
Welcome to the Azure Advanced Threat Protection Webinar

We will start 2-3 minutes after the scheduled time to accommodate those still connecting.

Questions? Feel free to type them in the instant message window at any time. Note that any
questions you post will be public. You have the option to post questions anonymously.

This webinar is being recorded. We’ll post the recordings to our community forums at
https://aka.ms/AATPRecordings.

Join our Community: https://aka.ms/SecurityCommunity


Azure Advanced Threat Protection:
Detections Webinar
Itai Grady, Security Researcher @ItaiGrady
Tali Ash, Program Manager @Taliash1
Agenda

1. Understanding Active Directory user object data


2. Domain controllers’ replication
3. Relevant attack techniques
Detect advanced attacks throughout the kill chain

Reconnaissance
• Account enumeration
• LDAP recon
• Users group membership enumeration
• Users & IP address enumeration
• Hosts & server name enumeration (DNS)

Compromised Credential
• Brute force attempts
• Suspicious VPN connection
• Honey Token account suspicious activities

Lateral Movement
• Pass-the-Ticket
• Pass-the-Hash
• Overpass-the-Hash
• NTLM relay attack (Exchange)

Domain Dominance
• Golden ticket attack
• DCShadow
• Data exfiltration
• DCSync
• Remote code execution on DC
• Skeleton Key
• Service creation on DC
• Suspicious groups membership modifications
What is Active Directory?

Secure, Structured hierarchical data storage for objects


• Domains
• Users
• Computers
• Groups
• Services

Supports locating and working with these objects

Extensible for 3rd party applications and services


Object attributes

Schema for each object type

Interesting attributes:
• Group membership
• Password never expires
• Empty password allowed
• Service principal name (SPN)
• Trusted for delegation
Directory structure

Partitions: Schema, Configuration, Domain

Partitions are organized hierarchically
• Logical containers (such as Organizational Units - OU)

Objects have a unique path
• Canonical name (CN) for a specific object
• Distinguished Name (DN): CN=Ariliene Banks,OU=Users,OU=Org,OU=Test,DC=domain1,DC=test,DC=local
Security Principals and Groups

User and computer objects are security principals

Groups can contain users, computers and other groups

They have a unique security identifier
• objectSid (SID) = domain's SID followed by the RID (relative identifier)
  Example: S-1-5-21-1411547893-2725445261-4116970666-1234
  Domain's SID: S-1-5-21-1411547893-2725445261-4116970666
  RID: 1234

Well-Known RIDs

Examples:
SID                         Display Name
S-1-5-7                     Anonymous Logon
S-1-5-11                    Authenticated Users
S-1-5-domain-500            Administrator
S-1-5-domain-501            Guest
S-1-5-domain-512            Domain Admins
S-1-5-root domain-518       Schema Admins
S-1-5-root domain-519       Enterprise Admins


Querying the Directory

Directory data can be queried through APIs


• SAM-R (Security Account Manager (SAM) Remote)
• WMI (Windows Management Instrumentation)
• LDAP (Lightweight Directory Access Protocol)
• Active Directory Web Services

Attackers use these same APIs to learn about the environment

• Which users and computers exist?
• Which users have high privileges?
• Which objects have delegation permissions?
• Which services run under user accounts (user permissions)?
Demo
• User and group membership reconnaissance (SAMR)
• Kerberoasting -> Security principal reconnaissance (LDAP)
• NTDS.dit exfiltration -> Data exfiltration over SMB
Introduction to domain controller's replication

Directory consists of objects and attributes
• Replication occurs at the attribute level

Loosely consistent, multimaster, state-based directory
• Occurs within a latency period
• Updates can occur on any DC
• All replications are pull-based
• Each DC tracks current value ("state") of objects
Originating directory updates

Initial LDAP write to the directory

Four types
• Add (create a new object)
• Modify (add/delete/change an attribute)
• Move (move an object in the directory)
• Delete (special case of Modify)
  • Set isDeleted attribute to TRUE
  • Change relative distinguished name (append \0ADEL:<GUID>)
  • Strip attributes not required by the system
  • Move object to Deleted Objects container
How Replication Works

[Diagram: Source DC and Destination DC, with steps 1-6 below drawn between them]

1. Originating update occurs on source DC
2. Replication interval occurs on destination DC
3. Identify replication source DC (connection object)
4. Request changes from source DC
5. Source DC sends updates to destination DC
6. Destination DC applies changes to local database
Update Sequence Number (USN)

• Current USN is a 64-bit counter maintained by each DC
• Each update increments the USN
  • Written to updated attributes as Local USN
  • Object's highest Local USN is indexed as USNChanged
• For originating writes
  • Current USN stored as Originating USN
  • Originating USN is replicated with attribute value
• Additional metadata (stamp) used to resolve conflicts
  • Version
  • Originating Time (stored in UTC)
  • Originating DC
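The USN and stamp mechanics of the last two slides, modelled in Python as an added example (not code from the webinar or from Azure ATP). It carries the slide's stamp fields through AD's standard conflict-resolution order, which the slide lists but does not spell out: higher version wins, then later originating time, then the originating DC; DC names, times and attribute values are constructed.

```python
from dataclasses import dataclass, field

@dataclass(order=True, frozen=True)
class Stamp:
    """Replication metadata carried with an attribute value. Field order is the
    conflict-resolution order: version, then originating time, then originating
    DC (the name stands in for the DC's invocation-ID GUID)."""
    version: int
    originating_time: int            # UTC seconds; constructed values below
    originating_dc: str
    originating_usn: int = field(compare=False)   # carried along, not a tie-break

@dataclass
class DomainController:
    name: str
    current_usn: int = 0             # the per-DC 64-bit counter from the slide
    attrs: dict = field(default_factory=dict)   # attr -> (value, stamp, local_usn)

    def originating_write(self, attr, value, now):
        """LDAP write on this DC: bump current USN and stamp the new value."""
        self.current_usn += 1
        old = self.attrs.get(attr)
        version = old[1].version + 1 if old else 1
        stamp = Stamp(version, now, self.name, self.current_usn)
        self.attrs[attr] = (value, stamp, self.current_usn)  # local USN == originating USN
        return stamp

    def apply_replicated(self, attr, value, stamp):
        """Inbound change from a source DC: keep it only if its stamp wins."""
        old = self.attrs.get(attr)
        if old is not None and not (stamp > old[1]):
            return False                 # local value wins, inbound change dropped
        self.current_usn += 1            # applying a change is still a local update
        self.attrs[attr] = (value, stamp, self.current_usn)
        return True

def replicate(source, destination):
    """Slide steps 4-6: destination pulls the source's attributes and applies them
    (a real DC would only request values above its high-watermark USN)."""
    return {a: destination.apply_replicated(a, v, s)
            for a, (v, s, _) in source.attrs.items()}

def conflict_demo():
    """Same attribute written on two DCs before either replicates: the stamp with
    the later originating time wins on both sides once they converge."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.originating_write("description", "written on DC1", now=1000)
    dc2.originating_write("description", "written on DC2", now=1005)
    replicate(dc1, dc2); replicate(dc2, dc1)
    return dc1.attrs["description"][0], dc2.attrs["description"][0]
```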
DCSync attack
1. Discovery of a Domain Controller to request replication.
2. User Replication is requested by the attacker.
3. Domain Controller returns replication data to the attacker including password hashes.

The classic use case for DCSync is to replicate the KRBTGT account in order to execute Golden Ticket attack.
Permissions Required

• High privileged permissions:
  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes In Filtered Set
• Generally Administrators, Domain Admins, Enterprise Admins have the required permissions
• By leveraging Domain Admin privileges, we can replicate any account we want.
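An added example (not from the webinar) that ties the SID/RID table from the Security Principals slides to this one: it splits a SID into domain SID and RID, names the well-known RIDs, and audits a constructed domain-head ACL for trustees holding the three replication rights listed above. The extended-right GUIDs are the real schema values; the EXPECTED baseline and the sample ACL are assumptions.

```python
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins",
                   516: "Domain Controllers", 518: "Schema Admins",
                   519: "Enterprise Admins"}
WELL_KNOWN_SIDS = {"S-1-5-7": "Anonymous Logon", "S-1-5-11": "Authenticated Users",
                   "S-1-5-32-544": "Administrators"}
REPLICATION_RIGHTS = {   # extended-right GUIDs of the three replication rights
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "Replicating Directory Changes All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "Replicating Directory Changes In Filtered Set",
}
# Assumed baseline of trustees that legitimately hold these rights; adjust it
# to what your forest actually grants before trusting the findings.
EXPECTED = {"Administrators", "Domain Admins", "Enterprise Admins", "Domain Controllers"}

def split_sid(sid):
    """Return (domain_sid, rid). A domain SID is S-1-5-21-a-b-c and the trailing
    sub-authority is the RID; any other SID is returned whole with rid=None."""
    parts = sid.split("-")
    if parts[:2] != ["S", "1"] or not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"malformed SID: {sid}")
    if parts[2:4] == ["5", "21"] and len(parts) == 8:
        return "-".join(parts[:7]), int(parts[7])
    return sid, None

def display_name(sid):
    """Name well-known RIDs and SIDs from the slides; echo anything else."""
    rid = split_sid(sid)[1]
    return WELL_KNOWN_RIDS.get(rid) or WELL_KNOWN_SIDS.get(sid, sid)

def audit_replication_aces(aces):
    """aces: (trustee_sid, object_type_guid) pairs from the domain head's ACL.
    Returns {trustee: set(rights)} for trustees outside the baseline, i.e. the
    principals from which a DCSync could be run and that should be reviewed."""
    findings = {}
    for sid, guid in aces:
        right = REPLICATION_RIGHTS.get(guid.lower())
        who = display_name(sid)
        if right and who not in EXPECTED:
            findings.setdefault(who, set()).add(right)
    return findings

# Constructed sample ACL: the baseline plus one ordinary user (RID 1234) holding
# both "Changes" and "Changes All", which is the DCSync prerequisite.
DOMAIN = "S-1-5-21-1411547893-2725445261-4116970666"
SAMPLE_ACES = [(DOMAIN + "-512", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
               (DOMAIN + "-519", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"),
               ("S-1-5-32-544", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
               (DOMAIN + "-1234", "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"),
               (DOMAIN + "-1234", "1131f6AD-9c07-11d1-f79f-00c04fc2dcd2")]
```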
DCShadow

• Simulates the behavior of a Domain Controller to inject its own data
• It shares some similarities with the DCSync attack
• Attack Flow:
  1. Registering the "DC" by creating 2 objects in the CN=Configuration partition and altering the SPN of the computer used.
  2. Pushing the data (triggered using DrsReplicaAdd)
  3. Removing the object previously created to demote the DC
Demo
• DCSync attack
• DCShadow attack
Summary

• Active Directory user object


• User and group membership reconnaissance (SAMR)
• Kerberoasting -> Security principal reconnaissance (LDAP)
• Data exfiltration over SMB

• Domain controllers communications


• DCSync attack
• DCShadow attack
Additional Resources - TBD

Active directory and relevant protocols


https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adod/5ff67bf4-c145-48cb-89cd-4f5482d94664

Azure ATP Detections


https://aka.ms/aatpsaguide
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-reconnaissance-alerts
https://docs.microsoft.com/en-us/azure-advanced-threat-protection/atp-domain-dominance-alerts

Azure ATP Attack Simulation Playbook


https://aka.ms/aatpsaplaybook

Azure ATP Community


Tech Community: http://aka.ms/SecurityCommunity
Questionnaire/Feedback

https://aka.ms/AatpWebinarFeedback
Thank You for Joining Us!

Recordings have been posted to our community forums at


https://aka.ms/AATPRecordings.

Questions? Ask us at https://aka.ms/AzureATPCommunity.

Join our Community: https://aka.ms/SecurityCommunity
