What is Active Directory?
An important part of the IT infrastructure Active DirectoryIt is a directory service designed by Microsoft for Server and Client computer systems and includes systems such as server, client computer, user and printer.
Suspicious Behavior and Events in Active Directory
When monitoring movements on Active Directory (AD) servers, some behaviors and events may raise suspicion. Suspicious behavior and events that should be paid attention to and investigated include:
1. Failed User Login Attempts
- Event ID: 4625
- “x” failed login attempts in “x” minutes with the same username
- Failed login attempts, which can be a sign of brute force attacks, are something you should definitely pay attention to in AD. If someone keeps trying to log in and gives the wrong username or password every time, you're right to be suspicious. The most basic security measure you need to take here is to limit the number of entries. For example, after 3 unsuccessful login attempts, you should block the user for about 5 minutes.
2. Password Spraying
- Event ID = 4625
- Same Source
- 2 or more usernames within X minutes
In this case, which can also be a sign of brute force attacks, the request comes from the same source and contains 2 or more usernames. According to Active Directory rules, login restrictions may be applied to prevent such brute force attacks.
3. Request to Use a Disabled Account
- Event ID = 4625
- Sub Status Code: 0xC0000072
Attempting to use deactivated accounts may indicate malicious behavior or more likely former employees trying to log in. Attempts to log in to disabled accounts should be investigated.
4. Request to Use Invalid Account
- Event ID = 4625
- Sub Status Code: 0xC0000193
Similar to the previous one, attackers or former employees may try to access expired accounts.
5. Successful Malicious Logins
Active DirectoryAnother issue that should be taken into consideration is the situation in which the malware has infiltrated the system. At this stage, the presence of the pest can be detected from its movements.
5.1. Disallowed Accounts
- Event ID = 4624
- Username ^SVC. * or. Matches *\$.
To ensure system security, you may have restricted users from logging in with some accounts. If they log in with these accounts, the possibility of your system being infiltrated will increase considerably.
5.2. Logins Made Directly to Domain Controller
- Event ID = 4624
- Login Type 2 or 10
- The login target is a DC (Domain Controller).
- The user is not a DC administrator.
If attackers can directly access the domain controller in a system, this indicates the existence of a very serious security vulnerability.
5.3. Pass the Hash
- Event ID = 4624
- Login Type 3
- Login Process: NtLmSsp
- SubjectUserSID, S-1-0-0
- Key Length 0
Attackers use the hash values of passwords to move laterally into the network. Instead of using passwords, they enable other users to log in with NTLM or LanMan hash values, thanks to the hash values they obtain.
5.3. OverPass the Hash
- Event ID = 4624
- Login Type 9
- Login Process: seclogo
6. Harmful AD Syncs
In most attacks on a system, attackers try to enumerate user information from domain controllers. There are several different ways to detect the existence of such an enumeration:
6.1. Mimikatz DC SYNC
- Event ID = 4662 (The attacker performs the operation through an “object”)
- Features: Replicating Directory Changes All * OR 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 *
- Account is NT Authority, or matches *\$ when there is no matching expression.
If an attacker tries to use mimikatz on the domain controller, the above symptoms usually occur.
6.1. AD Identical Machine Account
- Event ID = 4662
- AccessMask 0x100
- Specifications: '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 OR 31 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' OR 89e95b76-444d-4c62-991a-0facbeda640c
6.2. AD Identical Machine Account
- Event ID = 4742 (A computer account is changed)
- The actual name of the service matches *GC/*.
6.2. Providing DCSYNC to Standard User
- Event ID = 5136 (A directory service object is modified)
- LDAPDisplayName is equal to “ntSecurityDescriptor”.
- Specifications: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 OR 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 OR 89e95b76-444d-4c62-991a-0facbeda640c
7. Large Number of Locked Accounts
If a large number of accounts are starting to crash on your network, this could be a sign of a “brute force attack.” Active directory information regarding the situation is as follows:
- Event ID = 4740
- Same Source
- More than 10 events in 3 hours. (You can change the breakpoints to suit your institution's policies.)
8. New / Changed / Removed Trusted Domain
- Event ID = 4706 Or 4707 Or 4716
If a domain name is new, changed or removed, necessary checks must be made. Since sometimes attackers can also carry out operations against the domain, it should be verified that trusted people made these changes.
9. Domain or Kerberos Policy Change
Not only changes to the domain, but also changes to domain or Kerberos policies must be controlled.
- Event ID = 4713 or 4739
10. DPAPI Key Management
DPAPI (Data Protection Application Programming Interface) Key is used to encrypt user details. Attackers may try to attack DPAPI in the Domain Controller to gain greater access to the system. The following incident situations should also be investigated urgently.
10.1. Removing the Spare Key
- Event ID = 4662 (An operation is performed on an object)
- Object Type = SecretObjec
- Access Mask 0x2
- Object Name BCKUPKEY
S10.2. Backing Up the Spare Key
Event ID = 4692 (A backup of the data protection master key is taken or an attempt is made)
Each of the above events are situations that can occur if an attacker attacks your system. described here Suspicious events in the Active Directory environment should be considered and necessary precautions should be taken.