We covered the process of incident response and the steps taken to investigate and recover an infected Windows active directory system. We used Powerview and Eventviewer to investigate the actions taken by the attacker such as users created/modified, group policy changes and other events such as date and time. . This was part of TryHackMe recovering active directory.

Get COMPTIA Security+ Exam Notes

Windows Active Directory Penetration Testing Study Notes

Room Answers

What type of backups can be obtained from the Windows Server Backup utility (write the correct option only)? A: One-time B: Incremental C: Both A and B.

How would you launch the Windows Server Backup utility through the Run dialog box?

Is it good practice to isolate the infected network infrastructure for detailed network monitoring? (yea/nay).
How many machines in the domain can you find when using PowerView?

What is the name of the utility in Windows that displays and keeps track of all the events?

What is the email address for the user evil.guy?

What is the total number of users logged on after Dec 1, 2022?

What event ID will be logged if a user is removed from a universal security group?

Reset the password for the user evil.guy.

What is the command to perform the password reset operation for a computer in the domain?

What is the security vulnerability that involves abusing Kerberos service tickets called?

The type of attack that allows attackers to impersonate a domain controller and receive/forward requests on behalf of the domain controller is called?

Is synchronising time on all network devices important to correlate logs on different devices? (yea/nay).

Click the View Site button at the top of the task to launch the static site in split view. What is the flag after completing the exercise?

Video Transcript

So in today’s video you’re going to put yourself in the shoes of an incident response analyst and you’re going to tackle over the task of recovering and infected Windows active directory machine. Basically you’re going to activate the incident response plan. So you have a call from your colleague telling you that there witnessing some weird stuff happening over the active directory machine or maybe their machine that is part of the domain controller. So you want to take a look at this infected machine and you want to perform and immediate action to isolate it
then maybe eliminate and recover the machine.

First we’re going to take backup of the machine because all of the analysis that is going to be performed will be performed on a cloned copy of the infected machine.
Previously we used volatility and Memdump to take a clone of the infected system’s memory on Linux OS. But since this is a Windows machine we will perform the backup using the Windows Server local backup service. So using backup schedule backup once we click on that and we go through the options. So we’re going to select full server backup if they were some external storage attached to the device or the domain controller, you’re going to go for custom and here you’re going to select bare metal, but since this is a lab machine these things don’t appear here So we’re going to go back and select full server. Once we have the system backed-up we will mount it on another system dedicated for incident response and forensic analysis with VMware installed.

Make sure to disconnect the machine from the network and internet. You don’t want any communication with any C2 server while you are doing the analysis. All right.
So with that we took the backup, we isolated the machine from the network now, it’s time to perform some analysis. Okay, so we’re gonna assume that right now we are performing the analysis on the cloned copy.
We want to identify  the actions that the attacker has taken since they have compromised the machine, so we’re going to use Powershell specifically powerview.ps1 which is used to enumerate Windows machines that are part of a domain controller.

Useful commands to use powerview.ps1

Import-Module powerview.ps1

Get-NetDomainController

Get-NetLoggedon

Get-NetSession

Get-NetComputer

And we will use Windows Event viewer to track the changes performed by the attacker on Group policy settings such as The event ID 4719 is associated with policy modification, which means that if any valid or invalid user tries to update the system audit policy, this action will generate an event log with ID 4719. Similarly, event ID 4739 is associated with domain policy change.

To check the group membership changes, we can view the event logs and search for the specific event IDs generated in certain scenarios. Below is a list of the most interesting event IDs:
  • ID 4756: Member added to a universal security group.
  • ID 4757: Member removed from a universal security group.
  • ID 4728: Member added to a global security group.
  • ID 4729: Member removed from a global security group.

To recover the infected machine, we take the below steps

  • Reset the password for Tier 0 accounts. You can reset or disable an account by simply selecting the desired option.
  • Look for possibly compromised (suspicious) accounts and reset their password to avoid privilege escalation.
  • Change the password for the Kerberos service account and make it unusable for the attacker.
  • Reset the passwords of accounts with administrative privileges.
  • Use the Reset-ComputerMachinePassword PowerShell command to perform reset operations for computer objects on the domain.
  • Reset the password of the domain controller machine to prevent silver ticket abuse. You can learn more about the different types of Kerberos-based attacks here.
  • Domain Controllers are the essential element for protection and recovery. If you have configured a writable domain controller (DC) as a backup for a compromised one, you can restore it to avoid disruption (Be careful while performing this step. Do not restore an instance of a compromised DC).
  • Perform malware analysis on any targeted domain controller server for identification of malicious scripts.
  • Verify that the attacker has not added any scheduled tasks or start-up applications for persistent access. You can access the task scheduler through Run > taskschd.msc

Lessons Learned after the Incident

Policy Decisions
  • A detailed cyber security plan must be developed in line with some international frameworks like NIST.
  • Develop a disaster management policy to avoid such attacks in the future.
  • Detailed cyber security audit of the infrastructure to locate the infection vector of the incident and determine the root cause.
  • Ensure that logs from all the servers, computers, and network devices are maintained and forwarded to a reputable SIEM solution.
Domain Controller
  • Adding permanent rules in SIEM to block command and control (C2) domains and IP addresses used by the attacker.
  • Patching all vulnerable systems to prevent exploitation of systems through publicly available exploits.
  • Perform a thorough malware scanning of all domain controllers and domain-joined systems.
  • Perform operating system upgrades to the latest version of Windows Server as it offers more security features, like it provides AES encryption and supports red architecture more efficiently.
  • Remove the file shares on the domain controllers.
  • Disable the use of removable media on host computers, as attackers may propagate the malware on the whole network.
Backups 
  • The organization network must have redundant domain controllers in high availability (primary/secondary layout).
  • Implement automated backup and recovery mechanisms.
  • Regularly verifying the trusted backups for validating integrity.

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles