Microsoft Defender For Identity Domain Dominance Playbook - Microsoft Defender For Identity - Microsoft Learn
Microsoft Defender For Identity Domain Dominance Playbook - Microsoft Defender For Identity - Microsoft Learn
Microsoft Defender For Identity Domain Dominance Playbook - Microsoft Defender For Identity - Microsoft Learn
com/…
The last lab in this four-part series for Microsoft Defender for Identity security alerts is a
domain dominance playbook. The purpose of the Defender for Identity security alert lab
is to illustrate Defender for Identity's capabilities in identifying and detecting potential
attacks against your network. The lab explains how to test against some of Defender for
Identity's discrete detections using Defender for Identity's signature-based capabilities.
The labs don't include Defender for Identity advanced machine-learning, user, or entity-
based behavioral detections and alerts. Those types of detections and alerts aren't
included in testing because they require a learning period, and real network traffic for
up to 30 days. For more information about each lab in this series, see the Defender for
Identity security alert lab overview.
This playbook shows some of the domain dominance threat detections and security
alerts services of Defender for Identity using simulated attacks from common, real-
world, publicly available hacking and attack tools. The methods covered are typically
used at this point in the cyber-attack kill chain to achieve persistent domain dominance.
In this lab, you'll simulate attempts to achieve persistent domain dominance in order to
review each of Defender for Identity's detections for the following common methods:
Prerequisites
1. A completed Defender for Identity security alert lab
2 Warning
The third-party hacking tools in this lab are presented for research purposes only.
Microsoft does not own these tools and Microsoft cannot and does not guarantee
or warranty their behavior. They are subject to change without notice. These tools
should be run in a test lab environment only.
Domain Dominance
In the cyber-attack kill chain, during the phase of domain dominance, an attacker has
already gained legitimate credentials to access your domain controller. Attacker access
to your domain controller means all levels of damage to your network can be
accomplished. Beside the immediate damage, attackers, especially sophisticated ones,
like to place additional insurance policies into environments they've compromised.
These attacks ensure even if an attacker's initial compromise and actions are discovered,
they'll still have additional avenues of persistence in your domain, increasing their
chances of long-term success.
Using WMI via the command line, try to create a process locally on the domain
controller to create a user named "InsertedUser", with a password of: pa$$w0rd1.
1. Open the Command Line, running in context of SamiraA from the VictimPC,
execute the following command:
2. Now with the user created, add the user to the "Administrators" group on the
domain controller:
PsExec.exe \\ContosoDC -accepteula net localgroup "Administrators"
InsertedUser /add
3. Go to Active Directory Users and Computers (ADUC) on ContosoDC and find the
InsertedUser.
Acting as an attacker, you've successfully created a new user in your lab by using WMI.
You've also added the new user to the Administrators group by using PsExec. From a
persistence perspective, another legitimate, independent credential was created on the
domain controller. New credentials give an attacker persistent access to the domain
controller in case the previous credential access gained was discovered and removed.
Defender for Identity detected both the WMI and PsExec remote code executions.
Because of encryption on the WMI session, certain values such as the actual WMI
methods or the result of the attack aren't visible. However, Defender for Identity's
detection of these actions give us ideal information to take defensive action with.
VictimPC, the computer, should never be executing remote code against the Domain
Controllers.
As Defender for Identity learns who is inserted into which Security Groups over time,
similar suspicious activities are identified as anomalous activity in the timeline. Since this
lab was recently built and is still within the learning period, this activity won't display as
an alert. Security group modification detection by Defender for Identity can be validated
by checking the activity timeline. Defender for Identity also allows you to generate
reports on all Security Group modifications, which can be emailed to you proactively.
Access the Administrator page in the Defender for Identity portal using the Search tool.
The Defender for Identity detection of the user insertion is displayed in the Admin
Group activity timeline.
Using mimikatz, we'll attempt to export the master key from the domain controller.
As attackers, we now have the key to decrypt any DPAPI-encrypted file/sensitive data
from any machine in the entire Forest.
The two common hacking tool sets that allow attackers to attempt malicious replication
are Mimikatz and Core Security's Impacket.
Mimikatz lsadump::dcsync
From the VictimPC, in context of SamirA, execute the following Mimikatz command:
Let's use a Skeleton Key to see how this type of attack works:
2. With mimikatz now staged on the DC, remotely execute it via PsExec:
When prompted, use the wrong password on purpose. This action proves that the
account still has a password after executing the attack.
But Skeleton Key adds an additional password to each account. Do the "runas"
command again but this time use "mimikatz" as the password.
This command creates a new process, notepad, running in the context of RonHD.
Skeleton Key can be done for any account, including service accounts and computer
accounts.
) Important
It is important that you restart ContosoDC after you execute the Skeleton Key
attack. Without doing so, the LSASS.exe process on ContosoDC will be patched and
modified, downgrading every authentication request to RC4.
1. As JeffL, run the below command on VictimPC to acquire the domain SID:
whoami /user
2. Identify and copy the Domain SID highlighted in the above screenshot.
3. Using mimikatz, take the copied Domain SID, along with the stolen "krbtgt" user's
NTLM hash to generate the TGT. Insert the following text into a cmd.exe as JeffL:
The /ptt part of the command allowed us to immediately pass the generated
ticket into memory.
4. Let's make sure the credential is in memory. Execute klist in the console.
Why did it work? The Golden Ticket Attack works because the ticket generated was
properly signed with the 'KRBTGT' key we harvested earlier. This ticket allows us, as the
attacker, to gain access to ContosoDC and add ourselves to any Security Group that we
wish to use.
Next steps
Defender for Identity Security Alert Guide
Investigate lateral movement paths with Defender for Identity
Check out the Defender for Identity forum!