Recovering Active Directory

Saniye Nur
13 min read · Dec 21, 2023


Welcome to the last content of the year. It seems ironic that I will close this year with Active Directory, but I also covered AD misconfiguration errors in my previous article, so it was natural to continue from there. I wish you pleasant reading.

Now, in this article, our attention turns to the vulnerabilities present in Active Directory, strategies for recovering a compromised Active Directory domain controller, and proactive measures aimed at thwarting hacking endeavors. Additionally, we will explore the Active Directory Red Architecture, which plays a pivotal role in executing operating system hardening, along with benchmarks specifically tailored for the server environment.

Content Purposes

  • Prompt responses following a system infection.
  • Recognizing attack patterns and proficiently pinpointing the infection vector.
  • Fundamentals of the recovery process.
  • Typical misconfigurations often overlooked by domain administrators.
  • Steps to be taken post-recovery for comprehensive security.

I used the Tryhackme Recovering Active Directory room to stick to a flow while explaining and to make applications.

I will be using Windows Server 2019 acting as a compromised domain controller throughout the exercise. We assume that the hackers somehow got access to the domain controller on Apr 10, 2023, and are now creating additional accounts, modifying group policies, and disrupting essential services on our network.

Let’s begin.

First, I start by entering the Windows machine that tryhackme created for me and checking the Server Backup.

The primary objective for hackers is to establish persistent access to the system. Completely removing threat actors from a system is an intricate and time-consuming task; therefore, it is crucial to minimize the attack surface and isolate infrastructure elements (such as servers and objects) that are likely uncompromised. Here is a concise checklist of steps recommended before delving into the recovery process:

Utilize the built-in “Windows Server Backup” utility to create a backup of the compromised AD server. Access it through Run > wbadmin.msc. Analysts will later use this backup for comprehensive malware and threat analysis.
Note: Please refrain from attempting to create a backup in the attached VM.

Restore the trusted backup of the Windows Server. This restoration operation will result in the loss of some data, including AD objects (users, computers, etc.) added to the domain after creating the trusted backup.

Segregate the network and activate the secondary domain controller to provide uninterrupted services to users.

Implement enhanced monitoring and filtering of traffic from the restored AD server to identify any attack patterns at the network level.

Restrict the creation and modification of new user accounts, GPOs, etc., until the recovery process is complete (if feasible).

“Windows Server Local Backup” refers to the local backup processes on a Windows Server operating system. It denotes the procedure where data, files, or system state of a Windows Server system is backed up to a local storage environment on the same physical server.

The Windows Server operating system includes a backup tool called Windows Server Backup. This tool enables system administrators to back up critical data and system states on their servers. Local backup typically encompasses backup processes to a local storage device such as a local hard disk, external disk, or another local storage device on the same server.

Local backup is utilized to prevent data loss, restore system states, and ensure a reliable recovery process. These backups are designed to enhance business continuity by providing quick and on-site restoration capabilities.

When opening the Windows Server Backup screen, if you want to take a backup only once for the server and don’t want this process to be continuous, you proceed by selecting the “Backup Once” option. The “Recover” option is used for restoring from the backup.

And as you can see, here we can view the options for a one-time backup process. Do you want to take a complete backup of the entire server, or is there a specific area you’d like to back up? Where should I store this backup?
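The same one-time, whole-server backup can be scripted with the Windows Server Backup PowerShell module. This is an added example, not code from the TryHackMe room; it assumes the Windows Server Backup feature is installed and that a spare volume E: (a constructed name) exists as the target. Run it on a lab server of your own, not in the room's VM.

```powershell
# Added example (not from the TryHackMe room): one-time full backup of a server with the
# Windows Server Backup PowerShell module. Assumes the feature is installed and a spare
# volume E: (constructed) exists as the target; run it on a lab server, not in the room VM.
Import-Module WindowsServerBackup

function Start-OneTimeServerBackup {
    param([Parameter(Mandatory)][string]$TargetVolume)

    $policy = New-WBPolicy
    # Bare-metal recovery pulls in the critical volumes; system state includes the AD database
    Add-WBBareMetalRecovery -Policy $policy
    Add-WBSystemState -Policy $policy

    $target = New-WBBackupTarget -VolumePath $TargetVolume
    Add-WBBackupTarget -Policy $policy -Target $target

    # Full VSS backup so the copy is consistent for later forensic analysis
    Set-WBVssBackupOptions -Policy $policy -VssFullBackup

    # Runs the backup now, without scheduling it (the GUI's "Backup Once")
    Start-WBBackup -Policy $policy

    # Return the newest backup set on the target so it can be recorded in the incident log
    Get-WBBackupSet -BackupTarget $target |
        Sort-Object BackupTime -Descending |
        Select-Object -First 1
}

Start-OneTimeServerBackup -TargetVolume 'E:'
```

The returned backup set (its BackupTime and VersionId) is what analysts later reference when they mount the image for malware analysis, so note it down together with the time the server was isolated.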

And note, it is good practice to isolate the infected network infrastructure for detailed network monitoring.

The Event Viewer serves as an invaluable tool for troubleshooting Windows and application errors. The event log service initiates automatically with the Windows startup, providing detailed insights into all critical events transpiring on your system. This includes instances such as program crashes or encountering the infamous blue screen of death. Further information on Windows services and Telemetry can be explored in the Windows Hardening room.

Events are categorized into Error, Warning, and Information, with key classifications as follows:

  • Application: Chronicles events pertaining to already installed programs.
  • System: Logs events associated with system components.
  • Security: Records events linked to security and authentication.

Accessing the Event Viewer is straightforward; simply type “eventvwr” in the Run dialog.

And if we are talking about Active Directory, we should also mention BloodHound.

BloodHound is an Active Directory (AD) analysis and security tool designed to assess and visualize the security posture of an Active Directory environment. It serves two primary functions:

  1. Revealing Hidden Relationships: BloodHound uncovers the often complex and interconnected relationships within an Active Directory, shedding light on permissions, trust relationships, and group memberships that might not be immediately apparent.
  2. Determining Attack Paths: The tool can identify and map out potential attack paths or privilege escalation routes within the Active Directory environment. This functionality helps security professionals and administrators understand and mitigate potential security risks.

BloodHound utilizes graph theory to represent and analyze the relationships and permissions within Active Directory. It includes an ingestor called SharpHound, which collects data from various sources within the AD environment, such as computers, groups, and users.

The tool is widely used by security professionals, penetration testers, and system administrators to perform security assessments, identify vulnerabilities, and enhance the overall security of Active Directory infrastructures. It’s important to note that while BloodHound is a legitimate tool for security analysis, it can also be misused if not used responsibly.

https://attack.mitre.org/software/S0521/#:~:text=BloodHound%20is%20an%20Active%20Directory,paths%20within%20an%20AD%20environment

PowerView.ps1 is a PowerShell-based tool used for various security checks and vulnerability detection on the active directory. This tool is used to check for vulnerabilities and malicious activities in the Active Directory (AD) environment.

If you want to perform AD audits using PowerView.ps1, here are some examples:

We can execute PowerView in the attached VM as follows:

  • Run the command Import-Module C:\Users\Administrator\Desktop\PowerView\pw.ps1 in a PowerShell terminal.
  • Once the module is imported, we can run various commands, for example Get-NetDomainController, which returns information about the domain controller.

List User Group Memberships:

. .\PowerView.ps1   # dot-source the script so its functions load into the current session
Get-NetUser | Select-Object samaccountname, memberof

List Administrator Groups:

. .\PowerView.ps1
Get-NetGroup -GroupName *admin*

Review User Activities:

. .\PowerView.ps1
Get-NetUser | Select-Object samaccountname, lastlogon

Find Hidden Shares:

. .\PowerView.ps1
Invoke-ShareFinder   # enumerates the shares on every domain host, including the administrative ($) shares

Examine Delegation:

. .\PowerView.ps1
Invoke-ACLScanner   # reports ACL entries that give non-default principals modify rights on AD objects

Find Users with Admin Rights:

. .\PowerView.ps1
Get-NetGroupMember -GroupName "Domain Admins"

I won’t try all of these, I won’t focus on Powershell that much, but for example;

The Get-NetLoggedon command, used within PowerShell, is employed to retrieve NetSession information on a Windows computer. This command lists users currently logged on to a computer and the resources to which these users are connected. This information can be utilized for monitoring active sessions on a network, troubleshooting, or conducting security assessments.

The command Get-NetComputer | Select-Object Name combines two pieces:

  • Get-NetComputer: retrieves information about computers in the network.
  • Select-Object Name: filters the output to display only the “Name” property of each computer.

When you run this command, it lists the names of the computers in the network, giving a concise view of computer names without additional details.

Typically, in the event of a domain controller compromise, we can monitor alterations to domain objects such as users, computers, and group policies, discerning intruders’ actions. In many cases, once unauthorized access to the system is secured, hackers commonly engage in activities like generating additional users and modifying group policies.

Tracking the Changes

By monitoring user permissions, object creation dates (such as users), the joining dates of computers, and modifications to group policies, we can effectively track alterations within Active Directory. Employing PowerShell allows us to gain a more comprehensive understanding of the activities unfolding in the AD environment.

Get-ADUser -Filter {((Enabled -eq $True) -and (Created -gt "Monday, April 10, 2023 00:00:00 AM"))} -Property Created, LastLogonDate | select SamAccountName, Name, Created | Sort-Object Created

We can see that the user evil.guy was created after the hacking incident on 12.04.2023.

This script identifies and displays a comprehensive list of all computers that have been added to the Active Directory domain, providing details such as the date of joining and the name of the individual responsible for the addition.

Get-ADComputer -filter * -properties whencreated | Select Name,@{n="Owner";e={(Get-acl "ad:\$($_.distinguishedname)").owner}},whencreated
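The two queries above can be folded into a single timeline of everything that changed after the incident date: users created or modified, computers joined (with the owner of the computer object), and GPOs edited. This is an added example, not part of the room or the article's own commands; it assumes the RSAT ActiveDirectory and GroupPolicy modules are available and uses the article's compromise date of April 10, 2023.

```powershell
# Added example (not from the TryHackMe room): one sorted timeline of AD changes made after
# a known compromise date. Assumes RSAT ActiveDirectory and GroupPolicy modules on the host.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-AdChangeTimeline {
    param([Parameter(Mandatory)][datetime]$Since)

    $events = [System.Collections.Generic.List[object]]::new()

    # Users created or modified after the incident date (whenChanged covers both cases)
    Get-ADUser -Filter { whenChanged -ge $Since } -Properties whenCreated, whenChanged, LastLogonDate |
        ForEach-Object {
            $created = $_.whenCreated -ge $Since
            $events.Add([pscustomobject]@{
                Time   = if ($created) { $_.whenCreated } else { $_.whenChanged }
                Kind   = if ($created) { 'UserCreated' } else { 'UserModified' }
                Object = $_.SamAccountName
                Detail = "LastLogon=$($_.LastLogonDate)"
            })
        }

    # Computers joined after the incident date, with the owner of the computer object
    # (the owner is the security principal that created the object)
    Get-ADComputer -Filter { whenCreated -ge $Since } -Properties whenCreated |
        ForEach-Object {
            $owner = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner
            $events.Add([pscustomobject]@{
                Time = $_.whenCreated; Kind = 'ComputerJoined'; Object = $_.Name; Detail = "Owner=$owner"
            })
        }

    # Group Policy Objects modified after the incident date
    Get-GPO -All | Where-Object { $_.ModificationTime -ge $Since } |
        ForEach-Object {
            $events.Add([pscustomobject]@{
                Time = $_.ModificationTime; Kind = 'GpoModified'; Object = $_.DisplayName; Detail = "Id=$($_.Id)"
            })
        }

    $events | Sort-Object Time
}

Get-AdChangeTimeline -Since (Get-Date '2023-04-10') | Format-Table -AutoSize
```

Reading the rows in time order is what makes the intruder's sequence visible: an account such as evil.guy appearing, then a machine joined under that account, then a GPO edit shortly after. Any object created or changed by a principal that should not have been active in that window is a candidate for the compromised-account list in the recovery plan.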

Examining modifications to group memberships involves reviewing event logs and identifying specific event IDs generated in various scenarios. Here are noteworthy event IDs for this purpose:

  • Event ID 4756: Indicates the addition of a member to a universal security group.
  • Event ID 4720: Indicates when a user account is added to a security group.
  • Event ID 4757: Signals the removal of a member from a universal security group.
  • Event ID 4726: Signals the removal of a user account from a security group.
  • Event ID 4728: Denotes the addition of a member to a global security group.
  • Event ID 4732: Reflects the addition of an account to a service.
  • Event ID 4729: Highlights the removal of a member from a global security group.
  • Event ID 4733: Denotes the removal of an account from a service.

To inspect these events, utilize the Event Viewer accessible through the Run command (Run > eventvwr).

If you want, we can go and search for the logs we want, for example, the email address of user evil.guy, from the Security logs here. But I think the easiest is to do this with PowerView. For example:

I want to see the total number of users logged in after Dec 1, 2022.

Get-ADUser -Filter {((Enabled -eq $True) -and (Created -gt "December 01,2022 00:00:00 AM"))} -Properties Created, LastLogonDate | select SamAccountName, Name, Created, LastLogonDate | Sort-Object Created

If we want to track from Event Viewer rather than Powershell, we can filter the event ids as follows and try to find the data we want.
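The Event Viewer filter can also be expressed in PowerShell, which has the advantage of pulling the group name, the member and the account that made the change out of each event. This is an added example, not code from the room; it assumes it runs on the domain controller (or against it via -ComputerName) with rights to read the Security log, and defaults to the article's compromise date.

```powershell
# Added example (not from the TryHackMe room): list group-membership changes recorded in the
# Security log after the compromise date. Assumes rights to read the DC's Security log.
function Get-GroupMembershipChanges {
    param(
        [datetime]$Since = (Get-Date '2023-04-10'),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # 4728 / 4732 / 4756: member added to a global / local / universal security group
    # 4729 / 4733 / 4757: member removed from a group of the same scope
    $ids   = 4728, 4729, 4732, 4733, 4756, 4757
    $added = 4728, 4732, 4756

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = $ids; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        # The EventData fields (group, member, subject) are only exposed through the event XML
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Action    = if ($added -contains $_.Id) { 'Added' } else { 'Removed' }
            Group     = $data['TargetUserName']
            Member    = $data['MemberName']
            ChangedBy = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }
}

Get-GroupMembershipChanges | Sort-Object Time | Format-Table -AutoSize
```

The ChangedBy column is the one to read first: a membership change to Domain Admins or Administrators performed by an account that is not a known administrator, or performed outside change windows, points directly at the account the intruder is operating from.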

How to Reclaim Control: Domain Takeback

Given the widespread use of Active Directory (AD) in organizations, hackers consistently target systems with perceived vulnerabilities. Consequently, an effective Post-Compromise plan must be established to ensure continued service availability and minimize downtime for AD users. The process of recovering an AD system after a compromise is referred to as Domain Takeback.

Steps for the Recovery Plan

Key components of this plan may include the following:

  1. Resetting Tier 0 Account Passwords: Reset or disable Tier 0 accounts by selecting the appropriate option to enhance security.
  2. Identifying Compromised Accounts: Proactively search for potentially compromised or suspicious accounts, and reset their passwords to prevent privilege escalation.
  3. Securing the Kerberos Service Account: Change the password for the Kerberos service account to render it unusable for potential attackers.
  4. Resetting Administrative Privilege Passwords: Reset the passwords for accounts with administrative privileges to mitigate security risks.
  5. Utilizing Reset-ComputerMachinePassword: Employ the PowerShell command “Reset-ComputerMachinePassword” to perform reset operations for computer objects within the domain.
  6. Securing the Domain Controller Machine: Reset the password for the domain controller machine to prevent potential abuse of silver tickets. Further insights into different types of Kerberos-based attacks can be found here.
  7. Leveraging Domain Controllers for Protection and Recovery: Configuring a writable domain controller (DC) as a backup for a compromised one allows for restoration to avoid disruptions. Caution is advised during this step to avoid restoring an instance of a compromised DC.
  8. Conducting Malware Analysis: Perform a thorough analysis of any targeted domain controller server to identify and mitigate potential threats posed by malicious scripts.
  9. Verifying for Persistent Access: Confirm that the attacker has not added any scheduled tasks or startup applications for sustained access. Accessing the task scheduler can be accomplished through Run > taskschd.msc.
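Steps 1, 3, 4, 5 and 6 of the plan are all credential resets, and they can be scripted so that each one is done the same way and logged. The block below is an added example, not the room's or the article's own procedure; it assumes the RSAT ActiveDirectory module and a Domain Admin session on a trusted (restored) domain controller, and 'DC02' is a constructed placeholder for a partner DC.

```powershell
# Added example (not from the TryHackMe room): PowerShell helpers for the credential-reset
# steps of a domain takeback. Assumes RSAT ActiveDirectory and a Domain Admin session on a
# trusted (restored) DC; 'DC02' is a constructed placeholder for another DC in the domain.
Import-Module ActiveDirectory

function New-RandomPassword {
    # 32 random bytes, base64-encoded: ample entropy for a secret that nobody needs to type
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtPassword {
    # Golden tickets are signed with the krbtgt key. Two resets are needed because the KDC
    # keeps honouring tickets issued under the previous key; run this a second time only after
    # the first change has replicated to every DC and the max ticket lifetime (default 10 h) passed.
    $before = (Get-ADUser krbtgt -Properties PasswordLastSet).PasswordLastSet
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomPassword)
    $after  = (Get-ADUser krbtgt -Properties PasswordLastSet).PasswordLastSet
    [pscustomobject]@{ Account = 'krbtgt'; PreviousSet = $before; NowSet = $after }
}

function Reset-PrivilegedAccountPasswords {
    # adminCount=1 marks accounts protected by AdminSDHolder, i.e. members of Tier 0 groups.
    # Each gets a fresh random password; the SecureString is returned so the operator can hand
    # it to the account owner through the organisation's out-of-band process.
    Get-ADUser -Filter { adminCount -eq 1 -and Enabled -eq $true } |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            $pw = New-RandomPassword
            Set-ADAccountPassword -Identity $_ -Reset -NewPassword $pw
            [pscustomobject]@{ Account = $_.SamAccountName; NewPassword = $pw }
        }
}

function Reset-MachineAccountPassword {
    param(
        [Parameter(Mandatory)][string]$PartnerDC,   # DC that will process the change
        [switch]$IsDomainController
    )
    if ($IsDomainController) {
        # Silver tickets are forged with the machine account key. On a DC the documented
        # procedure is to stop the KDC, reset via netdom against another DC, then start it again.
        Stop-Service -Name kdc
        & netdom.exe resetpwd /server:$PartnerDC /userd:"$env:USERDOMAIN\$env:USERNAME" /passwordd:*
        Start-Service -Name kdc
    } else {
        # Member servers and workstations: run locally on each machine (step 5 of the plan)
        Reset-ComputerMachinePassword -Server $PartnerDC -Credential (Get-Credential)
    }
}

Reset-KrbtgtPassword
Reset-PrivilegedAccountPasswords | Format-Table Account -AutoSize
Reset-MachineAccountPassword -PartnerDC 'DC02' -IsDomainController
```

Order matters: reset the privileged accounts and the DC machine account before the second krbtgt reset, so that by the time the old Kerberos key stops being accepted, none of the keys the intruder may have captured are still valid either.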

Examine event logs, Access Control Lists (ACLs), and group policies meticulously to detect any potential alterations. At the network level, implement traffic filtering for both inbound and outbound traffic to identify Indicators of Compromise (IOC); this action is typically orchestrated at the Security Operation Center (SOC) level.

Numerous tools designed for Active Directory (AD) protection and risk assessment, such as Ping Castle, are at your disposal for conducting audits and pinpointing potential vulnerabilities within the AD environment. Additionally, consider forwarding logs to Security Information and Event Management (SIEM) solutions like Wazuh and Splunk to facilitate in-depth network analysis.

For example: Reset the password for the user evil.guy.

Active Directory Users and Computers>Action>Find>(Name:evil.guy)> Reset Password

Why did it happen? Common Misconfigurations

Misconfigured servers, clients, and applications can create vulnerable entry points for potential exploitation by attackers. In the AD hardening context, we’ve explored common attacks and mitigation strategies. Here are additional vulnerabilities often overlooked by system administrators:

  1. Boot Source in BIOS: Improperly configured BIOS boot orders can provide attackers with an opportunity to compromise servers by booting from unauthorized devices and changing login passwords. Mitigate this risk by configuring the BIOS to disallow booting from CD/DVD, external devices (USB), or floppy drives.
  2. AD Server Administrator Group Members: Managing user access to workstations is a significant challenge in AD environment hardening. By default, all members of the Domain Users group have the ability to log into any workstation in the AD. To address this, administrators should implement preventive measures to restrict users who can log in locally on computers with privileged access or domain controllers. This can be achieved through the “Allow log on locally” policy. To enable this policy:
  • Access the group policy by entering gpedit.msc in the Run dialog.
  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
  • Double-click on “Allow log on locally” to select specific users or groups permitted to log in to the domain controller.
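Checking the effective setting on a domain controller is quicker than clicking through the policy editor. The following is an added example, not from the room or the article; it assumes a local administrator session on the DC and uses the built-in secedit tool to export the effective user-rights assignment, then flags any overbroad principal holding “Allow log on locally”.

```powershell
# Added example (not from the TryHackMe room): audit who holds "Allow log on locally"
# (SeInteractiveLogonRight) on this machine. Assumes a local admin session; secedit is built in.
function Get-LocalLogonRightHolders {
    param(
        # Path of a secedit export; it is created if missing
        [string]$ConfigPath = (Join-Path $env:TEMP 'secpol-export.inf')
    )
    if (-not (Test-Path $ConfigPath)) {
        & secedit.exe /export /cfg $ConfigPath /areas USER_RIGHTS | Out-Null
    }
    # The export contains one line per right, e.g.
    #   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-551
    $line = Get-Content $ConfigPath | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
    if (-not $line) { return @() }

    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim()
        # secedit writes SIDs with a leading '*'; account names are written as-is
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else {
            $entry
        }
    }
}

# Principals that should never be able to log on interactively to a domain controller
$Overbroad = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

function Test-LocalLogonRight {
    foreach ($holder in Get-LocalLogonRightHolders) {
        [pscustomobject]@{
            Principal = $holder
            Overbroad = ($Overbroad -contains $holder) -or ($holder -like '*\Domain Users')
        }
    }
}

Test-LocalLogonRight | Format-Table -AutoSize
```

On a default domain controller the list is Administrators, Account Operators, Backup Operators, Print Operators and Server Operators; any row marked Overbroad, or any custom group you cannot account for, is a finding to fix in the Default Domain Controllers Policy rather than in local policy, so that it survives the next Group Policy refresh.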

Weak Passwords: Attackers lacking access rights in the environment can compromise AD accounts by exploiting weak passwords through dictionary or brute force attacks. Assessing your organization’s vulnerability to such threats is crucial. Tools like Mimikatz, including features like DCSync attack, can extract credentials, such as the NTLM password hash or plaintext password, posing a significant security risk. Effective prevention strategies and awareness of Kerberos-based attacks are essential.

Enhancing Security Against DCSync Attacks: The DCSync attack lets an attacker impersonate a domain controller and request directory replication, including account credential data, on that controller’s behalf. Preventing DCSync attacks starts with identifying which accounts hold replication permissions in the domain. Since attackers can execute this attack without logging on to the domain controller, robust network monitoring becomes pivotal. If a DCSync attack is detected, promptly disabling the compromised account is crucial to prevent privilege escalation and to restrict the attacker’s capacity to make network changes through Group Policy Objects.
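Identifying the accounts with replication permissions means reading the ACL of the domain naming context for the three replication control-access rights. The block below is an added example, not from the room or the article; it assumes the RSAT ActiveDirectory module, and the list of expected holders is an assumption for a default domain that you should extend with any legitimate replication accounts your environment has (for instance an Azure AD Connect service account).

```powershell
# Added example (not from the TryHackMe room): list every principal granted the directory
# replication rights a DCSync attack needs, on the domain naming context. Assumes the RSAT
# ActiveDirectory module; read access to the domain ACL suffices, so it runs on any member.
Import-Module ActiveDirectory

# Schema GUIDs of the control-access rights involved in directory replication
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$AllObjects = '00000000-0000-0000-0000-000000000000'   # ObjectType meaning "every extended right"

function Get-ReplicationRightHolders {
    $domain = Get-ADDomain
    $acl    = Get-Acl -Path "AD:\$($domain.DistinguishedName)"
    $rights = [System.DirectoryServices.ActiveDirectoryRights]

    # Assumption: holders present in a default domain; add your own legitimate sync accounts
    $expected = @(
        'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM',
        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
        'NT AUTHORITY\ENTERPRISE READ-ONLY DOMAIN CONTROLLERS',
        "$($domain.NetBIOSName)\Domain Controllers",
        "$($domain.NetBIOSName)\Read-only Domain Controllers"
    )

    foreach ($ace in ($acl.Access | Where-Object AccessControlType -eq 'Allow')) {
        $guid         = $ace.ObjectType.ToString()
        $hasExtended  = ($ace.ActiveDirectoryRights -band $rights::ExtendedRight) -ne 0
        $isGenericAll = ($ace.ActiveDirectoryRights -band $rights::GenericAll) -eq $rights::GenericAll

        $right = $null
        if ($hasExtended -and $ReplicationRights.ContainsKey($guid)) { $right = $ReplicationRights[$guid] }
        elseif ($hasExtended -and $guid -eq $AllObjects)            { $right = 'All extended rights (includes replication)' }
        elseif ($isGenericAll)                                      { $right = 'GenericAll (includes replication)' }
        if (-not $right) { continue }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
            Expected  = $expected -contains $ace.IdentityReference.Value
        }
    }
}

Get-ReplicationRightHolders | Sort-Object Expected, Principal | Format-Table -AutoSize
```

Every row with Expected set to False is either a legitimate synchronisation account you should document or an entry the intruder added to keep pulling credentials after a password reset. For the monitoring side the article recommends, Security event 4662 records access to the domain object, and its Properties field carries the same GUIDs, so a 4662 with one of these GUIDs from a non-DC account is the host-level signal of a DCSync.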

Permissions for Scripts and Applications on Workstations: Allowing domain clients to run unauthorized scripts or applications exposes the network to potential exploitation. Attackers can enumerate the entire network and execute exploits based on vulnerabilities in target systems. Malware often utilizes command prompts, PowerShell, and batch files. Implementing restriction policies on scripts and applications is a fundamental defense against various cyber threats targeting AD servers.

Post Recovery Actions

After recovering the domain controller, it is imperative to develop a comprehensive incident response plan to identify vulnerabilities that allowed unauthorized access. Here are key actions to take post-recovery:

Policy Decisions:

  • Formulate a detailed cybersecurity plan aligned with international frameworks like NIST.
  • Establish a disaster management policy to prevent future attacks.
  • Conduct a thorough cybersecurity audit of the infrastructure to pinpoint the infection vector and determine the root cause.
  • Ensure logging from all servers, computers, and network devices is maintained and directed to a reputable Security Information and Event Management (SIEM) solution.

Domain Controller:

  • Permanently add rules in SIEM to block command and control (C2) domains and IP addresses used by attackers.
  • Patch all vulnerable systems to prevent exploitation through publicly available exploits.
  • Conduct comprehensive malware scans on all domain controllers and domain-joined systems.
  • Upgrade the operating system to the latest version of Windows Server for enhanced security features, including AES encryption and more efficient support for red architecture.
  • Remove file shares on domain controllers.
  • Disable the use of removable media on host computers to prevent malware propagation.

Backups:

  • Ensure redundant domain controllers are in a high-availability layout.
  • Implement automated backup and recovery mechanisms.
  • Regularly verify trusted backups to validate integrity.

Implementation of CIS Benchmarks:

  • Recognize the need for advanced security policies for critical systems exposed to the external world.
  • Utilize Center for Internet Security (CIS) benchmarks for securing computer systems, downloading them based on the operating system.
  • Apply necessary configuration changes at user and server levels as per CIS benchmarks.
  • Consider organization-specific requirements before deploying these hardening measures at the user/server level.
