Tag Archives: Security Audit

Microsoft Advanced Threat Analytics (ATA) – Part 01

There are many ways to monitor Active Directory activities in an infastrcure. Some tools are just to monitor the AD services and some tools are to monitor services as well as the activities. Service level monitoring is the easy part and any monitoring tool with windows service monitoring can monitor the status of the AD services. Tools likes SCOM allows to monitor services in more granular level. it is not just monitoring status of the service, it also monitors the AD components and their activities. Windows event log also gives visibility over Active Directory service status and its activities. In a previous blog post I explained how we can enabled advanced active directory auditing which can help to understand what’s going on.

When it comes to security related events, only a tool with auditing capabilities can give some insight. However most of these tools do not give any advice or guidance based on the events it captured. It’s all depend on engineers who analysis those. As an example, an event I sees as a security related event may not see as a threat by a second line support engineer. This is a quite an issues as recent report from Microsoft shows it can take average of 146 days to identify an identity infrastructure security breach. We are fighting against human adversaries, it is obvious we cannot close all the doors. We need to expect a breach. If there is a breach or attempt there should be way to identify it quick as possible and prevent it.

Microsoft is maintaining Active Directory more than 20 years. Microsoft now also have Azure Active Directory. Every day they collect massive amount of security events related to active directory from many different sources. They used these data to build Microsoft Advanced Threat Analytics. It is a simple tool which can identify Active directory infastrcure security threats in early stage and notify engineers about it.

OMS or ATA ?

Microsoft Operation Management Suite also have modules such as AD Assessment, Security and Audit which uses Microsoft Security Graph to identify Active Directory infastrcure threats. OMS not only audit AD activities, it also evaluates existing Active Directory infastrcure setup and provide guidelines to improve it. All these recommends are based on Microsoft security and deployment best practices. OMS also can integrate with Azure Automation to automate operation tasks. It allows engineers to attach a runbook to an alert. In ATA it is only detect and report the problem but it will not take any action about it. I am not saying any of them can replace the other one. Both have different capabilities and its up to you to choose the best one for your environment.

What ATA can detect?

Things that ATA can detect can categorize under 3 areas.

Malicious attacks

  • P ass-the-Ticket (PtT)
  • Pass-the-Hash (PtH)
  • Overpass-the-Hash
  • Forged PAC (MS14-068)
  • Golden Ticket
  • Malicious replications
  • Reconnaissance
  • Brute Force
  • Remote execution
  • Malicious DPAPI

Abnormal behavior

  • Anomalous logins
  • Unknown threats
  • Password sharing
  • Lateral movement

Security issues and risks

  • Broken trust
  • Weak protocols
  • Known protocol
  • Vulnerabilities

ATA Components

ATA Center – ATA center is the operation center. It receives information from ATA gateways and display the detected events in web interface. using ATA center, we also can setup administrators, configure email alerts settings, check the status of connection to gateways. It also can manage the update settings for the gateways.

ATA Gateway – ATA Gateway monitors the traffic which comes to Active Directory Servers. it uses port mirroring technology for it. captured data will passed in to ATA center for evaluation.

ATA Lightweight Gateway – This is the easiest method which can use to install ATA gateway. This component can directly install in Active Directory Domain Controller. However, it will increase the resource usage of the domain controller.

ATA Deployment

There are three ways to deploy ATA,

Using only ATA Gateways – In this deployment mode separate ATA gateways will be used. Domain controllers network ports need to mirror to ATA gateways servers so they can capture the traffic. this is the most reliable method as it will not make any impact on active directory domain controller performance.

Using only ATA Lightweight Gateways – This is most cost effective method of deployment. It will not require separate server and component will be directly install on Domain Controller. It also not required any network layer changes. Only requirement will be to increase the RAM and CPU for the Domain Controller.

