Webinar 1522 Slides

Slide 1: 4 Threat Detections using Active Directory Authentication Events from the Windows Security Log
Sponsored by
Made possible by
Thanks to
© 2018 Monterey Technology Group Inc.
10/2/2018
Slide 2: Understanding the Events
Authentication protocols
Kerberos
NTLM
Slide 3: [Diagram: Workstation, Kerberos logon]

Slide 4: [Diagram: Kerberos logon]
Slide 5: Assuming we are using Kerberos, what's happening behind the scenes?
[Diagram: Logon, Kerberos, Domain Controller, Active Directory]
Slide 6: [Diagram: Logon, Domain Controller, Active Directory, Security Log]
Events written to the Security Log on the Domain Controller:
4768
4769 Service: DC$
4769 Service: workstation$
4769 Service: fileserver$
Slide 7: [Diagram: Logon, Domain Controller, Active Directory, Security Log]
4769 Service: fileserver$
Slide 8: But what happens if NTLM is used?
[Diagram: Logon, NTLM]
Slide 9: [Diagram: Logon, NTLM, credential validation by the Domain Controller, Active Directory, Security Log]
4776
Slide 10: [Diagram: Logon, NTLM, credential validation by the Domain Controller, Active Directory, Security Log]
4776
Slide 11: Threat Detection Scenarios
Probable account compromise
Suspicious activity
Brute force (2 types)
Impossible travel
Slide 12: Brute Force
Domain accounts: Event ID 4771 type 0x18 from all DCs
Local accounts: Event ID 4625 code 0xC000006A from all computers
Looking for valid user names
Domain accounts: Event ID 4771 type 0x6 from all DCs
Local accounts: Event ID 4625 code 0xC0000064 from all computers
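The two brute-force types on this slide, implemented as a detector over constructed sample events (an added example, not code from the webinar or from Change Auditor). It assumes a simple parsed-event dict; the "type" on the slide is the Failure Code field of event 4771 and the Sub Status field of event 4625, and user-name probing is counted by distinct target accounts per source rather than by raw attempts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# (Event ID, code) -> brute-force type, exactly the four signatures on the slide.
SIGNATURES = {
    ("4771", "0x18"): "password guessing",            # Kerberos pre-auth failed (domain accounts, DCs)
    ("4625", "0xc000006a"): "password guessing",      # wrong password (local accounts, any computer)
    ("4771", "0x6"): "username enumeration",          # Kerberos client principal unknown
    ("4625", "0xc0000064"): "username enumeration",   # user name does not exist
}

def classify(event):
    """Return the brute-force type for one parsed event, or None if it is not a signature."""
    code = event.get("failure_code") or event.get("sub_status") or ""
    return SIGNATURES.get((event["event_id"], code.lower()))

def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Bucket signature events by (source, type); alert when a sliding window holds >= threshold.
    For username enumeration the count is distinct target accounts, since the attacker's signal
    is many different names from one source, not many attempts against one name."""
    buckets = defaultdict(list)
    for ev in events:
        kind = classify(ev)
        if kind:
            buckets[(ev["source"], kind)].append(ev)
    alerts = []
    for (source, kind), evs in buckets.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - first["time"] <= window]
            names = {e["target"] for e in in_window}
            count = len(names) if kind == "username enumeration" else len(in_window)
            if count >= threshold:
                alerts.append({"source": source, "type": kind, "count": count, "accounts": sorted(names)})
                break  # one alert per source/type is enough
    return alerts

def _ev(event_id, code, source, target, minute):
    """Build one constructed event; 4771 carries failure_code, 4625 carries sub_status."""
    key = "failure_code" if event_id == "4771" else "sub_status"
    return {"event_id": event_id, key: code, "source": source, "target": target,
            "time": datetime(2018, 10, 2, 9, minute)}

# Constructed sample log: a password spray on one domain account, a user-name probe,
# two stray local failures 30 minutes apart (no alert), and a normal 4768 (ignored).
SAMPLE_EVENTS = (
    [_ev("4771", "0x18", "10.0.0.5", "jsmith", m) for m in range(6)]
    + [_ev("4771", "0x6", "10.0.0.9", f"guess{n}", n) for n in range(7)]
    + [_ev("4625", "0xC000006A", "WKS01", "localadmin", 0), _ev("4625", "0xC000006A", "WKS01", "localadmin", 30)]
    + [_ev("4768", "", "10.0.0.5", "jsmith", 7)]
)
```

Running detect_brute_force(SAMPLE_EVENTS) yields one password-guessing alert for 10.0.0.5 and one username-enumeration alert for 10.0.0.9; the WKS01 pair stays below the window threshold.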
Slide 13: Impossible travel
Prerequisite
Geo-location on internal IPs
Site awareness based on computer names
Methods
4624 Logon type 2 from computers at different sites
Credential sharing
4768/69 where the client IP is too distant for the time elapsed between the events
False positives
On certain application architectures
Create exceptions for those servers
Slide 14: Change Auditor Threat Detection
Matthew Vinton, Strategic Systems Consultant
Slide 15: Live Demo
1/3 of orgs spend 500 hours/month responding to alerts
50% of alerts are false positives
44% of alerts are left uninvestigated
quest.com | confidential
Slide 18:
Tens of thousands of indicators (from 109,000 raw events)
1,153
Threat indicators below the threshold were discarded
304 SMART alerts
5 alerts a day on avg.
Thank you!