mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-17 13:15:16 +03:00
Initial commit - 611 cybersecurity skills across all subdomains
This commit is contained in:
@@ -0,0 +1,49 @@
|
||||
# Standards and References - DCSync Attack Detection
|
||||
|
||||
## MITRE ATT&CK Credential Access (TA0006)
|
||||
|
||||
| Technique | Name | Relevance |
|
||||
|-----------|------|-----------|
|
||||
| T1003.006 | OS Credential Dumping: DCSync | Primary technique |
|
||||
| T1003.001 | LSASS Memory | Often combined with DCSync for complete credential theft |
|
||||
| T1003.003 | NTDS | Alternative to DCSync using ntdsutil or volume shadow copy |
|
||||
| T1078.002 | Valid Accounts: Domain Accounts | Using dumped credentials |
|
||||
| T1558.001 | Steal or Forge Kerberos Tickets: Golden Ticket | Primary goal of KRBTGT hash extraction |
|
||||
| T1222.001 | File and Directory Permissions Modification | Granting replication rights |
|
||||
|
||||
## Critical Replication GUIDs
|
||||
|
||||
| GUID | Permission Name | Risk |
|
||||
|------|----------------|------|
|
||||
| 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes | Required for DCSync |
|
||||
| 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 | DS-Replication-Get-Changes-All | Includes confidential attributes (passwords) |
|
||||
| 89e95b76-444d-4c62-991a-0facbeda640c | DS-Replication-Get-Changes-In-Filtered-Set | Partial replication rights |
|
||||
|
||||
## Windows Event IDs for DCSync Detection
|
||||
|
||||
| Event ID | Source | Description |
|
||||
|----------|--------|-------------|
|
||||
| 4662 | Security | Directory Service Object Access (primary detection) |
|
||||
| 4624 | Security | Successful logon (correlate source of replication) |
|
||||
| 4672 | Security | Special privileges assigned (admin logon) |
|
||||
| 4738 | Security | User account changed (permission grants) |
|
||||
| 5136 | Security | Directory Service Object modified (ACL changes) |
|
||||
|
||||
## Known Threat Actors Using DCSync
|
||||
|
||||
| Actor | Context |
|
||||
|-------|---------|
|
||||
| APT29 (Cozy Bear) | Used DCSync in SolarWinds campaign |
|
||||
| FIN6 | DCSync for credential harvesting in retail/hospitality |
|
||||
| Wizard Spider | TrickBot/Conti ransomware using DCSync pre-encryption |
|
||||
| APT28 (Fancy Bear) | DCSync in government network intrusions |
|
||||
| LAPSUS$ | DCSync after AD compromise for data theft |
|
||||
|
||||
## Legitimate Replication Sources
|
||||
|
||||
| Source | Reason | How to Distinguish |
|
||||
|--------|--------|--------------------|
|
||||
| Domain Controllers | Normal AD replication | Computer account ends with $ |
|
||||
| Azure AD Connect | Hybrid identity sync | MSOL_ service account |
|
||||
| Backup Software | AD backup operations | Documented service accounts |
|
||||
| Migration Tools | Cross-forest migrations | Temporary, documented operations |
|
||||
@@ -0,0 +1,99 @@
|
||||
# Detailed Hunting Workflow - DCSync Attack Detection
|
||||
|
||||
## Phase 1: Enumerate Legitimate Replication Accounts
|
||||
|
||||
### Step 1.1 - List All Domain Controllers
|
||||
```powershell
|
||||
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperatingSystem
|
||||
```
|
||||
|
||||
### Step 1.2 - Find Accounts with Replication Rights
|
||||
```powershell
|
||||
# Find all accounts with Replicating Directory Changes
|
||||
Import-Module ActiveDirectory
|
||||
$rootDSE = Get-ADRootDSE
|
||||
$domainDN = $rootDSE.defaultNamingContext
|
||||
$acl = Get-Acl "AD:\$domainDN"
|
||||
$acl.Access | Where-Object {
|
||||
$_.ObjectType -eq "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" -or
|
||||
$_.ObjectType -eq "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
|
||||
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType
|
||||
```
|
||||
|
||||
### Step 1.3 - BloodHound Query for DCSync Rights
|
||||
```cypher
|
||||
MATCH p=(n)-[:GetChanges|GetChangesAll]->(d:Domain)
|
||||
WHERE NOT n:Domain
|
||||
RETURN n.name, labels(n)
|
||||
```
|
||||
|
||||
## Phase 2: Deploy Detection
|
||||
|
||||
### Step 2.1 - Enable Required Audit Policy
|
||||
```cmd
|
||||
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
|
||||
```
|
||||
|
||||
### Step 2.2 - Configure SACL on Domain Object
|
||||
Apply SACL to the domain root object monitoring for:
|
||||
- Control Access rights
|
||||
- Access to Replication GUIDs
|
||||
- By Everyone or Authenticated Users
|
||||
|
||||
## Phase 3: Active Monitoring
|
||||
|
||||
### Step 3.1 - Splunk Real-Time Detection
|
||||
```spl
|
||||
index=wineventlog source="WinEventLog:Security" EventCode=4662
|
||||
| rex field=Properties "(?<guid>\{[0-9a-f-]+\})"
|
||||
| where guid IN ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}",
|
||||
"{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
|
||||
"{89e95b76-444d-4c62-991a-0facbeda640c}")
|
||||
| lookup dc_accounts SubjectUserName OUTPUT is_dc
|
||||
| where is_dc!="true"
|
||||
| eval alert_severity="CRITICAL"
|
||||
| table _time SubjectUserName SubjectDomainName Computer guid alert_severity
|
||||
```
|
||||
|
||||
### Step 3.2 - Network-Level Detection
|
||||
```spl
|
||||
index=zeek sourcetype=dce_rpc
|
||||
| where operation="DRSGetNCChanges"
|
||||
| lookup domain_controllers src_ip OUTPUT is_dc
|
||||
| where is_dc!="true"
|
||||
| table _time src_ip dst_ip operation
|
||||
```
|
||||
|
||||
## Phase 4: Investigation
|
||||
|
||||
### Step 4.1 - Determine Source Machine
|
||||
Correlate Event 4662 with Event 4624 to identify the source workstation:
|
||||
```spl
|
||||
index=wineventlog EventCode=4624 LogonType=3
|
||||
| where TargetUserName=[suspected_account]
|
||||
| table _time TargetUserName IpAddress WorkstationName LogonType
|
||||
```
|
||||
|
||||
### Step 4.2 - Check for Subsequent Credential Abuse
|
||||
```spl
|
||||
index=wineventlog EventCode=4769
|
||||
| where ServiceName="krbtgt"
|
||||
| where TicketEncryptionType="0x17"
|
||||
| table _time TargetUserName ServiceName IpAddress TicketEncryptionType
|
||||
```
|
||||
|
||||
## Phase 5: Response
|
||||
|
||||
### Step 5.1 - Immediate Containment
|
||||
1. Disable compromised account immediately
|
||||
2. Rotate KRBTGT password (twice, 12 hours apart)
|
||||
3. Reset all service account passwords
|
||||
4. Block source IP at network level
|
||||
5. Isolate source machine for forensics
|
||||
|
||||
### Step 5.2 - Remediation
|
||||
1. Remove unauthorized replication rights
|
||||
2. Review all accounts with DCSync-capable permissions
|
||||
3. Implement tiered administration model
|
||||
4. Enable Microsoft Defender for Identity DCSync alerts
|
||||
5. Deploy Protected Users security group for admin accounts
|
||||
Reference in New Issue
Block a user