ADTimeline: Threathunting with Active Directory data

Active Directory is a prime target in almost all cyberattacks, and attackers often attempt to gain Domain Admin privileges and maintain their access. It is therefore crucial for security teams to monitor the changes occurring in Active Directory. Those modifications are recorded in the Domain Controllers' Windows event logs, but their scope and completeness depend on the auditing strategy configured. Moreover, those events are rarely centralized, analyzed and archived. As a consequence, replication metadata is sometimes the only artefact left for the DFIR analyst to characterize modifications made to the Active Directory.

ADTimeline is a forensic tool, written in PowerShell, which aims to create a timeline of Active Directory changes from replication metadata. The ADTimeline application for Splunk processes and analyses the data collected by the PowerShell script to help the DFIR analyst perform their investigation. In addition, the Active Directory data indexed in Splunk can be coupled with the analysis of Windows event logs to perform relevant threat hunting queries.

Firstly, this presentation will describe how threat hunting and forensic investigations on Active Directory domains are performed at CERT-FR and how we collect data with the open-source tools DFIR Orc and ADTimeline. We will then give the big picture of the data processing done afterwards in order to index it in Splunk or import it into a database for analysis.

I will then present what replication metadata is and what the ADTimeline tool does and its limitations. This will be a short version of the presentation given last year at the FIRST Technical Colloquium in Amsterdam.
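As an added illustration (not ADTimeline's own code) of how replication metadata yields a change timeline: the PowerShell below assumes the RSAT ActiveDirectory module on a domain-joined host, uses a constructed default list of privileged group names, and lists recent originating writes on those groups, including individual member additions and removals, together with the Domain Controller that originated each write.

```powershell
# Added example, not code from the ADTimeline project. It reads the same
# artefact ADTimeline is built on: per-attribute replication metadata.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-ReplMetadataTimeline {
    param(
        # Objects whose attribute history we want; privileged groups are a
        # sensible starting point (constructed defaults, adjust as needed).
        [string[]]$Identity = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        # Query a single DC so USNs and originating-DC identities are consistent.
        [string]$Server = (Get-ADDomainController -Discover).HostName[0],
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    foreach ($id in $Identity) {
        $obj = Get-ADObject -Filter "name -eq '$id'" -Server $Server
        if (-not $obj) { continue }
        # -ShowAllLinkedValues returns one row per linked value (each
        # 'member' of the group) with its own originating change time,
        # which is what lets us date individual membership changes.
        Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName `
            -Server $Server -ShowAllLinkedValues |
            Where-Object { $_.LastOriginatingChangeTime -ge $Since } |
            ForEach-Object {
                [pscustomobject]@{
                    When      = $_.LastOriginatingChangeTime
                    Object    = $obj.Name
                    Attribute = $_.AttributeName
                    Value     = $_.AttributeValue
                    # Version counts how often the attribute was written; an
                    # unusually high count on 'member' deserves a closer look.
                    Version   = $_.Version
                    # DC that originated the write. An identity that is not
                    # one of your DCs is a DCShadow indicator.
                    OriginDC  = $_.LastOriginatingChangeDirectoryServerIdentity
                    # Set only for linked values that were removed, i.e. a
                    # member that left the group (tombstoned link).
                    Deleted   = $_.LastOriginatingDeleteTime
                }
            }
    }
}

Get-ReplMetadataTimeline | Sort-Object When | Format-Table -AutoSize
```

Note that the timeline only reflects the last originating write per attribute or linked value, which is the limitation of the technique the talk discusses: earlier writes to the same value are not recoverable from metadata alone.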

I will then present the ADTimeline application for Splunk, how the data is indexed in Splunk, and will describe and show the four dashboards available to the DFIR analyst:

- The "Active Directory Infrastructure" dashboard gives you general information on which components to investigate.
- The "sensitive accounts" dashboard provides an inventory of the privileged accounts in the domain and of accounts prone to common attack scenarios due to their configuration.
- The "investigate timeframe" dashboard provides statistics and charts of the modifications occurring on the AD domain for a given period of time. Use this dashboard if you already know what timeframe to investigate.
- Finally, the "track suspicious activity" dashboard tries to spot malicious modifications made on the Active Directory such as ACL edits, group membership modifications, various persistence techniques, audit policy modifications, DCShadow operations, replication metadata tampering, Exchange on-premises email exfiltration, and so on.

Finally, I will show how to enhance your traditional Windows event log threat hunting with the ADTimeline application for Splunk, and how you can perform queries such as "What processes were running under an AD privileged account?", "Did a service account with a SPN configured authenticate on computers it should not have?", "Which sensitive user or computer authenticated on a computer with unconstrained delegation configured?", and so on.

About the Speaker