Cyber Forensics – Active Directory Investigation

Author:

In an industry running on Active Directory, if an espionage incident needs to be investigated, a critical analysis of the AD settings is essential. Active Directory is the backbone of identity for many organizations around the world, but it is often not managed well, which opens the door for attackers to compromise it in a minute or two. AD is full of delegated rights and permissions that grant privileges to security principals (user, group Managed Service Account, group and computer objects). Some permissions are more sensitive than others and should be reserved for privileged accounts. Let's look at which objects these sensitive permissions sit on. It depends on how your structure is designed and where you store your sensitive objects, but there are a couple of standard objects we need to check.
The following attack patterns are important to watch for:

    • Attackers that try to maintain long-term persistence
    • Applications/Service accounts delegated too much privilege
    • Escalation of Privileges

The following permissions are to be observed:
• Full Control on all objects
• Create Child Objects

    o Create new user accounts, groups etc.
    o Create dynamic objects, i.e. objects with a Time-To-Live that disappear when the TTL is met.

• All Extended Rights

    o Password Resets
    o Replicating Directory Changes All
    o Potential access to all confidential attributes.

• Extended Right: Replicating Directory Changes All

    o This extended right should ONLY be delegated to services that perform password synchronization, such as the Azure AD Connect tool or other services using DSgetNCChanges for password sync.
    o FIM/MIM does not need this permission.

• Reset Passwords
• Write Property to objects or sensitive attributes

    o Modify group memberships.
    o Write userPrincipalName.
    o Write altSecIdentities
    o Write userCertificate
    o Write userAccountControl.
    o Write servicePrincipalName.

• Write Public Information

    o Includes userPrincipalName.

• Write Membership

    o Includes member and memberOf.

• Write User Account Restrictions

    o Includes userAccountControl.

• Write userPrincipalName

    o Access to modify the userPrincipalName could let someone with a valid smart card log on as someone else, by making the SubjAltName field of the smart card match another Active Directory user account.

• Write userAccountControl

    o Allow blank password.
    o Downgrade Kerberos to DES only.
    o Enable/Disable accounts.
    o Store password using reversible encryption.

• Write msDS-SupportedEncryptionTypes

    o Downgrade Kerberos encryption.

• Write Permissions

    o Replace the current permissions with new, more relaxed ones, or grant access to a malicious account.

• Write servicePrincipalName

    o By adding a service principal name to an account, an attacker could potentially request a Kerberos service ticket (TGS) for the account, save the TGS to a file and crack the account's password offline, as long as RC4 Kerberos encryption is allowed.

• Take Ownership

    o Take ownership and then replace the current permissions with new, more relaxed ones, or grant access to a malicious account.

• Link Group Policy Object

    o Introduce new settings that grant access or deploy malicious code on the operating systems.
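A triage script in this spirit, added here as an example and not part of the original article: it resolves the GUIDs of the attributes, property sets and extended rights named above from the forest schema at run time (rather than hard-coding them), then lists which principals hold those rights on the domain root. It assumes the ActiveDirectory RSAT module (which provides the AD: drive), read access to the schema and CN=Extended-Rights, and the $expected list of principals is an assumption to tailor per forest.

```powershell
# Added example, not from the original article. Lists ACEs on an AD object that grant
# the sensitive rights discussed above, resolving attribute / extended-right GUIDs from
# the forest schema at run time instead of hard-coding them.
# Assumes: ActiveDirectory RSAT module (provides the AD: drive) and read access to the
# schema, CN=Extended-Rights and the target object's DACL.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Attributes whose WriteProperty is sensitive, plus the extended rights / property sets
# from the article (CN values as they appear under CN=Extended-Rights).
$attrNames  = 'member','userPrincipalName','altSecurityIdentities','userCertificate',
              'userAccountControl','servicePrincipalName','msDS-SupportedEncryptionTypes','gPLink'
$rightNames = 'DS-Replication-Get-Changes-All','User-Force-Change-Password',
              'Public-Information','Membership','User-Account-Restrictions'

# Build a GUID -> name map from schemaIDGUID (attributes) and rightsGuid (extended rights).
$guidMap = @{}
foreach ($a in $attrNames) {
    $o = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$a)" -Properties schemaIDGUID
    if ($o) { $guidMap[[guid]$o.schemaIDGUID] = $a }
}
foreach ($r in $rightNames) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(cn=$r)" -Properties rightsGuid
    if ($o) { $guidMap[[guid]$o.rightsGuid] = $r }
}

# Principals expected to hold these rights; anything else needs an explanation (assumption: tailor per forest).
$expected = 'NT AUTHORITY\SYSTEM','BUILTIN\Administrators','Domain Admins','Enterprise Admins','Enterprise Domain Controllers'

# Target: the domain root here; run the same over AdminSDHolder, admin OUs and the Domain Controllers OU.
$target = (Get-ADDomain).DistinguishedName
$acl    = Get-Acl -Path "AD:\$target"

$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and (
        $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner|CreateChild' -or
        ($_.ActiveDirectoryRights -match 'ExtendedRight|WriteProperty' -and
         ($_.ObjectType -eq [guid]::Empty -or $guidMap.ContainsKey($_.ObjectType))))
} | ForEach-Object {
    # An empty ObjectType means the right applies to all properties / all extended rights.
    $objName = if ($_.ObjectType -eq [guid]::Empty) { 'All' }
               elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
               else { $_.ObjectType.ToString() }
    $who = $_.IdentityReference.Value
    [pscustomobject]@{
        Identity   = $who
        Rights     = $_.ActiveDirectoryRights
        Object     = $objName
        Inherited  = $_.IsInherited
        Unexpected = -not ($expected | Where-Object { $who -like "*$_" })
    }
} | Sort-Object Unexpected, Identity -Descending | Format-Table -AutoSize
```

Rows flagged Unexpected are the ones to reconcile against change records: a non-admin principal holding WriteProperty on member, userAccountControl or servicePrincipalName, or DS-Replication-Get-Changes-All on the domain root, maps directly onto the persistence and escalation patterns above.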