Defence

Ok this morning I woke up really really early! I then went on a bit of a KQL thread on twitter, and then IRL work destroyed my plans to play in the lab. However I’m publishing this in its current state [use at own risk etc.] because I think it might help people! So let’s get to it:

These queries can help you identify 3 common active directory attack techniques from logs on a domain controller (this does not rely on ADCS logs etc.)

The examples are for Microsoft Sentinel and are based on:

  • Security Events
  • System Events

The techniques are:

  1. Active Directory Certificate Services Abuse ESC1
    1. We are focusing on the TGT requests that use a certificate with an attacker-supplied SAN field.
  2. Kerberoasting
  3. DCSync

Active Directory Certificate Services Abuse (ESC1)

Method: Domain TGT Request (on a domain controller)

Sentinel Query KQL

// Event ID 39 (System log, Kerberos-Key-Distribution-Center): a certificate was valid but could not be strongly mapped to a user
Event
| where TimeGenerated > ago(90d)
| where EventLog == 'System'
| where EventID == '39'
| sort by TimeGenerated desc

Kerberoasting

impacket-GetUserSPNs evilcorp/lowpriv:Pa55w0rd1! -target-domain evilcorp.local -outputfile roaster.txt

To detect this:

Sentinel Query KQL

// Event ID 4769 = Kerberos service ticket (TGS) requested
SecurityEvent
| where TimeGenerated > ago(90d)
| where EventID == 4769 // this requires that non-default auditing be enabled
// Ticket Options: 0x40810000 and Ticket Encryption: 0x17 (RC4-HMAC)
| where EventData has "0x40810000" and EventData has "0x17"
| sort by TimeGenerated desc

DCSync

We need to filter our domain controllers out of this, since they replicate legitimately. I have given an example that does this by keeping only events where the AccountType is not Machine and where the account name does not include ‘$’ or ‘DC’; this might not work for your environment.

Warning: replicating ALL objects includes replicating the DPAPI backup keys, which can’t be changed!

An example of how to DCSync is here:

impacket-secretsdump -just-dc administrator:[email protected]

To detect this:

Sentinel Query KQL

// Hunt for DCSync Events
SecurityEvent
| where TimeGenerated > ago(90d)
| where EventID == 4662 // this requires that non-default auditing be enabled
| where AccessMask has "0x100" // 0x100 = Control Access
| where AccountType != "Machine"
| where AccountName !contains "$" and AccountName !contains "DC" // exclude DC accounts; adjust for your environment
| where EventData has "Replicating Directory Changes all"
    or EventData has "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" // DS-Replication-Get-Changes-All
    or EventData has "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" // DS-Replication-Get-Changes
    or EventData has "89e95b76-444d-4c62-991a-0facbeda640c" // DS-Replication-Get-Changes-In-Filtered-Set
| sort by TimeGenerated desc
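As an added example that is not from the original post: the DCSync hunt above can be tightened by pulling the property GUIDs out of EventData and mapping them to their right names, so you see which replication rights each account exercised rather than a flat list of events. It reuses the same columns as the query above (EventData, AccessMask, AccountType, AccountName, Computer) and assumes, as that query does, that the 4662 EventData carries the GUIDs; the ReplicationRights table and the DC exclusion filter are my assumptions to tune for your environment.

```kql
// Map the three replication control-access rights to readable names (assumed lookup table)
let ReplicationRights = datatable(PropertyGuid:string, RightName:string)
[
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c", "DS-Replication-Get-Changes-In-Filtered-Set"
];
SecurityEvent
| where TimeGenerated > ago(90d)
| where EventID == 4662
| where AccessMask has "0x100"            // Control Access
| where AccountType != "Machine"
| where AccountName !contains "$" and AccountName !contains "DC"   // DC exclusion, tune this
// Pull every GUID out of the raw event (lower-cased so the regex is case-insensitive)
| extend PropertyGuid = extract_all(@"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", tolower(EventData))
| mv-expand PropertyGuid to typeof(string)
// Keep only the replication rights and attach their names
| join kind=inner ReplicationRights on PropertyGuid
// One row per account and DC, with the set of rights exercised
| summarize Rights = make_set(RightName), Events = count(),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by AccountName, Computer
// Pulling secrets needs Get-Changes-All, so surface those accounts first
| where set_has_element(Rights, "DS-Replication-Get-Changes-All")
| sort by LastSeen desc
```

Drop the last `where` to also see accounts that only exercised Get-Changes, which is useful for baselining what normally replicates in your domain.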

KQL Tips

A few things that I find useful:

Searching between two dates

| where TimeGenerated between (datetime(2024-10-01T00:00:00) .. datetime(2024-10-10T00:00:00))

Summarising events based on time, e.g. number of events per hour

| summarize count() by bin(TimeGenerated, 1h)

Summarising events based on time, e.g. number of events per hour per computer

| summarize count() by bin(TimeGenerated, 1h), Computer

Depending upon the data source, the ‘Computer’ column may need changing.

Create a time graph

| render timechart

Create a column graph

| render columnchart

Further Reading on KQL

There’s a great book here (ok I’ve only just got this myself but I bet it’s great!)

Summary

These are just some of the detection methods against 3 common attacks. You may find better or more optimal ways of doing this in your environments; however these should give you an idea of where to start. These are manual, and you can use analytics rules etc. in Sentinel… so this is just to show people some KQL and some common attacks! (caveat the planet!)