FalconFriday — Detecting malicious modifications to Active Directory — 0xFF1D

Recently we have been seeing more and more threat actors and red teams move to relay attacks, often combined with the ability of ordinary domain users to add or modify data in Active Directory.

The first ability that is often misused in these attacks is that in most environments any authenticated user has the right to add new computer accounts (up to the ms-DS-MachineAccountQuota, which defaults to 10) and to modify the properties of the accounts they created. For example:

- The Certifried attack (CVE-2022-26923), released this month, which allows any user who can create or modify a computer account to escalate to domain admin through Active Directory Certificate Services.

- The SAM the Admin attack (CVE-2021-42278, chained with CVE-2021-42287), which allowed escalation from a regular user to domain admin.

Another ability that is abused is the modification of properties on existing computer accounts that grant access to the machine itself. For example:

- Kerberos resource-based constrained delegation (RBCD), by writing to the ‘msDS-AllowedToActOnBehalfOfOtherIdentity’ property, as abused by tools such as ntlmrelayx and KrbRelayUp.

- Shadow Credentials, by writing to the ‘msDS-KeyCredentialLink’ property, as abused by tools such as Whisker.
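
The post itself carries no query, so the following is an added example, not FalconForce's published detection, showing the shape of the event-log logic the two lists above call for: computer account creations (event 4741) by anyone outside an admin allow-list, and writes to the two sensitive attributes (event 5136) by non-admins. It goes one step beyond the text by treating a write made by a machine account (name ending in ‘$’) as a separate, higher-confidence rule, since that is what a relayed computer account looks like in the log. The event IDs and field names (SubjectUserName, SubjectDomainName, TargetUserName, ObjectDN, AttributeLDAPDisplayName, OperationType) are the real Windows Security log ones; the CONTOSO accounts, the allow-list and the sample events are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass

# Attributes on a computer object whose modification hands control of that
# computer to whoever is written into them.
SENSITIVE_ATTRIBUTES = {
    "msds-allowedtoactonbehalfofotheridentity",  # resource-based constrained delegation
    "msds-keycredentiallink",                     # Shadow Credentials
}

# Accounts that legitimately create computer objects or write these attributes.
# Hypothetical names; in practice build this list from the admin group, the PKI /
# management service accounts and any provisioning tooling in your environment.
ADMIN_ALLOWLIST = {"contoso\\adadmin", "contoso\\svc-provision"}

# OperationType values used by event 5136.
VALUE_ADDED = "%%14674"
VALUE_DELETED = "%%14675"


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str   # DOMAIN\account that made the change
    target: str    # computer account (4741) or object DN (5136)
    detail: str


def subject_of(ev: dict) -> str:
    return f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}".lower()


def is_machine_account(account: str) -> bool:
    # Machine account names end in '$'; they should not be editing directory objects.
    return account.rstrip().endswith("$")


def check_4741(ev: dict) -> Alert | None:
    """A computer account was created. Any authenticated user may do this up to
    ms-DS-MachineAccountQuota (default 10), which is what Certifried and
    SAM the Admin rely on, so flag creations by anyone outside the allow-list."""
    subject = subject_of(ev)
    if subject in ADMIN_ALLOWLIST:
        return None
    return Alert("computer-account-created-by-non-admin", subject,
                 ev["TargetUserName"], "check whether the creator modifies it afterwards")


def check_5136(ev: dict) -> Alert | None:
    """A directory object was modified. Requires 'Audit Directory Service Changes'
    and a SACL on the objects; without those the event is never written."""
    attr = ev["AttributeLDAPDisplayName"].lower()
    if attr not in SENSITIVE_ATTRIBUTES:
        return None
    subject = subject_of(ev)
    op = "added" if ev["OperationType"] == VALUE_ADDED else "removed"
    detail = f"{ev['AttributeLDAPDisplayName']} value {op}"
    if is_machine_account(subject):
        # A computer account writing RBCD / key credentials is the relay pattern
        # (ntlmrelayx --delegate-access, KrbRelayUp): flag regardless of allow-list.
        return Alert("sensitive-attribute-written-by-machine-account", subject,
                     ev["ObjectDN"], detail)
    if subject not in ADMIN_ALLOWLIST:
        return Alert("sensitive-attribute-written-by-non-admin", subject,
                     ev["ObjectDN"], detail)
    return None


def detect(events: list[dict]) -> list[Alert]:
    handlers = {4741: check_4741, 5136: check_5136}
    alerts = []
    for ev in events:
        handler = handlers.get(ev["EventID"])
        if handler is not None and (alert := handler(ev)) is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real log data) using the Windows field names.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectDomainName": "CONTOSO", "SubjectUserName": "adadmin",
     "TargetUserName": "SRV02$"},
    {"EventID": 4741, "SubjectDomainName": "CONTOSO", "SubjectUserName": "jdoe",
     "TargetUserName": "DESKTOP-FAKE01$"},
    {"EventID": 5136, "SubjectDomainName": "CONTOSO", "SubjectUserName": "jdoe",
     "ObjectDN": "CN=SRV01,OU=Servers,DC=contoso,DC=com",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectDomainName": "CONTOSO", "SubjectUserName": "WS01$",
     "ObjectDN": "CN=WS01,OU=Workstations,DC=contoso,DC=com",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectDomainName": "CONTOSO", "SubjectUserName": "svc-provision",
     "ObjectDN": "CN=SRV02,OU=Servers,DC=contoso,DC=com",
     "AttributeLDAPDisplayName": "description", "OperationType": VALUE_ADDED},
    {"EventID": 5136, "SubjectDomainName": "CONTOSO", "SubjectUserName": "adadmin",
     "ObjectDN": "CN=SRV03,OU=Servers,DC=contoso,DC=com",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": VALUE_ADDED},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.subject} -> {a.target}: {a.detail}")
```

Run against the sample, the admin creation, the admin RBCD write and the harmless description change produce nothing, while the user-created machine account, the user's Shadow Credentials write and the machine account's RBCD write each raise an alert. The allow-list is the tuning knob: a large one erodes the value of the 4741 rule, so prefer restricting ms-DS-MachineAccountQuota to 0 and routing legitimate joins through a dedicated provisioning account that the rule knows about.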

In this FalconFriday we focus on how to identify a number of these attacks using relatively simple detections based on the Windows Event Logs. In most environments these modifications are rare and are made only by a specific group of admin users, so the detections provided can be valuable for identifying both known and unknown attacks that rely on these changes being made. We hope this blog gives you a practical head start!

Cross-post from medium.com; please read the full article here: