@port139 Blog

This blog mainly deals with digital forensics techniques, but there is a high probability that the content contains errors.

Active Directory and ADTimeline(1)

Note: I translated Japanese into English using Google Translate.
Thank you, Google.

Summary:

  • I added PC1 to the Example domain, but I could not find it in the ADTimeline timeline.
  • I created an Alice account and added it to the Domain Admins group. The creation of the Alice account and the update of adminCount were confirmed in the timeline.
  • I removed the Alice account from Domain Admins. In the timeline, records related to Domain Admins were recorded.
  • I created a Bob account in the Example domain, and then deleted the Bob account.

 ----------

[Note] Please be aware that the verification method may not be sufficient.

Continuing from last week, I would like to check what can be investigated by using ADTimeline.

In the test environment there are two computers, DC1 (Windows Server 2019) and PC1 (Windows 10 1809). Please note that there is only one DC; I have not tested the case where there are multiple DCs. ADTimeline is running on DC1.

 

Add PC1 to domain Example. 


In the output of ADTimeline, the corresponding record could not be found. Whether changes to computer accounts will be recorded will be tested separately in the future.

 

Next, create an Alice account on the Example domain.


The record when Alice was created could be confirmed on ADTimeline.

ftimeLastOriginatingChange : 2019-02-10T10:26:12Z
Name : Alice
pszAttributeName : primaryGroupID
ObjectClass : user
DN : CN=Alice,CN=Users,DC=example,DC=local
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
SamAccountName : alice
dwVersion : 1
WhenCreated : 2019-02-10 10:26:12Z
Member :
ftimeCreated :
ftimeDeleted :
SID : S-1-5-21-1490397982-2793378994-64436834-1104
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
uuidLastOriginatingDsaInvocationID : c9e22352-ca47-436a-aeb2-38228298896d
usnOriginatingChange : 24624
usnLocalChange : 24624


Add the Alice account to the "Domain Admins" group.


In the output of ADTimeline, I could not find a record that added Alice to the "Domain Admins" group.

When you add the Alice account to the Domain Admins group, Alice's "adminCount" is updated. You can check that record with the output of ADTimeline.

ftimeLastOriginatingChange : 2019-02-10T10:34:41Z
Name : Alice
pszAttributeName : adminCount
ObjectClass : user
DN : CN=Alice,CN=Users,DC=example,DC=local
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
SamAccountName : alice
dwVersion : 1
WhenCreated : 2019-02-10 10:26:12Z
Member :
ftimeCreated :
ftimeDeleted :
SID : S-1-5-21-1490397982-2793378994-64436834-1104
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
uuidLastOriginatingDsaInvocationID : c9e22352-ca47-436a-aeb2-38228298896d
usnOriginatingChange : 24647
usnLocalChange : 24647

<2019/02/11 add>

Traces of adding Alice to the Domain Admins group. I missed that timestamp, thank you for the comment!

ftimeLastOriginatingChange : 2019-02-10T10:38:49Z
Name : Domain Admins
pszAttributeName : member
ObjectClass : group
DN : CN=Domain Admins,CN=Users,DC=example,DC=local
ObjectCategory : CN=Group,CN=Schema,CN=Configuration,DC=example,DC=local
SamAccountName : Domain Admins
dwVersion : 2
WhenCreated : 2019-01-20 19:20:35Z
Member : CN=Alice,CN=Users,DC=example,DC=local
ftimeCreated : 2019-02-10T10:28:38Z
ftimeDeleted : 2019-02-10T10:38:49Z
SID : S-1-5-21-1490397982-2793378994-64436834-512
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
uuidLastOriginatingDsaInvocationID : c9e22352-ca47-436a-aeb2-38228298896d
usnOriginatingChange : 24648
usnLocalChange : 24648

Metadata #2 – The ephemeral admin, or how to track the group membership – Once upon a case…

ftimeCreated: the time when the member was added for the first time.

<2019/02/11 /add>

 

Log on to PC1 with "example\Alice" account.


In the output of ADTimeline, related records could not be found.

 

Remove the Alice account from the "Domain Admins" group.


In the output of ADTimeline you can see the records related to Domain Admins.

ftimeLastOriginatingChange : 2019-02-10T10:38:49Z
Name : Domain Admins
pszAttributeName : member
ObjectClass : group
DN : CN=Domain Admins,CN=Users,DC=example,DC=local
ObjectCategory : CN=Group,CN=Schema,CN=Configuration,DC=example,DC=local
SamAccountName : Domain Admins
dwVersion : 2
WhenCreated : 2019-01-20 19:20:35Z
Member : CN=Alice,CN=Users,DC=example,DC=local
ftimeCreated : 2019-02-10T10:28:38Z
ftimeDeleted : 2019-02-10T10:38:49Z
SID : S-1-5-21-1490397982-2793378994-64436834-512
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
uuidLastOriginatingDsaInvocationID : c9e22352-ca47-436a-aeb2-38228298896d
usnOriginatingChange : 24648
usnLocalChange : 24648

 

Log on to PC1 again with the "example\Alice" account. For this logon, Alice is not a member of the Domain Admins group.


I could not find related records in ADTimeline. 

 

Several items I tested were confirmed with ADTimeline. However, I have not tried other tests, such as deleting users.

I created a Bob account in the Example domain. Then I deleted the Bob account.


ftimeLastOriginatingChange : 2019-02-10T02:42:20Z
Name : bob
DEL:36e610eb-61ef-4fb8-9f15-4612be60d2ae
pszAttributeName : accountExpires
ObjectClass : user
DN : CN=bob\0ADEL:36e610eb-61ef-4fb8-9f15-4612be60d2ae,CN=Deleted Objects,DC=example,DC=local
ObjectCategory :
SamAccountName : bob
dwVersion : 2
WhenCreated : 2019-02-10 02:39:14Z
Member :
ftimeCreated :
ftimeDeleted :
SID : S-1-5-21-1490397982-2793378994-64436834-1105
pszLastOriginatingDsaDN : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
uuidLastOriginatingDsaInvocationID : c9e22352-ca47-436a-aeb2-38228298896d
usnOriginatingChange : 28709
usnLocalChange : 28709

While testing the Bob account I noticed that the time in the test environment was incorrect. The Bob account will be tested again. 
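The records above are easier to reason about once they are turned into a sorted timeline. The following Python is an added example written for this page; it is not part of the post and not part of ADTimeline. It parses ADTimeline-style "key : value" records (the sample below is transcribed from the Alice, Domain Admins and Bob records in this post, with unused fields omitted), treats the ftimeCreated/ftimeDeleted pair of a "member" record as the window during which the member was in the group, and flags deleted objects by the "DEL:<guid>" suffix and the CN=Deleted Objects container, as seen in Bob's record. The record layout it assumes is only what is shown on this page.

```python
import re
from datetime import datetime, timezone

# Constructed sample: three records transcribed from the post above
# (Alice's creation record, the Domain Admins 'member' link for Alice,
# and Bob's tombstone). Fields not needed by this example are omitted.
# The Name of a deleted object really contains a line break before "DEL:".
SAMPLE = """\
ftimeLastOriginatingChange : 2019-02-10T10:26:12Z
Name : Alice
pszAttributeName : primaryGroupID
ObjectClass : user
DN : CN=Alice,CN=Users,DC=example,DC=local
dwVersion : 1
WhenCreated : 2019-02-10 10:26:12Z
Member :
ftimeCreated :
ftimeDeleted :
usnOriginatingChange : 24624

ftimeLastOriginatingChange : 2019-02-10T10:38:49Z
Name : Domain Admins
pszAttributeName : member
ObjectClass : group
DN : CN=Domain Admins,CN=Users,DC=example,DC=local
dwVersion : 2
WhenCreated : 2019-01-20 19:20:35Z
Member : CN=Alice,CN=Users,DC=example,DC=local
ftimeCreated : 2019-02-10T10:28:38Z
ftimeDeleted : 2019-02-10T10:38:49Z
usnOriginatingChange : 24648

ftimeLastOriginatingChange : 2019-02-10T02:42:20Z
Name : bob
DEL:36e610eb-61ef-4fb8-9f15-4612be60d2ae
pszAttributeName : accountExpires
ObjectClass : user
DN : CN=bob\\0ADEL:36e610eb-61ef-4fb8-9f15-4612be60d2ae,CN=Deleted Objects,DC=example,DC=local
dwVersion : 2
WhenCreated : 2019-02-10 02:39:14Z
Member :
ftimeCreated :
ftimeDeleted :
usnOriginatingChange : 28709
"""

# A record line is "<key> : <value>"; "DEL:<guid>" has no space before the
# colon, so it is treated as a continuation of the previous value (Name).
KV = re.compile(r"^(\S+) :\s?(.*)$")
# The output mixes "2019-02-10T10:26:12Z" (ftime* fields) and
# "2019-02-10 10:26:12Z" (WhenCreated); both are UTC.
TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d %H:%M:%SZ")


def parse_time(value):
    """Return an aware UTC datetime, or None for an empty field."""
    value = value.strip()
    if not value:
        return None
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def parse_records(text):
    """Split blank-line-separated record blocks into dicts."""
    records, current, last_key = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        match = KV.match(line)
        if match:
            last_key = match.group(1)
            current[last_key] = match.group(2).strip()
        elif last_key is not None:
            current[last_key] += "\n" + line.strip()  # multi-line value
    if current:
        records.append(current)
    return records


def is_tombstone(rec):
    """Deleted objects carry a DEL:<guid> suffix and sit under CN=Deleted Objects."""
    return "\nDEL:" in rec.get("Name", "") or ",CN=Deleted Objects," in rec.get("DN", "")


def membership_window(rec):
    """(member DN, added, removed) for a 'member' link record; removed is None
    while the link still exists (empty ftimeDeleted)."""
    if rec.get("pszAttributeName") != "member":
        return None
    return (rec["Member"],
            parse_time(rec.get("ftimeCreated", "")),
            parse_time(rec.get("ftimeDeleted", "")))


def build_timeline(records):
    """One event per attribute change, plus add/remove events for link values."""
    events = []
    for rec in records:
        name = rec["Name"].split("\n", 1)[0]
        flag = " [deleted object]" if is_tombstone(rec) else ""
        events.append((parse_time(rec["ftimeLastOriginatingChange"]),
                       f"{name}{flag}: {rec['pszAttributeName']} "
                       f"v{rec['dwVersion']} USN {rec['usnOriginatingChange']}"))
        window = membership_window(rec)
        if window:
            member, added, removed = window
            events.append((added, f"{member} added to {name}"))
            if removed:
                events.append((removed, f"{member} removed from {name}"))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for when, what in build_timeline(parse_records(SAMPLE)):
        print(when.isoformat(), what)
```

Run against the sample, the Domain Admins record yields both an "added" event at ftimeCreated (10:28:38) and a "removed" event at ftimeDeleted (10:38:49), which is the membership window the post reconstructs by hand; a record whose ftimeDeleted is empty would produce only the "added" event, meaning the member is still in the group. Bob's record is flagged as a tombstone even though the attribute that changed (accountExpires) says nothing about deletion on its own.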

I will continue testing.

 

Verification environment: Windows Server 2019 1809, Windows 10 1809, Time zone UTC

Reference URL:

github.com

Metadata #0 – Metadata, what is it and why do we care?

blogs.technet.microsoft.com

 
