@port139 Blog

This blog mainly covers digital forensics techniques, but there is a high probability that the content contains errors.

AD ACL and ADTimeline

Note: I translated the Japanese into English using Google Translate.
Thank you, Google.

Change the ACL of an object in AD and see what ADTimeline records. AD ACL Scanner is used as the tool to check the ACL of AD objects.

Page 22 of the AD Timeline FIRST TC slides has an entry "AD replication metadata vs security event logs". Here I change ACLs and compare what the replication metadata keeps with what the security log keeps.

Grant the Alice account the rights DCSync needs. Below, I set the two replication-related permissions on the domain object (the "Replicating Directory Changes" and "Replicating Directory Changes All" extended rights).

f:id:hideakii:20190409184859p:plain
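The same change done from PowerShell, as an added example (this is not code from the original post, nor from ADTimeline or AD ACL Scanner): grant the two replication extended rights to one user on the domain naming context, list every trustee that holds them, and revoke them again. It assumes the ActiveDirectory module, a user named "Alice" and a session running as a domain administrator; the rightsGuid values are the ones defined under CN=Extended-Rights in the configuration partition.

```powershell
# Added example, not code from the original post or from ADTimeline / AD ACL Scanner.
# Assumptions: ActiveDirectory module loaded, user "Alice" exists, run as a domain admin.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$alice    = Get-ADUser -Identity 'Alice'
$aliceSid = [System.Security.Principal.SecurityIdentifier]$alice.SID

# rightsGuid values of the two control access rights (CN=Extended-Rights, configuration partition)
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'      # "Replicating Directory Changes"
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'  # "Replicating Directory Changes All"
}

# --- grant: the same change the post makes in the GUI ---
$acl = Get-Acl -Path "AD:\$domainDN"
foreach ($guidText in $replRights.Keys) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $aliceSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$guidText)
    $acl.AddAccessRule($ace)
}
Set-Acl -Path "AD:\$domainDN" -AclObject $acl    # one write of nTSecurityDescriptor; this is what the 5136 pair records

# --- hunt: who can DCSync this domain? ---
# An ExtendedRight ACE whose ObjectType is the all-zero GUID means "every extended
# right", which includes both rights above; GenericAll includes them as well.
# Expect only domain controllers and the built-in admin groups here.
$emptyGuid = [guid]::Empty
$all   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ext   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and (
            $_.ActiveDirectoryRights.HasFlag($all) -or
            ($_.ActiveDirectoryRights.HasFlag($ext) -and
             ($_.ObjectType -eq $emptyGuid -or $replRights.ContainsKey($_.ObjectType.ToString())))
        )
    } |
    Select-Object IdentityReference, IsInherited,
        @{ n = 'Right'; e = {
            if ($_.ObjectType -eq $emptyGuid) { 'all extended rights / GenericAll' }
            else { $replRights[$_.ObjectType.ToString()] } } } |
    Sort-Object IdentityReference | Format-Table -AutoSize

# --- revoke: the post's next step, done on the same security descriptor ---
$acl = Get-Acl -Path "AD:\$domainDN"
[void]$acl.PurgeAccessRules($aliceSid)      # drops every explicit ACE for Alice on this object
Set-Acl -Path "AD:\$domainDN" -AclObject $acl
```

The hunt part is the one worth keeping: run it on a schedule and alert on any trustee that is not a DC account or one of the built-in admin groups, because each ACE it reports is a DCSync path regardless of group membership.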

Two event ID 5136 entries were recorded in the security log, the usual pair for a modified attribute: one "Value Deleted" for the old security descriptor and one "Value Added" for the new one.

f:id:hideakii:20190409185153p:plain

Run AD ACL Scanner and check the report. The privileges of the Alice account are visible.

Two entries are displayed, one Critical and one Warning.

f:id:hideakii:20190409185324p:plain

Execute ADTimeline and check the "nTSecurityDescriptor" entry. Its time differs slightly from that of security log event 5136. Note that the replication metadata timestamp is in UTC with one-second resolution, so convert the event time to UTC before comparing.

f:id:hideakii:20190409185637p:plain

Remove the access rights of the Alice account and view the timeline in ADTimeline again.

f:id:hideakii:20190409190154p:plain

f:id:hideakii:20190409190341p:plain

On the timeline, the timestamp of the change in which I added Alice has disappeared, and only the timestamp of the change in which Alice was removed is displayed. This follows from the data source: replication metadata keeps one record per attribute describing only the last originating write (with a version counter that increases on each write), so once the DACL is written again, the earlier write survives only in the security log.
Interesting :-)
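The comparison the post makes by eye, as an added example (not code from the original post or from ADTimeline): read the replication metadata that ADTimeline is built from for nTSecurityDescriptor on one object, and set it beside the 5136 events for the same object from the DC's Security log. It assumes the ActiveDirectory module, a DC named "DC1", the domain DN "DC=example,DC=local" from the post, and "Audit Directory Service Changes" enabled for success so that 5136 is logged at all.

```powershell
# Added example, not code from the original post or from ADTimeline.
# Assumptions: ActiveDirectory module loaded, DC "DC1", domain DN "DC=example,DC=local",
# Directory Service Changes auditing enabled.
Import-Module ActiveDirectory

$dc = 'DC1'
$dn = 'DC=example,DC=local'     # object whose DACL was changed (the domain root here)

# 1. Replication metadata. There is exactly one row per attribute and it describes
#    the LAST originating write only; Version is bumped on every originating write.
#    After two DACL writes, Version has gone up by two, but only the second write's
#    time, USN and originating DC remain.
$meta = Get-ADReplicationAttributeMetadata -Object $dn -Server $dc -Properties nTSecurityDescriptor |
    Where-Object AttributeName -eq 'nTSecurityDescriptor'
$meta | Format-List AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeUsn,
    LastOriginatingChangeDirectoryServerIdentity

# 2. Security log. 5136 is written per value operation, so one DACL write normally
#    appears as a "Value Deleted" (old descriptor) and a "Value Added" (new descriptor)
#    sharing the same OpCorrelationID.
$opNames = @{ '%%14674' = 'Value Added'; '%%14675' = 'Value Deleted' }
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 5136 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $op = if ($opNames.ContainsKey($data.OperationType)) { $opNames[$data.OperationType] } else { $data.OperationType }
        [pscustomobject]@{
            TimeUtc     = $_.TimeCreated.ToUniversalTime()
            Subject     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            ObjectDN    = $data.ObjectDN
            Attribute   = $data.AttributeLDAPDisplayName
            Operation   = $op
            Correlation = $data.OpCorrelationID
        }
    } |
    Where-Object { $_.ObjectDN -eq $dn -and $_.Attribute -eq 'nTSecurityDescriptor' } |
    Sort-Object TimeUtc
$events | Format-Table TimeUtc, Subject, Operation, Correlation -AutoSize

# 3. Compare in UTC: the metadata time is UTC with one-second resolution, while
#    Event Viewer displays local time.
$writesInLog = @($events | Where-Object Operation -eq 'Value Added').Count
"metadata: version {0}, last originating write {1:u}" -f $meta.Version, $meta.LastOriginatingChangeTime.ToUniversalTime()
"security log: {0} DACL write(s) to this object still retained" -f $writesInLog
if ($writesInLog -gt 1) {
    "only the newest of these {0} writes is visible in replication metadata; the others survive in the log alone" -f $writesInLog
}
```

The practical consequence: ADTimeline answers "when was this attribute last written, by which DC, and how many times in total", while only the security log (or a forwarded copy of it) answers "what were the earlier values and who wrote them". Use the metadata to find objects worth looking at, then the log to reconstruct the sequence.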

Next, let's change the ACL of a GPO. Add the Alice account on the Delegation tab.

Default Domain Policy: {31B2F340-016D-11D2-945F-00C04FB984F9}

f:id:hideakii:20190409202311p:plain

Event ID 4662 is recorded in the security log, and two more ID 5136 records are written.

f:id:hideakii:20190409202610p:plain

f:id:hideakii:20190409202905p:plain

Check the ACL of the Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}. The privileges of the Alice account are visible.

f:id:hideakii:20190409203209p:plain

Check the timeline. The timestamp is the same as that of event ID 4662.
f:id:hideakii:20190409203427p:plain

Remove the access rights of the Alice account that were added earlier from the GPO.

f:id:hideakii:20190409204033p:plain

In the security log, IDs 4662 and 5136 are recorded.

f:id:hideakii:20190409204213p:plain

Create a timeline again and compare it with the timestamps in the security log.

f:id:hideakii:20190409204553p:plain
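The GPO delegation steps above done from PowerShell, as an added example (not code from the original post): delegate edit rights on the Default Domain Policy to a user, look at where that change actually lands, then take it back. It assumes the GroupPolicy and ActiveDirectory modules, a user named "Alice", and the Default Domain Policy GUID given above.

```powershell
# Added example, not code from the original post.
# Assumptions: GroupPolicy and ActiveDirectory modules loaded, user "Alice" exists,
# run as a domain admin.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoGuid = [guid]'31B2F340-016D-11D2-945F-00C04FB984F9'   # Default Domain Policy
$domain  = Get-ADDomain
$braced  = $gpoGuid.ToString('B').ToUpper()                # {31B2F340-...}
$gpcDN   = "CN=$braced,CN=Policies,CN=System,$($domain.DistinguishedName)"
$sysvol  = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\$braced"

# --- the change the post makes on the GPO's Delegation tab ---
Set-GPPermission -Guid $gpoGuid -TargetName 'Alice' -TargetType User -PermissionLevel GpoEdit | Out-Null

# --- the three places a reviewer can check it ---
# (a) GPMC's own view
Get-GPPermission -Guid $gpoGuid -All | Format-Table Trustee, TrusteeType, Permission, Inherited -AutoSize

# (b) the groupPolicyContainer object in AD: this is the nTSecurityDescriptor write
#     that 4662/5136 record and that ADTimeline sees in replication metadata
(Get-Acl -Path "AD:\$gpcDN").Access |
    Where-Object { $_.IdentityReference -like '*\Alice' } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited -AutoSize

# (c) the SYSVOL folder: GPMC mirrors the DACL onto NTFS. This write is not in AD
#     replication metadata at all, so ADTimeline cannot show it; check it separately.
(Get-Acl -Path $sysvol).Access |
    Where-Object { $_.IdentityReference -like '*\Alice' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# --- revoke, as the post does next (another nTSecurityDescriptor write on the GPC) ---
Set-GPPermission -Guid $gpoGuid -TargetName 'Alice' -TargetType User -PermissionLevel None | Out-Null
```

Checking (b) and (c) against each other is worthwhile on its own: a trustee that appears on the SYSVOL folder but not on the groupPolicyContainer object (or the reverse) was not added through GPMC, and only the AD half of that leaves a trace in replication metadata.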

 

Next, give the Bob account full control over AdminSDHolder. (This change was left over from a previous test with DCShadow.)

This setting gives the Bob account access to the Domain Admins group and the other protected objects: SDProp copies the AdminSDHolder ACL onto every object with adminCount=1, by default every 60 minutes.

f:id:hideakii:20190408190032p:plain

Let's check the ACL. The report shows that the Bob account has full control.

f:id:hideakii:20190408190726p:plain

Execute ADTimeline and search for AdminSDHolder; the following entry is found.

ftimeLastOriginatingChange : 2019-04-08T11:28:47Z
Name : AdminSDHolder
pszAttributeName : nTSecurityDescriptor
ObjectClass : container
DN : CN=AdminSDHolder,CN=System,DC=example,DC=local
ObjectCategory : CN=Container,CN=Schema,CN=Configuration,DC=example,DC=local
SamAccountName :
dwVersion : 4
WhenCreated : 2019-01-20 19:19:55Z
Member :
ftimeCreated :
ftimeDeleted :
SID :
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
uuidLastOriginatingDsaInvocationID : c9e22352-ca47-436a-aeb2-38228298896d
usnOriginatingChange : 114772
usnLocalChange : 114772
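An added example for the AdminSDHolder case (not code from the original post): find trustees on AdminSDHolder that are not there by default, check whether SDProp has already copied them onto the protected objects, and force a propagation run. It assumes the ActiveDirectory module and a domain whose admin groups keep their default names; the allow-list of expected trustees is a constructed baseline, so trim or extend it for your own forest.

```powershell
# Added example, not code from the original post.
# Assumptions: ActiveDirectory module loaded, default admin group names, run as a
# domain admin. The $expected list is a constructed baseline, adjust it.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$holderDN = "CN=AdminSDHolder,CN=System,$domainDN"

$expected = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'NT AUTHORITY\Authenticated Users', 'Everyone',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    'BUILTIN\Pre-Windows 2000 Compatible Access', 'BUILTIN\Terminal Server License Servers',
    'BUILTIN\Windows Authorization Access Group'
)
$expectedDomainGroups = '\\(Domain Admins|Enterprise Admins|Cert Publishers)$'

# 1. Anything on AdminSDHolder outside the baseline is a persistence candidate,
#    full control most of all.
$suspect = (Get-Acl -Path "AD:\$holderDN").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -notin $expected -and
    $_.IdentityReference.Value -notmatch $expectedDomainGroups
}
"Non-default trustees on AdminSDHolder:"
$suspect | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize

# 2. Has SDProp already pushed each suspect ACE onto the protected objects?
#    (adminCount=1 marks objects SDProp has touched; default interval 60 minutes.)
$protected = @(Get-ADObject -Filter 'adminCount -eq 1')
foreach ($ace in $suspect) {
    $hits = @(foreach ($obj in $protected) {
        $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)" -ErrorAction SilentlyContinue
        if ($acl -and ($acl.Access | Where-Object {
                $_.IdentityReference -eq $ace.IdentityReference -and
                $_.ActiveDirectoryRights -eq $ace.ActiveDirectoryRights })) {
            $obj.DistinguishedName
        }
    })
    '{0} ({1}) is present on {2} of {3} adminCount=1 objects' -f $ace.IdentityReference,
        $ace.ActiveDirectoryRights, $hits.Count, $protected.Count
}

# 3. Force SDProp to run now instead of waiting for the next cycle. Do this after
#    AdminSDHolder has been cleaned, not before: it copies whatever is there.
$rootDSE = [ADSI]'LDAP://RootDSE'
$rootDSE.Put('RunProtectAdminGroupsTask', '1')
$rootDSE.SetInfo()
```

Step 2 is what turns the ADTimeline entry above into a scope statement: the nTSecurityDescriptor write on AdminSDHolder at 11:28:47Z is one event, but every protected object that SDProp has since stamped with the same ACE is a separate thing to clean up, and each of those stamps is itself a write that shows up in that object's replication metadata.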

 

Next, change the security of the Bob account: change the owner to Bob and add a Deny ACE for Everyone.

f:id:hideakii:20190408191141p:plain

If you try to view the Bob account's security information, access is denied.

f:id:hideakii:20190408191331p:plain

Scan the ACL again and view the report. I can see the permissions granted to the Bob account on other objects, but the report does not include any information about the Bob account itself. An object whose security descriptor the scanning account cannot read is simply absent from the report, so a gap like this is itself a finding worth chasing.

f:id:hideakii:20190408194251p:plain

f:id:hideakii:20190408194334p:plain
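An added example for this last case (not code from the original post or from AD ACL Scanner): sweep all user objects for the two things done to Bob here, an owner that is not an admin group and an explicit Deny ACE for a broad principal, and report objects whose security descriptor cannot be read instead of skipping them. It assumes the ActiveDirectory module and a session running as a domain administrator; the owner allow-list is a constructed baseline.

```powershell
# Added example, not code from the original post or from AD ACL Scanner.
# Assumptions: ActiveDirectory module loaded, run as a domain admin; $okOwners is a
# constructed baseline, adjust it for your domain.
Import-Module ActiveDirectory

$okOwners  = '\\(Domain Admins|Enterprise Admins|Administrators)$'
$broadSids = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-7' = 'Anonymous' }
$ntAccount = [System.Security.Principal.NTAccount]
$sidType   = [System.Security.Principal.SecurityIdentifier]
$findings  = New-Object System.Collections.Generic.List[object]

function Add-Finding($dn, $issue, $detail) {
    $findings.Add([pscustomobject]@{ DN = $dn; Issue = $issue; Detail = $detail })
}

# The LDAP search is subject to the same DACL as everything else: an object the
# scanning account is denied from listing is not returned at all. Keep the total
# and compare it with a source the DACL cannot hide (e.g. 4720 user-created events).
$users = @(Get-ADUser -Filter * -Properties nTSecurityDescriptor)
'Enumerated {0} user objects' -f $users.Count

foreach ($u in $users) {
    $sd = $u.nTSecurityDescriptor
    if (-not $sd) { Add-Finding $u.DistinguishedName 'nTSecurityDescriptor not readable' ''; continue }

    # owner as DOMAIN\name, falling back to the raw SID if it cannot be translated
    $owner = try { $sd.GetOwner($ntAccount).Value } catch { $sd.GetOwner($sidType).Value }
    if ($owner -notmatch $okOwners) { Add-Finding $u.DistinguishedName 'Non-admin owner' $owner }

    # read ACEs with SIDs so that no name translation is needed
    foreach ($ace in $sd.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        $sid = $ace.IdentityReference.Value
        if ($broadSids.ContainsKey($sid)) {
            Add-Finding $u.DistinguishedName 'Deny ACE for broad principal' ('{0}: {1}' -f $broadSids[$sid], $ace.ActiveDirectoryRights)
        }
    }
}
$findings | Format-Table -AutoSize
```

Two points for whoever has to undo a descriptor like Bob's: a Deny-Everyone ACE never locks out the owner, because the owner implicitly keeps READ_CONTROL and WRITE_DAC, which is exactly why the post sets the owner to Bob first; and an administrator can recover by taking ownership (Security tab, Advanced, Owner) and then rewriting the DACL, which produces a further pair of nTSecurityDescriptor writes to account for in the log.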

 

Reference URL:

github.com

blog.stealthbits.com

An ACE Up the Sleeve:Designing Active Directory DACL Backdoors
https://specterops.io/assets/resources/an_ace_up_the_sleeve.pdf

 

f:id:hideakii:20190408185039j:plain