Active Directory and When-Changed (2)
Note: I translated the Japanese into English using Google Translate.
Thank you, Google.
Summary:
- I got some comments on Twitter about the previous post, so I did a simple test using DCShadow.
- Updates of sIDHistory etc. are explained in detail on the DCShadow website; I have not tried anything new in this blog.
- I tried creating a timeline using ADTimeline.
----------
[Note] Please be aware that the verification method may not be sufficient.
Checking the properties of "Alice": "sIDHistory" is not set.
Using DCShadow, set "sIDHistory" on Alice.
A value has now been set for Alice's sIDHistory and "whenChanged" has been updated. Alice's attribute has changed, but event ID 4738 ("A user account was changed") is not recorded, because the change reaches the DC through the replication path rather than through a local directory write that the DC would audit.
Using PowerShell, delete Alice's sIDHistory:
Set-ADUser -Identity alice -Remove @{SIDHistory='S-1-5-21-1490397982-2793378994-64436834-500'}
This operation, which does not use DCShadow, is recorded as event ID 4738.
Use DCShadow to set the whenChanged time stamp.
You can confirm that whenChanged now carries the specified time stamp.
If an attacker had not changed the whenChanged time stamp, could I track updates that are not recorded in the event log?
I tried ANSSI-FR/ADTimeline. I just ran the script, and I am not yet used to this timeline format.
I was able to find the time stamp of the sIDHistory deletion on the timeline (this operation is recorded in the event log).
However, I could not find the sIDHistory update made by DCShadow.
The sample ADTimeline output that I created can be downloaded from here.
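ADTimeline builds its timeline from replication metadata (replPropertyMetaData), which records, per attribute, the originating DC (by invocation ID), the originating USN and the originating change time, independently of the Security event log. The script below is an added example, not code from the original post or from the ADTimeline project: it reads that metadata for a user's sIDHistory directly with the RSAT ActiveDirectory cmdlets and flags entries whose originating invocation ID does not belong to any real domain controller, which is what a DCShadow push looks like unless the attacker also forges the metadata. It also pulls any 4738 events that carry a SID History value, so the two sources can be compared side by side. The account name "alice" is the test account from the post; the domain controller defaults to the logon server and the function names are my own.

```powershell
# Added example (not from the original post or from ADTimeline).
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-SidHistoryReplicationEvidence {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        # DC to query; defaults to the logon server (LOGONSERVER is "\\NAME")
        [string] $Server = ($env:LOGONSERVER -replace '^\\\\', '')
    )

    $user = Get-ADUser -Identity $Identity -Server $Server -Properties sIDHistory, whenChanged, uSNChanged

    # Invocation IDs of the DCs that really exist. A DCShadow push originates from a
    # rogue "DC" whose invocation ID is not in this set (unless it is spoofed too).
    $knownInvocationIds = Get-ADDomainController -Filter * -Server $Server |
        ForEach-Object { $_.InvocationId.ToString() }

    # Per-attribute replication metadata for sIDHistory only
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
        -Server $Server -Properties sIDHistory

    foreach ($m in $meta) {
        $originKnown = $knownInvocationIds -contains $m.LastOriginatingChangeDirectoryServerInvocationId.ToString()
        [pscustomobject]@{
            User                  = $user.SamAccountName
            Attribute             = $m.AttributeName
            CurrentValue          = ($user.sIDHistory | ForEach-Object { $_.Value }) -join ';'
            Version               = $m.Version
            LastOriginatingChange = $m.LastOriginatingChangeTime
            OriginatingDsa        = $m.LastOriginatingChangeDirectoryServerIdentity
            OriginatingInvocation = $m.LastOriginatingChangeDirectoryServerInvocationId
            OriginIsKnownDc       = $originKnown
            WhenChanged           = $user.whenChanged
            # whenChanged is not replicated and, as the post shows, DCShadow can stamp it
            # freely; a large gap between it and the metadata time is itself suspicious.
            GapMinutes            = [math]::Round(($user.whenChanged - $m.LastOriginatingChangeTime).TotalMinutes, 1)
        }
    }
}

function Get-SidHistoryAuditEvents {
    # 4738 events whose "SID History:" field is something other than "-".
    # Changes applied via replication (DCShadow) never produce one of these.
    param(
        [Parameter(Mandatory)] [string] $Server,
        [datetime] $Since = (Get-Date).AddDays(-7)
    )
    Get-WinEvent -ComputerName $Server -FilterHashtable @{ LogName = 'Security'; Id = 4738; StartTime = $Since } |
        Where-Object { $_.Message -match 'SID History:\s+[^\s-]' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: compare what replication metadata says with what the event log says.
Get-SidHistoryReplicationEvidence -Identity alice | Format-List
Get-SidHistoryAuditEvents -Server ($env:LOGONSERVER -replace '^\\\\', '') | Format-Table -AutoSize
```

Two caveats apply to reading the output. First, a sIDHistory entry with OriginIsKnownDc = False is strong evidence of a push from a non-DC, but DCShadow controls the metadata it replicates, so a True value does not prove the change came from a legitimate DC; cross-check the originating USN against the real DC's uSNChanged range as well. Second, the times in the metadata are those the originating DSA supplied, so they suffer from the same problem as whenChanged: only the event-log entries from the receiving DC carry a time stamp the attacker did not choose.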
I will continue testing.
Verification environment: Windows Server 2019 (1809), Windows 10 (1809), time zone UTC
Reference URL:
https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-ad_timeline.pdf