
10/2/2018

4 Threat Detections using Active Directory Authentication Events from the Windows Security Log
Sponsored by Quest
© 2018 Monterey Technology Group Inc.
Preview of key points
• Authentication protocols
• Events generated by each protocol
• Threat detection using the events
• Quest Change Auditor does the heavy lifting

Understanding the Events
• Authentication protocols
  • Kerberos
  • NTLM
[Diagram, built up over several slides: a user logs on at a Workstation and then accesses a shared folder on a File Server, which is a network logon. A Domain Controller hosting Active Directory sits behind both.]

Kerberos
Assuming we are using Kerberos, what's happening behind the scenes?
• Logon at the Workstation: the Workstation's Security Log records 4624, Logon Type 2 (interactive).
• Domain Controller (Security Log): the workstation obtains a Ticket Granting Ticket for the user (4768), then service tickets to the workstation itself and to the DC (4769 Service: workstation$ and 4769 Service: DC$).
• Access shared folder: the workstation obtains a Service Ticket to the File Server (4769 Service: fileserver$, again on the DC) and presents it to the file server; the File Server's Security Log records 4624, Logon Type 3 (network).

Kerberos Events
• 4768 - A Kerberos authentication ticket (TGT) was requested
• 4771 - Kerberos pre-authentication failed
• 4772 - A Kerberos authentication ticket request failed
• 4820 - A Kerberos Ticket-granting-ticket (TGT) was denied because the device does not meet the access control restrictions
• 4769 - A Kerberos service ticket was requested
• 4770 - A Kerberos service ticket was renewed
• 4773 - A Kerberos service ticket request failed

NTLM
But what happens if NTLM is used?
• Logon at the Workstation: the Workstation's Security Log still records 4624, Logon Type 2. The workstation cannot verify the password itself, so it forwards the NTLM challenge/response to a Domain Controller for validation (NTLM authentication check); the DC's Security Log records 4776 (credential validation).
• Access shared folder: the File Server challenges the workstation and forwards the response to a Domain Controller for credential validation, producing another 4776 on the DC; the File Server's Security Log records 4624, Logon Type 3.

NTLM events
• 4776 - The domain controller attempted to validate the credentials for an account
• 4777 - The domain controller failed to validate the credentials for an account
• Note: 4776 is logged for successes and failures alike; the Error Code field tells them apart (0x0 is success). 4777 is defined but not generated by current Windows versions, so NTLM failures are found in 4776. For local accounts the 4776 is logged on the member computer that holds the account, not on a DC.

Some things to note
• Domain controllers don't know
  • What type of logon
  • How long you remain logged on
• NTLM doesn't give you
  • IP addresses
  • Name of the server
  • Just the workstation (the Source Workstation name, which the client itself supplies)
• Good reasons to make ongoing effort to move to Kerberos
  • Pass-the-hash
  • Threat detection

Threat Detection
• Scenarios
  • Probable account compromise
  • Suspicious activity
  • Brute force (2 types)
  • Impossible travel

Probable account compromise
• Event ID: 4769 (the Service Name field is the computer account, ending in "$", when the ticket is for a host)
• Create rolling baseline of computers where each user logs on
• For each authentication event compare the target computer to that user's baseline
• Extra credit
  • Take into account new computers, new users
  • Use locally generated logon events to take into account logon type

Brute Force
• Password guessing
  • Domain accounts
    • Event ID 4771 Failure Code 0x18 from all DCs
  • Local accounts
    • Event ID 4625 Sub Status 0xC000006A from all computers
• Looking for valid user names
  • Domain accounts
    • Event ID 4771 Failure Code 0x6 from all DCs
  • Local accounts
    • Event ID 4625 Sub Status 0xC0000064 from all computers
• Note: 4771 is only produced for accounts with Kerberos pre-authentication enabled; an account set to "Do not require Kerberos preauthentication" leaves no 4771 behind on a bad password.

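The two brute-force types above, as an added example that is not code from the deck or from Quest's product. Events are constructed inline as dicts carrying the fields a collector would flatten out of the Security Log XML (4771 carries the failure code in Status, 4625 in SubStatus); the threshold of five failures in five minutes and the sample hosts and addresses are assumptions.

```python
"""Brute-force detection over the failure events named on the slide."""
from collections import defaultdict
from datetime import datetime, timedelta

# (EventID, code) -> which of the two brute-force types it indicates.
PASSWORD_GUESSING = {("4771", "0x18"), ("4625", "0xc000006a")}
USERNAME_ENUMERATION = {("4771", "0x6"), ("4625", "0xc0000064")}


def classify(ev):
    """Return 'password-guessing', 'username-enumeration' or None."""
    code = ev.get("Status") if ev["EventID"] == "4771" else ev.get("SubStatus")
    key = (ev["EventID"], (code or "").lower())
    if key in PASSWORD_GUESSING:
        return "password-guessing"
    if key in USERNAME_ENUMERATION:
        return "username-enumeration"
    return None


def source_of(ev):
    """4771 (logged on the DC) identifies the client by IP; 4625 (logged on the
    member computer) identifies it by the workstation name the client supplied."""
    if ev["EventID"] == "4771":
        ip = ev["IpAddress"]
        return ip[7:] if ip.startswith("::ffff:") else ip  # DCs log IPv4 as ::ffff:a.b.c.d
    return ev["WorkstationName"]


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """One alert per (type, source) that produced >= threshold failures inside
    any sliding `window`; the alert lists the accounts that were targeted."""
    buckets = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            buckets[(kind, source_of(ev))].append((ev["Time"], ev["TargetUserName"]))
    alerts = []
    for (kind, source), hits in buckets.items():
        hits.sort()
        times = [t for t, _ in hits]
        for i, start in enumerate(times):
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                alerts.append({"type": kind, "source": source, "count": j - i,
                               "accounts": sorted({u for _, u in hits[i:j]})})
                break
    return alerts


# Constructed sample (assumed hosts/addresses): a 4771 burst from one client
# against one domain account, a name-guessing sweep from the same client, one
# fat-fingered local logon, and a local-account enumeration on a web server.
T0 = datetime(2018, 10, 2, 9, 0, 0)


def mk_event(eid, secs, user, code, ip="::ffff:10.1.5.23", ws="WS-ACCT-07"):
    ev = {"EventID": eid, "Time": T0 + timedelta(seconds=secs), "TargetUserName": user}
    if eid == "4771":
        ev.update(IpAddress=ip, Status=code)
    else:
        ev.update(WorkstationName=ws, SubStatus=code, IpAddress=ip)
    return ev


SAMPLE_EVENTS = (
    [mk_event("4771", 10 * n, "jsmith", "0x18") for n in range(6)]
    + [mk_event("4771", 120 + 5 * n, f"user{n}", "0x6") for n in range(5)]
    + [mk_event("4625", 300, "localadmin", "0xC000006A", ws="WS-ACCT-07")]
    + [mk_event("4625", 400 + 3 * n, f"test{n}", "0xC0000064", ws="SRV-WEB01") for n in range(5)]
)

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_EVENTS):
        print(alert)
```

Keying on the source rather than the target account is what separates the two types: a password-guessing burst shows one source and one or few accounts, an enumeration sweep shows one source and many distinct (mostly non-existent) names. The single 0xC000006A on WS-ACCT-07 stays below the threshold and produces nothing.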
Impossible travel
• Prerequisite
  • Geo-location on internal IPs
  • Site awareness based on computer names
• Methods
  • 4624 Logon type 2 from computers at different sites (also surfaces credential sharing)
  • 4768/69 where the Client Address is too distant for the time slip between the events (IPv4 clients appear as ::ffff:a.b.c.d in these events)
• False positives
  • On certain application architectures
  • Create exceptions for those servers

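Both impossible-travel methods, as an added example that is not code from the deck or from Quest's product. The site-by-network table, the site prefixes in computer names, the minimum travel times, the excepted application server address and the sample events are all constructed for illustration.

```python
"""Impossible travel from DC-logged 4768/4769 client addresses and from
interactive logons (4624 Logon Type 2) recorded on the computers themselves."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Prerequisite 1 (assumed): geolocation of internal address space.
SITE_BY_NETWORK = {
    ipaddress.ip_network("10.1.0.0/16"): "Chicago",
    ipaddress.ip_network("10.2.0.0/16"): "London",
    ipaddress.ip_network("10.3.0.0/16"): "Sydney",
}
# Prerequisite 2 (assumed): site encoded in computer names.
SITE_BY_NAME_PREFIX = {"w-chi-": "Chicago", "w-lon-": "London", "w-syd-": "Sydney"}
# Shortest plausible time between two sites (assumed).
MIN_TRAVEL = {
    frozenset({"Chicago", "London"}): timedelta(hours=8),
    frozenset({"London", "Sydney"}): timedelta(hours=20),
    frozenset({"Chicago", "Sydney"}): timedelta(hours=16),
}
# False-positive exception (assumed address): an application server that
# requests tickets on users' behalf from a site other than the user's own.
EXCEPTED_CLIENTS = {"10.2.200.10"}


def plain_ip(ip):
    """4768/4769 record IPv4 clients as ::ffff:a.b.c.d; strip the mapping."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def site_for_ip(ip):
    addr = ipaddress.ip_address(plain_ip(ip))
    for net, site in SITE_BY_NETWORK.items():
        if addr in net:
            return site
    return None


def site_for_computer(name):
    lower = name.lower()
    for prefix, site in SITE_BY_NAME_PREFIX.items():
        if lower.startswith(prefix):
            return site
    return None


def event_site(ev):
    """Map one event to (user, site), or None if it is not usable for this check."""
    if ev["EventID"] in ("4768", "4769"):
        if plain_ip(ev["IpAddress"]) in EXCEPTED_CLIENTS:
            return None
        site = site_for_ip(ev["IpAddress"])
    elif ev["EventID"] == "4624" and ev.get("LogonType") == "2":
        site = site_for_computer(ev["Computer"])  # Computer = the host that logged it
    else:
        return None
    return (ev["TargetUserName"].lower(), site) if site else None


def impossible_travel(events):
    """Sort each user's sightings by time and flag consecutive ones at different
    sites that are closer together than the minimum travel time between them."""
    sightings = defaultdict(list)
    for ev in events:
        mapped = event_site(ev)
        if mapped:
            user, site = mapped
            sightings[user].append((ev["Time"], site, ev["EventID"]))
    alerts = []
    for user, seq in sightings.items():
        seq.sort()
        for (t1, s1, e1), (t2, s2, e2) in zip(seq, seq[1:]):
            if s1 != s2 and (t2 - t1) < MIN_TRAVEL[frozenset({s1, s2})]:
                alerts.append({"user": user, "from": s1, "to": s2,
                               "gap": t2 - t1, "events": (e1, e2)})
    return alerts


T0 = datetime(2018, 10, 2, 9, 0, 0)
# Constructed sample: alice's TGT comes from Chicago and 25 minutes later a
# service ticket for her is requested from London; bob logs on interactively at
# two sites 20 minutes apart; carol's London "sighting" is the excepted server.
SAMPLE_EVENTS = [
    {"EventID": "4768", "Time": T0, "TargetUserName": "alice", "IpAddress": "::ffff:10.1.7.44"},
    {"EventID": "4769", "Time": T0 + timedelta(minutes=25), "TargetUserName": "alice",
     "IpAddress": "::ffff:10.2.3.9", "ServiceName": "fs-lon-01$"},
    {"EventID": "4624", "Time": T0, "TargetUserName": "bob", "LogonType": "2", "Computer": "w-chi-042"},
    {"EventID": "4624", "Time": T0 + timedelta(minutes=20), "TargetUserName": "bob",
     "LogonType": "2", "Computer": "w-lon-017"},
    {"EventID": "4768", "Time": T0, "TargetUserName": "carol", "IpAddress": "::ffff:10.1.9.2"},
    {"EventID": "4769", "Time": T0 + timedelta(minutes=5), "TargetUserName": "carol",
     "IpAddress": "::ffff:10.2.200.10", "ServiceName": "sql-lon-02$"},
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_EVENTS):
        print(alert)
```

The exception list is applied before geolocation so that a middle-tier server requesting tickets for many users never counts as a sighting; without it carol would be flagged exactly as alice is.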
Suspicious activity
• Dependent on how cleanly operated your environment is
• Naming conventions
• Look for violations of controls
• Example
  • Privileged user account names begin with "p-"
  • End-user workstation computer names begin with "w-"
  • Look for
    • 4769 from all DCs where user = "p-*" and service = "w-*"

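The two 4769-based detections from the slides above, the rolling per-user baseline of target computers (Probable account compromise, including the "new computers, new users" extra credit) and the naming-convention rule (Suspicious activity), as one added example that is not code from the deck or from Quest's product. The 30-day window, the 7-day grace period for newly built computers, the "p-"/"w-" conventions and all sample tickets are assumptions.

```python
"""Two detections over DC-logged 4769 service-ticket requests."""
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatch

PRIVILEGED_USER = "p-*"       # assumed convention: privileged account names
WORKSTATION_ACCOUNT = "w-*$"  # assumed convention: end-user workstation accounts


def is_host_ticket(ev):
    """Only 4769s whose Service Name is a computer account (trailing '$') tell
    us which computer the user is reaching; tickets for user SPNs are ignored."""
    return ev["EventID"] == "4769" and ev["ServiceName"].endswith("$")


def build_baseline(history, now, window=timedelta(days=30)):
    """Return (baseline, first_seen): baseline maps user -> computers the user
    obtained tickets for inside the window; first_seen maps computer -> earliest
    ticket ever, so newly built hosts can be excused."""
    baseline, first_seen = defaultdict(set), {}
    for ev in history:
        if not is_host_ticket(ev):
            continue
        user, svc = ev["TargetUserName"].lower(), ev["ServiceName"].lower()
        first_seen[svc] = min(first_seen.get(svc, ev["Time"]), ev["Time"])
        if now - window <= ev["Time"] <= now:
            baseline[user].add(svc)
    return baseline, first_seen


def evaluate(ev, baseline, first_seen, new_host_grace=timedelta(days=7)):
    """Return the list of findings for one 4769 (empty when nothing is wrong)."""
    findings = []
    if not is_host_ticket(ev):
        return findings
    user, svc = ev["TargetUserName"].lower(), ev["ServiceName"].lower()

    # Suspicious activity: a privileged account reaching an end-user workstation
    # violates the (assumed) control regardless of what the baseline says.
    if fnmatch(user, PRIVILEGED_USER) and fnmatch(svc, WORKSTATION_ACCOUNT):
        findings.append("privileged account requested ticket to end-user workstation")

    # Probable account compromise: computer outside this user's baseline.
    if user not in baseline:
        return findings  # new user: nothing to compare against yet
    if svc not in baseline[user]:
        if svc not in first_seen:
            findings.append(f"first ticket ever seen for {svc} (newly built computer?)")
        elif ev["Time"] - first_seen[svc] >= new_host_grace:
            findings.append(f"{user} has no history with {svc} in the baseline window")
        # else: computer younger than the grace period; first tickets to it are expected
    return findings


NOW = datetime(2018, 10, 2, 9, 0, 0)


def ticket(days_ago, user, service):
    """Constructed 4769, flattened to the fields used here."""
    return {"EventID": "4769", "Time": NOW - timedelta(days=days_ago),
            "TargetUserName": user, "ServiceName": service}


# Constructed history (assumed names): alice and bob each live on one
# workstation and a file server; p-admin only touches dc01 and an app server;
# bob touched srv-hr01 40 days ago (outside the window); w-chi-099 is 2 days old.
HISTORY = (
    [ticket(d, "alice", "w-chi-001$") for d in range(1, 21)]
    + [ticket(d, "alice", "fs01$") for d in range(2, 21, 3)]
    + [ticket(d, "bob", "w-chi-002$") for d in range(1, 21)]
    + [ticket(5, "bob", "fs01$"), ticket(40, "bob", "srv-hr01$")]
    + [ticket(d, "p-admin", "dc01$") for d in (1, 4, 9)]
    + [ticket(3, "p-admin", "srv-app01$"), ticket(2, "dave", "w-chi-099$")]
)

if __name__ == "__main__":
    baseline, first_seen = build_baseline(HISTORY, NOW)
    for ev in (ticket(0, "alice", "srv-hr01$"), ticket(0, "p-admin", "w-chi-002$"),
               ticket(0, "carol", "w-chi-002$"), ticket(0, "bob", "w-chi-099$")):
        print(ev["TargetUserName"], ev["ServiceName"], evaluate(ev, baseline, first_seen))
```

The baseline deliberately ignores tickets for non-computer service accounts, otherwise every user's first ticket to a service that registered an SPN would raise a finding; a new user is reported as nothing rather than everything, and a computer younger than the grace period is excused for everyone, which is the extra credit from the slide.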
Bottom line
• I can show you these events and how to analyze them
• Still need the technology
  • to collect this data from each domain controller
  • make sense of it and perform the requisite baselining and correlation.
• Matthew Vinton will briefly show you the new Threat Detection capabilities of Quest Change Auditor

© 2018 Monterey Technology Group Inc.

Change Auditor Threat Detection
Matthew Vinton
Strategic Systems Consultant

Live Demo

Summary – user threat detection challenges
• 1/3 of orgs spend 500 hours/month responding to alerts
• 50% of alerts are false positives
• 44% of alerts are left uninvestigated

quest.com | confidential

Making use of logon data is hard
• Making sense of thousands or even millions of logon events is difficult
• And it is often audit events in the context of other audit events that makes it important
• Native event logging can leave information gaps

Quest can make it easier
Change Auditor Threat Detection models individual user behavior patterns in order to detect anomalous activity that could be indicative of suspicious users or compromised accounts

Threat Detection now part of Quest Change Auditor

User threat detection for your Windows environment

User threat alerts – making sense out of noise
• 387 Million raw events (80,000 users, 60 days)
• 1,153 threat indicators (from 109,000 raw events): tens of thousands of indicators were generated and those below the threshold were discarded
• 304 SMART alerts (5 alerts a day on avg.)
• 180 risky users, scored and prioritized by importance

Thank you!