Forensique

Post compromission

En cas de compromission, il est intéressant de valider la présence ou non des actions suivantes:

• Reset all user account passwords twice (thanks @tazwake)
  • Reset all administrator passwords
  • Reset all service accounts passwords
• Reset (twice – but bear in mind the issues with replication so there’s specific guidance on this) the KRBTGT password
• Reset all computer account passwords
• Check the value of the computer account password change value
  • By default, it is 30 days, threat actors can change this to give themselves access using machine hashes for a longer duration. https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age
• Reset all LAPS Passwords
• Reset permissions on AdminSDHolders object
• Revoke and re-issue all certificates from ADCS
• Check for malicious scheduled tasks (thanks @SchizoDuckie)
• Check for malicious WMI event filters
• Check for malicious autoruns or other registry-based persistence mechanisms
• Check for utilman style backdoors
• Check for malicious printers/printer drivers (thanks @SchizoDuckie)
• Review Active Directory Delegated access permissions (thank https://twitter.com/@indachtig)
• Rotate ADFS token signing and token decryption certificates (thanks @4n6Bexaminer)
• Check Service Control Manager (SCM) security descriptors (https://docs.microsoft.com/en-us/windows/win32/services/service-security-and-access-rights) (thanks @EricaZeli)
• Check for object changes around initial access/event timescales (thanks @IISResetMe)
• Validate group memberships against known baselines (replication metadata, backup, AD reporting tools/reports etc.) (thanks @IISResetMe)
• Harden Active Directory (look at pingcastle and MITRE) (thanks @MarkSewe)
• Review logon scripts in GPOS and SYSVOL (thanks @CisoDiagonal and A-HAX!)
• Rotate Group Managed Service Accounts (GMSA) (thanks @infosecspy)
• Rotate LAPS credentials
• Review Azure AD/AD Connect (thanks @infosecspy)
• Harden Endpoints
• Update AV
• Deploy EDR
• Deploy SYSMON
• DNS Zone Integrity (Public and Private) (thanks to @jermuv)
• Rote domain trust keys (thanks @DebugPrivilege)
• Review potential RBCD Bakdoors (thanks @DebugPrivilege)
• Review msDsConsistencyGuid attribute of compromised accounts (thanks @DebugPrivilege)
• Check Exchange (easy right?)
• Review accounts for “Key Trust Account Mapping” takeover and reset if required (thanks @nodauf)
  • https://posts.specterops.io/shadow-credentials-abusing-key-trust-account-mapping-for-takeover-8ee1a53566ab
• Review Active Directory Domains and Trusts (thanks @dragon199421)
• Deploy new Domain Controllers (keep existing forest/domain metadata)
• Clear VSS/Backups/Snapshots that are likely to be classed as unsafe (thanks to @Digit4lbytes)

Ressources :

• https://www.pwndefend.com/2021/09/15/post-compromise-active-directory-checklist/