This is a real-time detection tool for attacks against Active Directory. It is an improved version of the previous release, and is intended to support immediate incident response to targeted attacks.
The tool detects the following attack activities using Event logs and Kerberos/SMB packets:
- Attacks leveraging the vulnerabilities fixed in MS14-068 and MS17-010
- Attacks using Golden Ticket
- Attacks using Silver Ticket
The tool has been tested on Windows Server 2008 R2, 2012 R2 and 2016. Documentation of the tool is here.
Our tool consists of the following components:
- Detection Server: Detects attack activities leveraging Domain Administrator privileges using signature-based detection and machine learning. The detection programs are exposed as a Web API.
- Log Server for Event logs: Implemented with the Elastic Stack. It collects the Domain Controller's Event logs in real time and provides log search and visualization.
- Log Server for packets: Collects Kerberos packets using tshark. Collected packets are sent to Elasticsearch via Logstash.
Our method consists of the following functions:
- Event Log analysis
- Packet analysis
- Identification of tactics in ATT&CK
- If someone accesses the Domain Controller, whether for legitimate work or as part of an attack, the activity is recorded in the Event log.
- Each Event log entry is sent to Logstash in real time by Winlogbeat.
- Logstash extracts the input data from the Event log entry, then calls the detection API on the Detection Server.
- The detection API is launched. First, the log is analyzed with signature detection.
- Next, the log is analyzed with machine learning.
- If an attack is detected, the log is judged to have been recorded by attack activity.
- An alert e-mail is sent to the security administrator, and a flag indicating an attack is added to the log.
- The log is transferred to Elasticsearch.
The following Event IDs are used for detection:
- 4672: An account assigned with special privileges logged on.
- 4674: An operation was attempted on a privileged object
- 4688: A new process was created
- 4768: A Kerberos authentication ticket (TGT) was requested
- 4769: A Kerberos service ticket was requested
- 4776: The domain controller attempted to validate the credentials for an account
- 5140: A network share object was accessed
- If someone accesses the Domain Controller, whether for legitimate work or as part of an attack, Kerberos packets are sent to the Domain Controller.
- Tshark collects the Kerberos packets.
- Logstash extracts the input data from the packets, then calls the detection API on the Detection Server.
- The detection API is launched. It analyzes from the packets whether Golden Tickets or Silver Tickets are being used.
- If an attack is detected, the packet is judged to have been recorded by attack activity.
- An alert e-mail is sent to the security administrator, and a flag indicating an attack is added to the packet.
- The packet is transferred to Elasticsearch.
The following Kerberos message types are used for detection:
- 11: KRB_AS_REP
- 12: KRB_TGS_REQ
- 13: KRB_TGS_REP
- 14: KRB_AP_REQ
- 32: KRB_AP_ERR_TKT_EXPIRED
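As an added example (not the tool's own code), the following shows one correlation the message types above support: a ticket that is presented without the exchange that should have issued it. A TGS_REQ from a client that never received an AS_REP points to a forged TGT (Golden Ticket), and an AP_REQ for a service with no preceding TGS_REP for that client/service pair points to a forged service ticket (Silver Ticket). The record layout (one dict per packet with `msg_type`, `src_ip`, `sname`) is an assumption standing in for what a Logstash filter would pass to the detection API.

```python
# Added example, not part of the tool: correlate observed Kerberos message
# types to flag tickets the KDC was never seen issuing. Clients are keyed by
# source address, since the AP_REQ/TGS_REQ bodies do not carry the client
# name in the clear. Record layout is assumed, not the tool's real format.
AS_REP, TGS_REQ, TGS_REP, AP_REQ, TKT_EXPIRED = 11, 12, 13, 14, 32


class TicketTracker:
    """Per-client state built from the Kerberos exchanges seen on the wire."""

    def __init__(self):
        self.tgt_issued = set()   # source addresses that received an AS_REP
        self.st_issued = set()    # (source address, service) pairs with a TGS_REP

    def analyze(self, pkt):
        """Return an alert string for a suspicious packet, otherwise None."""
        mtype, src = pkt["msg_type"], pkt["src_ip"]
        service = pkt.get("sname", "").lower()
        if mtype == AS_REP:
            self.tgt_issued.add(src)
        elif mtype == TGS_REQ:
            if src not in self.tgt_issued:          # TGT used but never issued
                return f"golden_ticket_suspected client={src}"
        elif mtype == TGS_REP:
            self.st_issued.add((src, service))
        elif mtype == AP_REQ:
            if (src, service) not in self.st_issued:  # service ticket never issued
                return f"silver_ticket_suspected client={src} service={service}"
        elif mtype == TKT_EXPIRED:
            # A service rejecting an expired ticket: kept as context for analysts
            return f"ticket_expired client={src} service={service}"
        return None


def scan(packets):
    """Run the tracker over an ordered packet list and collect the alerts."""
    tracker = TicketTracker()
    return [a for a in (tracker.analyze(p) for p in packets) if a]


# Constructed sample: a normal logon from 10.0.0.5, then a TGS_REQ from a host
# that never got an AS_REP, and an AP_REQ from a host that never got a TGS_REP.
SAMPLE = [
    {"msg_type": 11, "src_ip": "10.0.0.5", "sname": "krbtgt/EXAMPLE.LOCAL"},
    {"msg_type": 12, "src_ip": "10.0.0.5", "sname": "cifs/dc01.example.local"},
    {"msg_type": 13, "src_ip": "10.0.0.5", "sname": "cifs/dc01.example.local"},
    {"msg_type": 14, "src_ip": "10.0.0.5", "sname": "cifs/dc01.example.local"},
    {"msg_type": 12, "src_ip": "10.0.0.9", "sname": "cifs/dc01.example.local"},
    {"msg_type": 14, "src_ip": "10.0.0.7", "sname": "cifs/dc01.example.local"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Because the state starts empty, tickets issued before capture began will look forged; in a real deployment the tracker needs a warm-up period or seeding from existing Event log 4768/4769 records before its alerts are trusted.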
- Distinguish logs recorded by attack activities from logs recorded by normal operations, and identify infected computers and accounts.
- The detection results can be checked using Kibana.
- If attacks are detected, e-mail alerts are sent to the configured address.
We tested our tool in the following environment:
- Domain Controller (Windows 2008R2/ 2012 R2/ 2016)
- Winlogbeat (5.4.2): Open-source shipper for Windows Event logs
- Log Server for Event logs: Open-source tools + Logstash pipeline
  - OS: CentOS 7
  - Logstash (6.5.0): Parses logs, launches the detection program, transfers logs to Elasticsearch
  - Elasticsearch (6.5.0): Stores logs and provides the API interface used for log detection
  - Kibana (6.5.0): Visualizes the detection results
- Log Server for packet analysis: Open-source tools + Logstash pipeline
  - OS: CentOS 7
  - Logstash (6.5.0): Parses logs, launches the detection program, transfers logs to Elasticsearch
  - tshark: Collects and saves packets
- Detection Server: Custom detection programs
  - OS: CentOS 7
  - Python: 3.6.0
  - Flask: 0.12
  - scikit-learn: 0.19.1