First, enable the following audit setting in Group Policy:
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → DS Access: Audit Directory Service Access (Success and Failure)
Note that Event ID 4662 is only written for objects whose SACL audits the access in question, so an audit entry must also exist on the object(s) being watched (in the events below, the user object named canary).
When BloodHound is run, events like the following land in the Security log of the domain controller.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 20/08/2019 09:00:29
Event ID: 4662
Task Category: Directory Service Access
Level: Information
Keywords: Audit Success
User: N/A
Computer: dc1.ceyhuncamli.com
Description:
An operation was performed on an object.
Subject :
Security ID: ceyhuncamli\Administrator
Account Name: Administrator
Account Domain: ceyhuncamli
Logon ID: 0x2FA81
Object:
Object Server: DS
Object Type: user
Object Name: CN=canary,CN=Users,DC=ceyhuncamli,DC=com
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Read Property
Access Mask: 0x10
Properties: Read Property
General Information
sAMAccountType
primaryGroupID
Account Restrictions
userAccountControl
Public Information
objectClass
User
Additional Information:
Parameter 1: –
Parameter 2:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 20/08/2019 09:00:29
Event ID: 4662
Task Category: Directory Service Access
Level: Information
Keywords: Audit Success
User: N/A
Computer: dc1.ceyhuncamli.com
Description:
An operation was performed on an object.
Subject :
Security ID: ceyhuncamli\Administrator
Account Name: Administrator
Account Domain: ceyhuncamli
Logon ID: 0x2FA81
Object:
Object Server: DS
Object Type: user
Object Name: CN=canary,CN=Users,DC=ceyhuncamli,DC=com
Handle ID: 0x0
Operation:
Operation Type: Object Access
Accesses: Read Property
Access Mask: 0x10
Properties: Read Property
User
Public Information
cn
distinguishedName
Group Membership
member
General Information
primaryGroupID
objectSid
sAMAccountName
sAMAccountType
dNSHostName
dNSHostName
Additional Information:
Parameter 1: –
Parameter 2:
A Splunk search that gives quite good results for BloodHound detection (it can be scheduled to run over 60-minute windows):
index=winevent_sec EventCode=4662 Accesses="Read Property"
| rex field=_raw "(?<PropertiesLIST>(?s)(?<=Properties:).+?(?=Additional))"
| eval PropertiesLIST=replace(PropertiesLIST, "[\n\r]",";")
| makemv delim=";" PropertiesLIST
| stats count values(PropertiesLIST) as PropertiesLIST by user
| eval propertyLen=mvcount(PropertiesLIST)
| where propertyLen=16
| search (PropertiesLIST="*User*" AND
PropertiesLIST="*Public Information*" AND
PropertiesLIST="*cn*" AND
PropertiesLIST="*distinguishedName*" AND
PropertiesLIST="*Group Membership*" AND
PropertiesLIST="*member*" AND
PropertiesLIST="*General Information*" AND
PropertiesLIST="*primaryGroupID*" AND
PropertiesLIST="*objectSid*" AND
PropertiesLIST="*sAMAccountName*" AND
PropertiesLIST="*sAMAccountType*" AND
PropertiesLIST="*dNSHostName*" AND
PropertiesLIST="*Account Restrictions*" AND
PropertiesLIST="*userAccountControl*" AND
PropertiesLIST="*objectClass*" AND
PropertiesLIST="*Read Property*")
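The search above, re-implemented as an added Python example (not code from this page or from the cited posts) and run over constructed 4662 message bodies: it pulls out the Properties block the same way the rex stage does, collects the distinct property lines per user like stats values(), and applies the exact-count and wildcard conditions. The message bodies are shortened and constructed, and the svc_backup and jdoe accounts, the Write Property event and the servicePrincipalName read are assumptions added to show the filter and the miss case.

```python
import re
from collections import defaultdict

# The sixteen terms the SPL `search (...)` stage requires.
BLOODHOUND_PROPERTIES = [
    "Read Property", "User", "Public Information", "cn", "distinguishedName",
    "Group Membership", "member", "General Information", "primaryGroupID",
    "objectSid", "sAMAccountName", "sAMAccountType", "dNSHostName",
    "Account Restrictions", "userAccountControl", "objectClass",
]

# Same pattern as the SPL rex stage: everything between "Properties:" and "Additional".
_PROPS_RE = re.compile(r"(?s)(?<=Properties:).+?(?=Additional)")


def _message(props):
    """Build a shortened, constructed 4662 message body around the given Properties lines."""
    return (
        "An operation was performed on an object.\n"
        "Object Server: DS\nObject Type: user\n"
        "Object Name: CN=canary,CN=Users,DC=ceyhuncamli,DC=com\n"
        "Accesses: Read Property\nAccess Mask: 0x10\n"
        "Properties: " + "\n".join(props) + "\n"
        "Additional Information:\nParameter 1: -\nParameter 2:\n"
    )


ADMIN = "ceyhuncamli\\Administrator"

# Constructed events: (user, EventCode, Accesses, message). The first two mirror the
# two events shown on the page; the rest are assumed accounts added for illustration.
SAMPLE_EVENTS = [
    (ADMIN, 4662, "Read Property", _message([
        "Read Property", "General Information", "sAMAccountType", "primaryGroupID",
        "Account Restrictions", "userAccountControl", "Public Information",
        "objectClass", "User"])),
    (ADMIN, 4662, "Read Property", _message([
        "Read Property", "User", "Public Information", "cn", "distinguishedName",
        "Group Membership", "member", "General Information", "primaryGroupID",
        "objectSid", "sAMAccountName", "sAMAccountType", "dNSHostName", "dNSHostName"])),
    # Same admin with a different Accesses value: dropped by the Accesses filter.
    (ADMIN, 4662, "Write Property", _message(["Write Property", "Public Information", "description"])),
    # Ordinary lookup by a service account: too few properties to match.
    ("ceyhuncamli\\svc_backup", 4662, "Read Property", _message(["Read Property", "Public Information", "cn"])),
    # A collector that also read servicePrincipalName: 17 distinct lines, so propertyLen=16 misses it.
    ("ceyhuncamli\\jdoe", 4662, "Read Property", _message(BLOODHOUND_PROPERTIES + ["servicePrincipalName"])),
]


def extract_properties(message):
    """rex + replace + makemv: the Properties block split on line breaks (entries stripped here)."""
    m = _PROPS_RE.search(message)
    if not m:
        return []
    return [p.strip() for p in re.split(r"[\r\n]+", m.group(0)) if p.strip()]


def aggregate_by_user(events):
    """stats count values(PropertiesLIST) by user: event count and distinct property lines per user."""
    counts = defaultdict(int)
    per_user = defaultdict(set)
    for user, event_code, accesses, message in events:
        if event_code != 4662 or accesses != "Read Property":
            continue
        counts[user] += 1
        per_user[user].update(extract_properties(message))
    return {u: (counts[u], per_user[u]) for u in per_user}


def matches_bloodhound(properties):
    """where propertyLen=16, then the sixteen *term* wildcards (case-insensitive substring, as in SPL)."""
    if len(properties) != 16:
        return False
    lowered = [p.lower() for p in properties]
    return all(any(term.lower() in p for p in lowered) for term in BLOODHOUND_PROPERTIES)


def find_bloodhound_users(events):
    """Users whose aggregated Read Property lines match the BloodHound signature."""
    return sorted(u for u, (_, props) in aggregate_by_user(events).items() if matches_bloodhound(props))


if __name__ == "__main__":
    for user, (count, props) in aggregate_by_user(SAMPLE_EVENTS).items():
        print(f"{user}: {count} events, {len(props)} distinct property lines")
    print("BloodHound suspects:", find_bloodhound_users(SAMPLE_EVENTS))
```

The jdoe case shows the limit of the exact-count condition: because values() deduplicates and propertyLen must be exactly 16, one extra attribute read by the same account inside the window produces no match, so the search is tuned to the attribute set the page's events show rather than to any BloodHound collection.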
References
http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
https://blog.menasec.net/2019/02/threat-hunting-7-detecting.html