Using both ATA Gateways and ATA Lightweight Gateways – In this method, both gateway types will be used. This is ideal deployment mode for branch office environment. In branch office, we can use ATA Lightweight Gateways as it monitor relatively lower traffic.

ata-architecture-topology (1)

Image source : https://docs.microsoft.com/en-gb/advanced-threat-analytics/plan-design/media/ata-architecture-topology.jpg

ATA Prerequisites

  1. ATA center need minimum of Windows server 2012 R2 with latest updates. Recommended at least 4 GB and 2 CPU.
  2. ATA center need to two IP addresses
  3. ATA Lightweight Gateway need minimum of Windows server 2012 R2 with latest updates. Recommended at least 6 GB and 2 CPU.
  4. SSL Certificate for ATA center and gateways. If there is no valid certificate (such as wild card or certificate from internal CA) we can still use self-signed certificate.

Now we have everything ready for the ATA deployment. In next part of this post, I will walk you through the deployment steps.

Hope this was helpful and if you have any question feel free to contact me on rebeladm@live.com

Step-By-Step Guide to enable Advanced Security Audit Policy: DS Access

More than any other system active directory in an organization important in security perspective. Even a small change in Organization’s AD can cause a major business impact. Preventing any unauthorized access, unplanned change in AD environment should prevent in first place but if similar thing happened in your AD environment you should have enough information to answer questions such as what has changed?, when it happened and who did it ?

As you know the computer security threats are changing every day, sometime the default event logs may not help to answer above questions.  Microsoft understand these modern requirements and with windows 2008 R2 they introduce “Advanced Security Audit Policy”. This give you 53 options to tune up the auditing requirement and you can collect more in granular level information about your infrastructure events.  It is have 10 categories and in this demo I am going to talk about the “DS Access” category which is focused on Active Directory Access and Object Modifications.

ds1

Advanced Security Audit Policy is need to enable via GPO. These events happens records on Domain controllers.  There for the policy should only target the Domain Controllers. This can enabled on “Default Domain Controllers Policy” in AD.

Let’s see how to enable this GPO setting.

In my Demo I am using AD server with Windows 2016 TP4.
1)    Log in to the Server as Domain Admin
2)    Load Group policy management editor using Server Manager > Tools > Group Policy Management
3)    Expand the Domain Controllers OU, then right click on Default Domain Controllers Policy and edit.

ds2

4)    Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access

ds3

There are 4 subcategories under DS Access. Let’s see what each and subcategory capable of.

Audit Detailed Directory Service Replication

This security policy setting can be used to generate security audit events with detailed tracking information about the data that is replicated between domain controllers. This audit subcategory can be useful to diagnose replication issues.

If its enabled following events will be appear in logs
 

Event ID

Event message

4928

An Active Directory replica source naming context was established.

4929

An Active Directory replica source naming context was removed.

4930

An Active Directory replica source naming context was modified.

4931

An Active Directory replica destination naming context was modified.

4934

Attributes of an Active Directory object were replicated.

4935

Replication failure begins.

4936

Replication failure ends.

4937

A lingering object was removed from a replica.

Audit Directory Service Access

This security policy setting determines whether the operating system generates events when an Active Directory Domain Services (AD DS) object is accessed.
These events are similar to the Directory Service Access events in previous versions of Windows Server operating systems.

If its enabled following events will be appear in logs

Event ID

Event message

4662

An operation was performed on an object.

Audit Directory Service Changes

This security policy setting determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are:
•    Create
•    Delete
•    Modify
•    Move
•    Undelete
Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed.

If its enabled following events will be appear in logs

Event ID

Event message

5136

A directory service object was modified.

5137

A directory service object was created.

5138

A directory service object was undeleted.

5139

A directory service object was moved.

5141

A directory service object was deleted.

Audit Directory Service Replication

This security policy setting determines whether the operating system generates audit events when replication between two domain controllers begins and ends.

If its enabled following events will be appear in logs

Event ID

Event message

4932

Synchronization of a replica of an Active Directory naming context has begun.

4933

Synchronization of a replica of an Active Directory naming context has ended.

According to Microsoft best practices https://technet.microsoft.com/en-us/library/dn487457.aspx i am going to enable

Audit Directory Service Access
Audit Directory Service Changes

Sub categories for both success and failure events. To do that double click on each subcategory and enable audit events.

ds4

ds5

ds6

After GPO apply now I can see the new events under logs. For testing I added new GPO under IT OU and in logs I can see the detail info about the activity.

ds7

If any question about the post feel free to ask me on rebeladm@live.com