Page
Summary: Microsoft Exchange is a complex mail server ecosystem, running exclusively on the Windows operating system. Microsoft Exchange logs telemetry and events in various text-based log files (100+) and EVTX event logs (40+).

The following sources of logs can be of forensic interest when investigating the compromise of a Microsoft Exchange server or account:
- Exchange IIS logs, which contain information on the HTTP requests made to the various Exchange HTTP web services.
- EVTX event logs, from Exchange ETW channels (such as the "MSExchange Management" channel) and from other providers, depending on the Windows logging configuration of the Exchange server.
- 20+ text-based log files, each associated with a given Exchange service.
Location:
Exchange IIS logs:
%SystemDrive%\inetpub\logs\LogFiles\W3SVC1 and W3SVC2 folders.

ETW channels:
MSExchange Management, for usage of cmdlets from the ExchangePowerShell module (which interact with the Exchange Web Services API).
Microsoft-Windows-Windows Defender/Operational, events 1006 / 1116 and 1007 / 1117, for detections of suspicious behavior related to Exchange.
Security event 4688, if "Audit Process Creation" is enabled, to identify suspicious processes spawned by the Exchange IIS process.

Exchange components (EWS, ECP, OWA, ExchangePowerShell, ActiveSync, MAPI, etc.) text-based logs:
%SystemDrive%\Program Files\Microsoft\Exchange Server\V15\Logging and TransportRoles folders.
Title: Procedure - Active Directory Domain Services NTDS offline mounting
Type: Page
Summary: An exported NTDS database file can be mounted using dsamain, and then queried over LDAP or with PowerShell cmdlets through the "AD Web Services".
Location:
NTDS database location: %SystemRoot%\NTDS\ntds.dit

Commands for offline mounting:
esentutl /p <NTDS_DIT_PATH>
dsamain.exe -dbpath <NTDS_DIT_PATH> -ldapport 3266 -allownonadminaccess
