In the Cyber Trenches: Threat hunting for Windows Authentication Attacks
Threat hunting has developed into one of the more essential functions of mature security organizations – a rare skill that enables them to address gaps in passive security solutions. But at first, threat hunting can be a daunting endeavor. On our blog, Maverc will frequently publish content related to threat hunting and how to use it to guide security practitioners. The objective is to help security teams foster the skills and procedures that enable threat hunting. Each article provides an overview of threat hunting concepts and shares ideas for incorporating threat hunting into security operations. Subsequent content will explore techniques for hunts based on different adversary techniques. Together we can reshape the security landscape by sharing knowledge and best practices on how to protect the world’s data from attack.
Formulating a hypothesis
Threat hunting leads with a hypothesis. Threat hunters may generate a theory founded on external information, such as threat intelligence, blogs, and social media. Internal data and intelligence from past incidents also inform hypothesis development.
When the team has a hypothesis, they survey various techniques and tactics to uncover artifacts that were left behind. A commonly used tool to help with hypothesis development and investigation is the MITRE ATT&CK™ (adversarial tactics, techniques, and common knowledge) framework. These adversary tactics and techniques are clustered within a matrix and fall into the following categories:
Initial access—Techniques used by the adversary to obtain a foothold within a network, such as targeted spear-phishing, exploiting vulnerabilities or configuration weaknesses in public-facing systems.
Execution—Techniques that result in an adversary running their code on a target system. For example, an attacker may run a PowerShell script to download additional attacker tools and/or scan other systems.
Persistence—Techniques that allow an adversary to maintain access to a target system, even following reboots and credential changes. An example of a persistence technique would be an attacker creating a scheduled task that runs their code at a specific time or on reboot.
Privilege escalation—Techniques leveraged by an adversary to gain higher-level privileges on a system, such as local administrator or root.
Defense evasion—Techniques used by attackers to evade detection. Evasion techniques include hiding malicious code within trusted processes and folders, encrypting or obfuscating adversary code, or disabling security software.
Credential access—Techniques deployed on systems and networks to steal usernames and credentials for re-use.
Discovery—Techniques used by adversaries to obtain information about systems and networks that they are looking to exploit or use for their tactical advantage.
Lateral movement—Techniques that allow an attacker to move from one system to another within a network. Common techniques include “Pass-the-Hash” methods of authenticating users and the abuse of the remote desktop protocol.
Collection—Techniques used by an adversary to gather and consolidate the information they were targeting as part of their objectives.
Command and control—Techniques leveraged by an attacker to communicate with a system under their control. One example is that an attacker may communicate with a system over an uncommon or high-numbered port to evade detection by security appliances or proxies.
Exfiltration—Techniques used to transfer data from the compromised network to a system or network fully under control of the attacker.
Impact—Techniques used by an attacker to affect the availability of systems, networks, and data. Methods in this category include denial of service attacks and disk- or data-wiping software.
When first developing a threat hunting use case, we look at tactics and techniques mapped to the MITRE ATT&CK framework and associate them with the log sources that would yield indicators of that activity.
Examples for our Windows Authentication Attack use case would be Steal or Forge Kerberos Tickets (T1558) and Brute Force (T1110), both of which are represented in MITRE ATT&CK. We call these the “Threat Analysis” objectives or outcomes for our use case.
While the objective of this hunt use case is to identify evidence of attack activity, it is always important to also identify issues that reveal gaps in the overall health of your systems. This ensures that vulnerabilities are patched and attended to during the hunt, preventing attacks from being effective in the future.
This brings us to our first threat hunting use case, Windows Authentication Attacks, which focuses on more granular tactics, techniques, and procedures (TTPs) mapped to the MITRE ATT&CK framework.
The hunt: Attacks that abuse Windows Authentication
Objective: Common attack vectors that affect user accounts include password spraying, social engineering, and brute force. Compromised account credentials are also one of the easiest ways an adversary can gain access to an environment. This hunt is crafted to search for more complex authentication-based attacks that fall outside the scope of typical rule logic.
Log Source: Windows Security Event Logs
Associated MITRE Techniques: T1078, T1110, T1558, T1098, T1550, T1136
Expected Outcomes: Threat analysis of compromised accounts; identification of issues in password policies and access controls.
1. Indicators to investigate: spikes of failed logons
Look for spikes of failed logons (Event ID 4625) originating from a single source targeting one or multiple accounts.
Explanation: An adversary may attempt to brute force account credentials by attacks like password spraying (attempting a few common passwords against multiple accounts) or password guessing (attempting many passwords against one or multiple accounts).
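As an added example (not part of the original post), the following Python applies this indicator to a handful of constructed 4625 records: it groups failures by source address and separates spraying (a few attempts against many accounts) from guessing (many attempts against one account). The field names follow the 4625 event schema (IpAddress, TargetUserName); the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict

def build_sample_4625():
    """Constructed sample of Event ID 4625 ("An account failed to log on") records,
    reduced to the fields the hunt needs. Made-up data, not real telemetry."""
    events = []
    # Spraying pattern: one source, a single attempt against each of many accounts.
    for user in ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]:
        events.append({"EventID": 4625, "IpAddress": "10.0.0.5", "TargetUserName": user})
    # Guessing pattern: one source, many attempts against a single account.
    for _ in range(25):
        events.append({"EventID": 4625, "IpAddress": "10.0.0.9", "TargetUserName": "svc_backup"})
    # Benign noise: a user mistyping a password twice.
    for _ in range(2):
        events.append({"EventID": 4625, "IpAddress": "10.0.0.22", "TargetUserName": "alice"})
    return events

def hunt_failed_logon_spikes(events, min_failures=5, spray_min_accounts=5):
    """Group 4625 events by source and flag sources at or above min_failures.

    Returns {source_ip: {"failures": n, "accounts": k, "pattern": label}}, where
    pattern is "spraying" when the source hit at least spray_min_accounts distinct
    accounts and "guessing" otherwise. Thresholds are assumptions, not standards.
    """
    per_source = defaultdict(lambda: {"failures": 0, "accounts": set()})
    for ev in events:
        if ev.get("EventID") != 4625:
            continue
        bucket = per_source[ev["IpAddress"]]
        bucket["failures"] += 1
        bucket["accounts"].add(ev["TargetUserName"])

    findings = {}
    for ip, bucket in per_source.items():
        if bucket["failures"] < min_failures:
            continue  # below the noise floor; ordinary typos end up here
        distinct = len(bucket["accounts"])
        pattern = "spraying" if distinct >= spray_min_accounts else "guessing"
        findings[ip] = {"failures": bucket["failures"], "accounts": distinct, "pattern": pattern}
    return findings

if __name__ == "__main__":
    for ip, f in hunt_failed_logon_spikes(build_sample_4625()).items():
        print(f"{ip}: {f['failures']} failures across {f['accounts']} account(s) -> {f['pattern']}")
```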
2. Indicators to investigate: successful logons
Review successful account logons (Event ID 4624) where the logon type is 3 and the authentication package is NTLM, accompanied by Event IDs 4672 and 4776.
Explanation: This could be a sign of a Pass-the-Hash or Hydra attack, which are popular techniques used by attackers to authenticate and conduct actions to maintain persistence or pivot to remote systems.
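The correlation described above, as an added example that is not part of the original post: the Python below joins constructed 4624, 4672 and 4776 records by logon ID and account, and returns only type 3 NTLM logons whose session also received special privileges and had a credential validation nearby. Field names follow the Security log schema; the 30 second window and the sample host names are assumptions.

```python
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed 4624/4672/4776 records for one host, with only the fields the hunt
    needs. Made-up data, not real telemetry."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    def s(n):
        return t0 + timedelta(seconds=n)
    return [
        # Benign: admin network logon authenticated with Kerberos.
        {"EventID": 4624, "TimeCreated": s(0), "LogonType": 3, "AuthenticationPackageName": "Kerberos",
         "TargetUserName": "admin1", "TargetLogonId": "0x1a2b", "IpAddress": "10.0.0.50"},
        {"EventID": 4672, "TimeCreated": s(0), "SubjectUserName": "admin1", "SubjectLogonId": "0x1a2b"},
        # Suspicious: privileged NTLM network logon with a matching credential validation.
        {"EventID": 4776, "TimeCreated": s(10), "TargetUserName": "admin1", "Workstation": "WS-UNKNOWN"},
        {"EventID": 4624, "TimeCreated": s(11), "LogonType": 3, "AuthenticationPackageName": "NTLM",
         "TargetUserName": "admin1", "TargetLogonId": "0x3c4d", "IpAddress": "10.0.0.77"},
        {"EventID": 4672, "TimeCreated": s(11), "SubjectUserName": "admin1", "SubjectLogonId": "0x3c4d"},
        # Not privileged: standard user NTLM share access, no 4672 follows.
        {"EventID": 4776, "TimeCreated": s(20), "TargetUserName": "bob", "Workstation": "WS-BOB"},
        {"EventID": 4624, "TimeCreated": s(21), "LogonType": 3, "AuthenticationPackageName": "NTLM",
         "TargetUserName": "bob", "TargetLogonId": "0x5e6f", "IpAddress": "10.0.0.60"},
    ]

def hunt_privileged_ntlm_network_logons(events, window=timedelta(seconds=30)):
    """Return the 4624 events that are network logons (type 3) over NTLM, whose logon
    session also received special privileges (a 4672 with the same logon ID) and for
    which a 4776 credential validation for the same account occurred within `window`.
    Each hit is a hunting lead to review, not proof of Pass-the-Hash."""
    privileged_ids = {e["SubjectLogonId"] for e in events if e["EventID"] == 4672}
    validations = [e for e in events if e["EventID"] == 4776]
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 3:
            continue
        if e["AuthenticationPackageName"].upper() != "NTLM":
            continue  # Kerberos network logons are out of scope for this indicator
        if e["TargetLogonId"] not in privileged_ids:
            continue  # no 4672 for this session: not a privileged logon
        user = e["TargetUserName"].lower()
        if any(v["TargetUserName"].lower() == user
               and abs(v["TimeCreated"] - e["TimeCreated"]) <= window for v in validations):
            hits.append(e)
    return hits
```

In a real hunt, the Workstation field of the 4776 and the IpAddress of the 4624 are the next things to compare against the account's usual systems.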
3. Indicator to investigate: trends in authentication attempts
Evaluate trends in authentication attempts with Windows Event ID 4672 “Special privileges assigned to new logon” to identify anomalous accounts with elevated permissions, or administrator accounts accessing irregular systems.
Explanation: An attacker will need to gain administrator-level privileges, either by elevating permissions for a standard user account or by obtaining credentials for an existing privileged account, in order to perform actions on systems and move laterally in a network.
4. Indicator to investigate: Windows Event ID 4720 “A user account was created”
Review Windows Event ID 4720 “A user account was created” to detect any abnormal account creations.
Explanation: Account creation is a common method used by attackers to maintain persistence on a system or within the network.
5. Indicator to investigate: excessive Kerberos service ticket requests
Look for an excessive number of Kerberos service tickets requested by a single source by reviewing Event ID 4769 entries with RC4 encryption (ticket encryption type 0x17), to identify possible evidence of Kerberoasting.
Explanation: Kerberoasting is a technique used to gain access to the plaintext passwords of service accounts by requesting RC4-encrypted Kerberos service tickets, which are susceptible to offline brute-force cracking.
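As an added example (not the original post's code), the Python below applies this indicator to constructed 4769 records: it keeps only successfully issued RC4 (0x17) service tickets, drops routine krbtgt and computer-account ($) requests, and reports requesters that touched several distinct service accounts. Field names follow the 4769 schema; the threshold of three services and the sample names are assumptions.

```python
from collections import defaultdict

def build_sample_4769():
    """Constructed Event ID 4769 ("A Kerberos service ticket was requested") records
    with the fields this indicator uses. Made-up data, not real telemetry."""
    def ev(user, ip, svc, enc, status):
        return {"EventID": 4769, "TargetUserName": user, "IpAddress": ip,
                "ServiceName": svc, "TicketEncryptionType": enc, "Status": status}
    events = []
    # Suspicious: one user from one source pulls RC4 tickets for many service accounts.
    for svc in ["svc_sql", "svc_web", "svc_backup", "svc_sharepoint", "svc_exchange", "svc_print"]:
        events.append(ev("jsmith@CORP.EXAMPLE", "::ffff:10.0.0.40", svc, "0x17", "0x0"))
    # Benign: a similar burst, but the tickets are AES256 (0x12), so not roasting material.
    for svc in ["svc_sql", "svc_web", "svc_backup", "svc_sharepoint"]:
        events.append(ev("alice@CORP.EXAMPLE", "::ffff:10.0.0.41", svc, "0x12", "0x0"))
    # Routine: computer account and TGT-related requests, excluded by name.
    events.append(ev("bob@CORP.EXAMPLE", "::ffff:10.0.0.42", "FILESRV01$", "0x17", "0x0"))
    events.append(ev("bob@CORP.EXAMPLE", "::ffff:10.0.0.42", "krbtgt", "0x17", "0x0"))
    # Failed request (non-zero status): no ticket was issued, nothing to crack.
    events.append(ev("jsmith@CORP.EXAMPLE", "::ffff:10.0.0.40", "svc_legacy", "0x17", "0x7"))
    return events

def hunt_kerberoasting(events, min_distinct_services=3):
    """Group successful RC4 (0x17) service ticket requests by (requesting account, source)
    and return those that touched at least min_distinct_services distinct service accounts.

    Returns {(account, ip): sorted list of service names}. The threshold is an assumption;
    tune it against how many RC4 services a normal user session touches in your estate."""
    per_requester = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue  # only issued tickets give an attacker something to crack offline
        if e["TicketEncryptionType"].lower() != "0x17":
            continue  # AES tickets (0x11/0x12) are not the weak case this indicator targets
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # TGT and computer accounts: routine, not typical roasting targets
        per_requester[(e["TargetUserName"], e["IpAddress"])].add(svc)
    return {key: sorted(svcs) for key, svcs in per_requester.items()
            if len(svcs) >= min_distinct_services}

if __name__ == "__main__":
    for (user, ip), svcs in hunt_kerberoasting(build_sample_4769()).items():
        print(f"{user} from {ip} requested RC4 tickets for {len(svcs)} services: {', '.join(svcs)}")
```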
6. Indicator to investigate: anomalous processes
Examine the process names recorded in logon events for odd or anomalous processes generating logon requests.
Explanation: This search detects suspicious processes, which could reveal malware being used to authenticate within the environment.