In previous article , we talked about how to build Detection Chart using MITRE ATT&CK Framework. In this article, we will leverage those detection charts to help guide us prioritize as to which TTPs , we should build detection for. This is what sample detection chart looks like.
As discussed in the previous article, detection for TTPs fall into following categories
- Irrelevant : This TTPs would not be applicable to our environment
- Not Detected : Relevant but not detecting this TTP at all
- Somewhat Detected : Relevant and TTP is detected but not its variations
- Detected : Relevant , TTP and all its known variations are detected.
For Purple Team Exercise, we need to focus on TTPs that either in category “Not Detected” or “Somewhat Detected”. For the purpose of this article, we will focus on how to conduct purple team exercise for T1003 ( Credential Access ). Further , we would talk about challenges and potential solutions to resolve them. We would also talk about potential bypasses of the built detections.
What is T1003?
T1003, Credential Access is one of the most abused TTP out there. In a windows environment, it is very common to see an attack cycle of pass the hash , run mimikatz , rinse and repeat until you get domain admin. Following tools have abused lsass for years until detection finally caught up and made it harder to use those tools.
A lot of this tools are now caught by AV, EDR Tools if you download it without packing them with tools such as veil framework , Themida etc. And Even if you do pack these tools , they get caught during run-time since they rely on accessing SAM files using in-memory techniques ( a.k.a. accessing lsass ). This is mostly because EDR tools look for white listed set of processes that should access lsass and without changing process name / id , none of processes spawned by these tools would be in the white list.
However, for this article we have a more specific agenda, detecting one of the most abused ( and every attacker’s most favorite ) TTP , DcSync. This is a very specific technique when the attacker has domain admin privilege. What makes this technique so dangerous is that all the hashes go out the window including krbtgt hash which allows attacker to forge golden tickets.
So What is DcSync ? When attacker has domain admin level privilege, the attacker impersonates a domain controller to replicate objects from other DCs. Mostly the attacker will go after hashes because that is what allows them to get closer to achieving their objective.What makes it hard to detect DcSync is that domain controllers replicate each other all the time. Thus, we have to identify the legitimate replication from illegitimate one.
Purple Team Exercise Made Simple
Now let’s talk about what the purple team exercise for creating detection would look like.
- Investigate what network level artifacts are generated for the TTP.
- Investigate what host level artifacts are generated for the TTP.
- Are those network artifacts getting logged in SIEM ? If not,work with network engineer , SOC analyst to get those logs in the SIEM.
- Are those host artifacts getting logged in SIEM ? If not,work with system administrator , SOC analyst to get those logs in the SIEM.
- Build a query by working with SIEM expert and SOC analyst that triggers detection for that trade-craft. You may end up running the attack couple times for SOC analyst and SIEM expert to observe and build the query for.
- Execute the TTP, Trigger that alert to observer the response from blue team to make sure that the response has adequate investigative steps.
So how does all this translate in the realm of Purple Team Exercise for DcSync. When you run a dcsync attack using compromised domain admin credentials ( i.e. cobaltstrike with pass the hash followed by dcsync ) :
- At Network Level , a GetNCChange Request is made to targeted DC.
- At Host Level, EventId 4662 is generated on the target DC along with EventID 4624 which would give you hostname and accountname being abused.
- At network level , you can use IDS to trap a GetNCChange Request , trigger an alert and send the alert log SIEM.
- At Host Level, on domain controllers you have to enable logging of EventIDD4662 and 4624 , sent it to SIEM.
- Once the required logs are in SIEM , run dcsync couple of times for one account each so as to it does not blow up the logs. Make sure all the required information is getting logged such as target domain controller , account being abused, attacker / victim host responsible for dcsync etc. and have it either baked into a query or as a part of investigative steps.
- Trigger the dcsync alert ( yourself if you have domain admin privilege , whitecard it if you don’t ) and observe the response to make sure that SOC analysts working the alert can identify key things such as target domain controller , account being abused, attacker / victim host responsible for dcsync.
There is one more thing that I did not mention in the steps above and that is , dcsync is an abuse of legitimate domain controller characteristic : replication of AD objects. Thus, you would have to tune out the domain controllers from the alerts that have been built , otherwise it will blow up the alert notifications.
Challenges and Bypasses
In this section , we will talk about challenges of building detection and bypasses of those detections. Because, if building detection was as easy as six steps I mentioned above , red teams ( and actual attackers ) would never succeed.
At network level , the detection only works if all of the traffic going to DC passes through the IDS. Not all the networks are designed in a way that all traffic going to DC passes through IDS meaning there are some subnet from which IDS would miss dcsync. So you may be looking at a project of placing extra IDS in places in network where there are visibility gaps which means extra resources to manage the IDS , more budget etc.
The challenges we would run into host level detection can be related to the fact that at most organization domain controllers are touched by different teams which can cause issues. For Example,
- even though the sysadmin enables logging for EventID 4662 , you don’t see any logs because some old GPO is overriding the newly created GPO for EventID 4662.
- You may also run into issue such as domain controller runs out of resources since there are so many logs being generated.
This are all the relatively painful but solvable challenges. HOWEVER , the biggest caveat here is we have to tune out domain controllers for the alert which means if the attacker has krbtgt hash , the attacker can impersonate a domain controller using golden ticket and bypass the detection.
Also , should I mentioned we are just talking about dcsync, one of many ways to execute T1003 ? we have not touched any other techniques at all. This is why building detection is hard. It requires knowledge of exactly what artifacts to look for , collaboration between different teams , hard work and in this specific case reading boring Microsoft articles about event IDs. It can be painful but once you get a hang of it , it becomes fun. It gives you better understanding of your tradecrafts as a red teamer. Last but not the least, it is priceless to know how you can bypass the detections you help built.
Purple Team Exercise improves the red team since they understand what IOCs the tradecrafts generate and it improves the blue team since they would understand how the attack works and what IOCs to look for.
Other teams involved such as system administrator or network engineer get insight into the mind of attacker. They get a better understanding of the importance of certain logs being fed into SIEM. In future if index of those logs is not getting data , they would know what is at stake if a dcsync alert is missed.
We simply can’t underestimate the role of detection chart as the guide. As you can see , this exercises can be taxing and requires help from different teams. Thus, it becomes very important to work through TTPs that are relevant and high priority.
In the end, targeted and collaborative approach will improve the overall security posture of the organization. While this article uses DcSync as an example for purple team exercise , the steps mentioned would be applicable for most TTPs.