# 21. Detection and Defense
- Look for the flow of credentials and privileges in your environment
- Log events and, most importantly, monitor the logs
- Purple Teaming
- Work culture and Architectural Changes
## Detection and Defense - Domain Admins
- Do not allow, or at least limit, logins of DAs to any machine other than the Domain Controllers. If logins to some servers are necessary, do not allow other administrators to log in to those machines.
- (Try to) Never run a service with a DA account. Many of the credential theft protections discussed below are rendered useless in the case of a service account.
- Check out Temporary Group Membership! (Requires the Privileged Access Management Feature to be enabled, which cannot be turned off later)
The following adds a user called newDA to the 'Domain Admins' group for 20 minutes:
```
Add-ADGroupMember -Identity 'Domain Admins' -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)
```
The above can grant the permissions of a group temporarily; the cmdlet requires privileges.
## Golden Ticket
- Some important Event IDs
  - 4624: Account Logon
  - 4672: Admin Logon
```
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *
```
## Silver Ticket
- Event IDs
  - 4624: Account Logon
  - 4634: Account Logoff
  - 4672: Admin Logon
```
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 | Format-List -Property *
```
## Skeleton Key
- Events
  - System Event ID 7045 - A service was installed in the system (Type: Kernel Mode Driver)
- Events ("Audit Privilege Use" must be enabled)
  - Security Event ID 4673 - Sensitive Privilege Use
  - Security Event ID 4611 - A trusted logon process has been registered with the Local Security Authority
```
Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*"}
```
- Not recommended (detects only the stock mimidrv):
```
Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*" -and $_.message -like "*mimidrv*"}
```
- Mitigation
Running lsass.exe as a protected process is really handy as it forces an attacker to load a kernel mode driver.
Make sure that you test it thoroughly as many drivers and plugins may not load with the protection.
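As an added example (not from these notes), a defender-side PowerShell script that ties the three Skeleton Key indicators above together by time and then checks the mitigation; the parameter names, the 5-minute window and the 7-day lookback are my assumptions, and RunAsPPL is the registry value that turns on LSA protection.

```powershell
# Added example (not from the original notes): on a domain controller,
# correlate kernel-mode driver installs (System 7045) with LSA logon-process
# registrations (Security 4611) and sensitive privilege use (Security 4673)
# in a short window, then report whether LSASS runs as a protected process.
# Assumes local Event Log read rights and "Audit Privilege Use" enabled; the
# 7-day lookback and 5-minute window are arbitrary choices.
param(
    [int]$LookbackDays = 7,
    [int]$WindowMinutes = 5
)
$since = (Get-Date).AddDays(-$LookbackDays)

# 1. Kernel-mode driver service installs. With LSASS protected, a Skeleton
#    Key needs one of these, so every entry deserves a look.
$driverInstalls = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ID = 7045; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Kernel Mode Driver*' }

# 2. Security events that tend to accompany LSASS tampering. 4673 is noisy
#    on a DC by itself; it is the time correlation that matters.
$lsaEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; ID = 4611, 4673; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($install in $driverInstalls) {
    $from = $install.TimeCreated.AddMinutes(-$WindowMinutes)
    $to   = $install.TimeCreated.AddMinutes($WindowMinutes)
    $related = @($lsaEvents | Where-Object {
        $_.TimeCreated -ge $from -and $_.TimeCreated -le $to
    })
    # Service name and binary path are parsed from the 7045 message body.
    $name = if ($install.Message -match 'Service Name:\s*(.+)') { $Matches[1].Trim() } else { '?' }
    $path = if ($install.Message -match 'Service File Name:\s*(.+)') { $Matches[1].Trim() } else { '?' }
    [pscustomobject]@{
        Time        = $install.TimeCreated
        Service     = $name
        ImagePath   = $path
        Nearby4611  = @($related | Where-Object Id -eq 4611).Count
        Nearby4673  = @($related | Where-Object Id -eq 4673).Count
        Suspicious  = $related.Count -gt 0
    }
}

# 3. Mitigation check: a non-zero RunAsPPL means lsass.exe runs as a protected process.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RunAsPPL -ErrorAction SilentlyContinue
if ($lsa -and $lsa.RunAsPPL -ge 1) { Write-Host 'LSA protection (RunAsPPL) is enabled' }
else { Write-Host 'LSA protection (RunAsPPL) is not enabled; test it, then enable it' }
```

Run it on each DC (or wrap it in Invoke-Command) and treat any row with Suspicious = True as a triage lead, not as proof on its own.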

## DSRM

## Malicious SSP

## Kerberoast
