A single Active Directory account can be your best early-warning system
Author: Jordan Drysdale
Jordan has 25 years of experience in the technology industry with a focus on cybersecurity; he is currently a member of the Black Hills Information Security team and an instructor for Antisyphon Training.
Overview
By carefully configuring a single AD account (codename Ricardo Beneficio), three key attacker behaviours can be detected:
- LDAP enumeration: attribute reads triggered by tools such as ADExplorer and BloodHound
- Kerberoasting: Kerberos service ticket requests for the account's service principal name (SPN)
- Password spraying: brute-force activity identified through failed logon events
Lab setup
Build a disposable lab environment from the Azure ARM template (https://www.doazlab.com):
```powershell
# Create the decoy account
New-ADUser -UserPrincipalName ricardo.beneficio@doazlab.com -Path "OU=DomainUsers,DC=doazlab,DC=com" -GivenName "Ricardo" -Surname "Beneficio" -Enabled $true -Name "Ricardo.Beneficio" -Description "Accounting Controller" -Office "Accounting" -Title "Controller" -Company "DevLabs" -AccountPassword (ConvertTo-SecureString "Contrasena#2" -AsPlainText -Force)
# Retrieve the object GUID (the key identifier used by the detection query)
Get-ADUser -Identity ricardo.beneficio -Properties "ObjectGuid"
```
Implementing the detections
1. LDAP enumeration detection (EID 4662)
Configure an audit rule on the userAccountControl (UAC) attribute:
```powershell
# Set the "password never expires" flag (makes the account attractive to enumeration tools)
$DecoySamAccountName = "ricardo.beneficio"
Set-ADAccountControl -Identity $DecoySamAccountName -PasswordNeverExpires $true
# Create the audit rule (a log entry is generated whenever the UAC attribute is read)
Import-Module ActiveDirectory
iwr -Uri https://raw.githubusercontent.com/OTRF/Set-AuditRule/master/Set-AuditRule.ps1 -OutFile Set-AuditRule.ps1
Import-Module .\Set-AuditRule.ps1
# The object lives in the OU used above; bf967a68-... is the schema GUID of userAccountControl
Set-AuditRule -AdObjectPath 'AD:\CN=Ricardo.Beneficio,OU=DomainUsers,DC=doazlab,DC=com' -WellKnownSidType WorldSid -Rights ReadProperty -InheritanceFlags All -AttributeGUID bf967a68-0de6-11d0-a285-00aa003049e2 -AuditFlags Success
```
KQL detection query:
```kql
SecurityEvent
| where EventID == 4662
| where ObjectName contains "e84b8538-2b00-4b82-909b-45051e55e6b1" // replace with the decoy's actual ObjectGuid
| project TimeGenerated , Account , ObjectName , ObjectType
```
2. Kerberoasting detection (EID 4769)
Register an SPN for the decoy account:
```powershell
setspn -a ws05/ricardo.beneficio.doazlab.com:1433 doazlab.com\ricardo.beneficio
```
Kerberoasting detection query:
```kql
SecurityEvent
| where TimeGenerated >= ago(2h)
| where EventID == 4769
| parse EventData with * 'Status">' Status "<" *
| where Status == '0x0'
| parse EventData with * 'ServiceName">' ServiceName "<" *
| where ServiceName !contains "$" and ServiceName contains "ricardo"
| parse EventData with * 'IpAddress">' SourceIP "<" *
| project TimeGenerated , ServiceName , SourceIP , EventID , Activity
```
3. Password spray detection (EID 4625)
Failed logon detection:
```kql
SecurityEvent
| where EventID == 4625
| where Account contains "Ricardo.Beneficio"
| project TimeGenerated , Activity , Account , IpAddress
```
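The three KQL rules above re-implemented in Python over Windows Security event XML, as an added example that is not part of the original post or the lab's tooling. It lets you check the matching logic offline before wiring it into Sentinel; the GUID is the placeholder from the article, and the sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DECOY_GUID = "e84b8538-2b00-4b82-909b-45051e55e6b1"  # placeholder; use Get-ADUser's ObjectGuid
DECOY_USER = "ricardo.beneficio"

def event_data(xml_text):
    """Return (EventID, {Data Name: value}) for one Security event rendered as XML."""
    root = ET.fromstring(xml_text)
    eid = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return eid, data

def classify(xml_text):
    """Apply the three decoy rules to one event; return the matching label or None."""
    eid, d = event_data(xml_text)
    # Rule 1 (EID 4662): a read of the audited UAC attribute on the decoy's object GUID.
    if eid == 4662 and DECOY_GUID in d.get("ObjectName", "").lower():
        return "ldap_enumeration"
    # Rule 2 (EID 4769): successful TGS request for a non-machine SPN naming the decoy.
    if eid == 4769 and d.get("Status") == "0x0":
        svc = d.get("ServiceName", "")
        if "$" not in svc and "ricardo" in svc.lower():
            return "kerberoasting"
    # Rule 3 (EID 4625): failed logon whose target account is the decoy.
    if eid == 4625 and DECOY_USER in d.get("TargetUserName", "").lower():
        return "password_spray"
    return None

def _ev(eid, **fields):
    """Build a constructed, minimal event XML in the schema Security events use."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")

# Constructed sample events: three that touch the decoy and two benign ones.
SAMPLE_EVENTS = [
    _ev(4662, SubjectUserName="alice", ObjectName="%{" + DECOY_GUID + "}"),
    _ev(4769, ServiceName="ricardo.beneficio", Status="0x0", IpAddress="::ffff:10.0.0.5"),
    _ev(4769, ServiceName="DC01$", Status="0x0", IpAddress="::ffff:10.0.0.7"),  # machine SPN
    _ev(4625, TargetUserName="Ricardo.Beneficio", IpAddress="10.0.0.9"),
    _ev(4625, TargetUserName="bob", IpAddress="10.0.0.9"),  # unrelated failure
]

def run_detections(events):
    """Return [(label, fields)] for every event that trips one of the decoy rules."""
    labelled = [(classify(e), event_data(e)[1]) for e in events]
    return [(label, d) for label, d in labelled if label]
```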
Mapping attack stages to detections
| Attack stage | Detection mechanism | Event ID |
| --- | --- | --- |
| Post-access enumeration | UAC attribute read | 4662 |
| Lateral movement (Kerberoasting) | Service ticket request | 4769 |
| Credential attack (password spraying) | Failed logon | 4625 |
Validation results
- BloodHound enumeration successfully triggered a 4662 event
- A Kerberoasting attack successfully triggered a 4769 event and captured the hash
- A password spray against 498 objects successfully triggered 4625 event alerts
Summary
A single AD account provides three lines of detection:
- Audit configuration: monitors reads of a sensitive attribute
- SPN decoy: captures Kerberos service ticket requests
- Logon monitoring: detects anomalous authentication activity
The approach yields high-precision detections, reliably surfaces common attacker techniques, and can be automated into alerts through platforms such as Microsoft Sentinel.
The lab environment must be torn down regularly; all attack activity was performed in an authorized test environment.