@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that its content contains errors.

Active Directory and When-Changed (2)

Note: I translated the Japanese into English using Google Translate.
Thank you, Google.

Summary:

  • I got some comments on Twitter about the previous content, so I did a simple test using DCShadow.
  • Updates of SIDHistory etc. are explained in detail on the DCShadow website.
    I have not tried anything new in this blog.
  • I tried creating a timeline using ADTimeline.

 ----------

[Note] Please be aware that the verification method may not be sufficient.

Check the properties of "Alice": "SIDHistory" is not set.

Using DCShadow, set "SIDHistory" on Alice.

A value has been set for Alice's SIDHistory and "whenChanged" has been updated. Alice's attributes have changed, but event ID 4738 is not recorded.

Using PowerShell, delete Alice's SIDHistory.

Set-ADUser -Identity alice -Remove @{SIDHistory='S-1-5-21-1490397982-2793378994-64436834-500'}

This operation, which does not use DCShadow, can be confirmed through event ID 4738.

Use DCShadow to set the time stamp of whenChanged.

You can confirm that the time stamp specified for "whenChanged" has been set.

If an attacker did not change the whenChanged timestamp, can I track updates that are not recorded in the event log?
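One way to approach that question from the defender's side is to stop relying on whenChanged (which is not replicated and, as shown above, can itself be set by DCShadow) and instead compare the DC's per-attribute replication metadata for sIDHistory against Security event 4738 ("A user account was changed") for the same account. A normal Set-ADUser write produces both; the DCShadow push in this post updated the attribute without any 4738. The script below is an added example written for this post, not code from the post, from DCShadow or from ADTimeline. It assumes the RSAT ActiveDirectory module, remote access to the DC's Security log, a single-DC lab like the one used here, and the account name 'alice' from the post; the function names Get-EventField, Get-SidHistoryChanges, Get-AccountChangedEvents and Find-UnloggedChanges are my own, while Get-ADReplicationAttributeMetadata and Get-WinEvent are standard cmdlets.

```powershell
# Added example (not part of the original post): flag originating changes to a
# user's sIDHistory that have no matching Security event 4738 on the DC.
# Assumes the RSAT ActiveDirectory module and rights to read the DC Security log.
Import-Module ActiveDirectory

$User   = 'alice'                   # account name used in the post
$Window = New-TimeSpan -Minutes 5   # tolerance between attribute time and event time
$DC     = (Get-ADDomain).PDCEmulator  # single-DC lab: the DC that processed the change

function Get-EventField {
    # Read a named EventData field from the event XML so the check does not
    # depend on the positional order of $Event.Properties.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-SidHistoryChanges {
    # Replication metadata records, per attribute, the last originating write:
    # its time, the version counter and the DSA that claimed to originate it.
    param([string]$SamAccountName, [string]$Server)
    $dn = (Get-ADUser -Identity $SamAccountName -Server $Server).DistinguishedName
    Get-ADReplicationAttributeMetadata -Object $dn -Server $Server |
        Where-Object { $_.AttributeName -eq 'sIDHistory' } |
        Select-Object AttributeName, Version, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity
}

function Get-AccountChangedEvents {
    # 4738 = "A user account was changed"; keep only events for this account.
    param([string]$SamAccountName, [string]$Server)
    Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = 'Security'; Id = 4738 } `
                 -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField -Event $_ -Name 'TargetUserName') -eq $SamAccountName }
}

function Find-UnloggedChanges {
    # Pair each metadata stamp with a 4738 logged within the tolerance window.
    # A stamp with no event is the pattern this post observed for a DCShadow write.
    param([string]$SamAccountName, [string]$Server, [timespan]$Tolerance)
    $events = @(Get-AccountChangedEvents -SamAccountName $SamAccountName -Server $Server)
    foreach ($m in Get-SidHistoryChanges -SamAccountName $SamAccountName -Server $Server) {
        $match = $events | Where-Object {
            [math]::Abs(($_.TimeCreated - $m.LastOriginatingChangeTime).TotalSeconds) -le $Tolerance.TotalSeconds
        }
        [pscustomobject]@{
            Attribute      = $m.AttributeName
            Version        = $m.Version
            ChangedAt      = $m.LastOriginatingChangeTime
            OriginatingDSA = $m.LastOriginatingChangeDirectoryServerIdentity
            Event4738      = [bool]$match
            Note           = $(if ($match) { 'change has a matching 4738' }
                               else { 'attribute changed with no 4738 in window: review' })
        }
    }
}

Find-UnloggedChanges -SamAccountName $User -Server $DC -Tolerance $Window | Format-Table -AutoSize
```

Two caveats when reading the output. The metadata stamp (time, version, originating DSA) arrives inside the replication data, so a rogue replication source supplies its own values; treat the presence or absence of the 4738 event as the trustworthy side of the comparison, and treat the originating DSA column as a lead to check against the list of real DCs rather than as proof. Also, metadata keeps only the last originating change per attribute, so an earlier DCShadow write followed by a legitimate, logged write (like the Set-ADUser removal in this post) would no longer be visible here; that is where a periodic export, as ADTimeline does, adds value.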


I tried ANSSI-FR/ADTimeline. I just ran the script, and I am not used to this timeline format yet.

I was able to check the timestamp of the record that deleted sIDHistory on the timeline (this operation is recorded in the event log).
However, I could not find the update of sIDHistory made by DCShadow.

The sample ADTimeline output that I created can be downloaded from here.

I will continue testing.

Verification environment: Windows Server 2019 1809, Windows 10 1809, Time zone UTC

Reference URL:

docs.microsoft.com

www.dcshadow.com

github.com

https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-ad_timeline.pdf
