xct's notes
Active Directory

Best Practices

    limit login of DAs to DCs only
    never run a service with DA privileges
    check out temporary group memberships (Can have TTL)
    disable account delegation for sensitive accounts (in ad usersettings)

Windows events

Golden Ticket

    4624: Account Logon
    4634: Account Logoff
    4672: Admin Logon (should be monitored on the dc)
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4672} -MaxEvents 1 |Format-List -Property *

Skeleton Key

    7045: A Service was installed in the system.
    4673: Sensitive Privilege user (requires audit privileges)
    4611: Trusted logon process has been registered with the Local Security Authority (requires audit privileges)
Get-WinEvent -FilterHashtable @{Logname='System';ID=7045} | ?{$_.message -like "*Kernel Mode Driver*"}


    4657: Audit creating/Change of HKLM:\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehaviour

Malcious SSP

    4657: Audit/creation of HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages


There are no mitigations for kerberoasting so make sure the service accounts that have an spn associated have strong passwords and are changed regularly.
    4769: A Kerberos ticket as requested, Filter: Name != krbtgt, does not end with $, not [email protected], Failure code is 0x0 (success), ticket encryption is 0x17 (rc4-hmac)

ACL Scan

    4662: Operation was performed on an object
    5136: directory service object was modified
    4670: permissions on an object were changed

Forest Trust Attacks

    Enable SID Filtering
    Enable Selective Authentication (access between forests not automated)

Advanced Threat Analytics

    Traffic for DCs is mirrored to ATA Sensors (or installed on dc as service), activity profile is build
    Collects 4776 (credential validation of a user) to detect replay attacks, detects behavioral anomalies
    Detects: account enumeration, netsession enumeration, Brute Force, exposed cleartext credentials, honey tokens, unusual protocols, credential attacks (pth,ptt,ticket replay)
    Will NOT detect non existent users for golden ticket
    Detects DCSync, but not DCShadow


    Centralized password storage with periodic randomization, stored in computer objects in fields mc-mcsAdmPwd (cleartext), ms-mcs-AdmPwdExperiationTime

Device Guard

    Hardens against malware
    Run trusted code only, enforced in Kernel and Userspace (CCI, UMCI, KMCI)
    UEFI SEcure Boot protects bios and firmware

Procted Users Group

    Cannot use CredSSP & Wdigest (no more cleartext creds)
    NTLM Hash not cached
    Kerberos does not use DES or RC4
    Requires at least server 2008, need to test impact, no offline sign-on (no caching), useless for computers and service accounts

Privileged Administrative Workstations

    Use hardened workstation for performing sensitive tasks

Layered architecture

    Tier0: Domain Admins/Enterprise Admins
    Tier1: Significant Resource Access
    Tier2: Administrator for Workstations / Support etc.

Red Forest

    ESAE Enhanced Security Admin Environment
    Dedicated administrative forest for managing critical assets (forests are security boundaries)
Last modified 1yr ago