Lesson 3 of 5

Compromised Active Directory Server

Scenario Background

Proxy logs show repeated denied attempts, going back at least 5 weeks, by an Active Directory server to contact a site categorized as malicious. A connection is attempted every 1 to 2 hours, all day long.

1. Scenario

This is the triggering event for the incident response effort:

Proxy logs show repeated denied attempts, going back 3 weeks, by an AD server to contact a site categorized as malicious (badsite.com).
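As an added illustration (not part of the exercise material), the first check a responder would run over the proxy logs: confirm that the denied requests from the AD server are periodic rather than user-driven, and list every internal host that has tried to reach the blocked domain. The log lines, host names and thresholds are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the exercise): time, source host, action, destination.
PROXY_LOG = """\
2024-03-01T00:07:12 ad01.corp.example DENIED badsite.com
2024-03-01T01:41:55 ad01.corp.example DENIED badsite.com
2024-03-01T02:58:03 ad01.corp.example DENIED badsite.com
2024-03-01T04:30:41 ad01.corp.example DENIED badsite.com
2024-03-01T06:12:09 ad01.corp.example DENIED badsite.com
2024-03-01T07:59:30 ad01.corp.example DENIED badsite.com
2024-03-01T03:15:00 ws-sales17.corp.example DENIED ads.example.net
2024-03-01T09:44:12 ws-sales17.corp.example ALLOWED news.example.org
2024-03-01T12:01:00 ws-sales17.corp.example DENIED ads.example.net
2024-03-01T19:36:55 ws-sales17.corp.example DENIED ads.example.net
"""

def parse(log):
    """Yield (timestamp, source, action, destination) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            ts, src, action, dst = line.split()
            yield datetime.fromisoformat(ts), src, action, dst

def find_beacons(log, min_hits=5, max_jitter=0.35):
    """Return {(src, dst): mean gap in hours} for host/destination pairs whose
    request timing is regular enough to look like an automated check-in.
    Regularity is the population stdev of the gaps divided by their mean;
    a pair needs at least min_hits requests to be judged at all."""
    hits = defaultdict(list)
    for ts, src, _action, dst in parse(log):
        hits[(src, dst)].append(ts)
    beacons = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg / 3600, 2)
    return beacons

def hosts_contacting(log, domain):
    """Every source host that tried to reach `domain`, allowed or denied."""
    return sorted({src for _ts, src, _a, dst in parse(log) if dst == domain})
```

With this data only the AD server shows a regular ~1.5 h cadence toward badsite.com, which matches the hidden detail that no other system is trying to reach it.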

Incident Narrative (Moderator reference)

An Adversary has breached the organization using malware installed on a laptop (which is often VPN-connected). That malware was delivered via a spearphishing attack 2 months ago to a domain administrator. The Attacker had immediately (Visit 1) grabbed all user credentials from the affected system and installed Poison Ivy RAT.

After ~two weeks (Visit 2, now -5 weeks) the Adversary then used the remote access to that system, along with credentials, to access a Domain Admin account (pass the hash, cracked password, etc.). The Adversary accessed an Active Directory server, dumped ALL password hashes, placed those into a password-protected RAR and exfiltrated those. The Adversary then installed Poison Ivy RAT, which runs as a system service with the EXE located in the domain admin’s temp folder. This is responsible for the beaconing to badsite.com. The Adversary then, using the same admin account, accessed 5 file servers. A service was installed on two of those, with one beaconing to a second domain (alsobad.com, not blocked). The third system will beacon for the attacker in two weeks: it’s a back-up access method. A 15Mb password-protected RAR file is on the second file server.

Two weeks later (Visit 3, now -3 weeks) the Adversary came back via the laptop-based backdoor. The Adversary used the same admin account and an administrative service account to access 5 systems (the two with backdoors, plus 3 new). No new malware was installed.

Hidden Incident Details

  • No other systems are trying to reach badsite.com.

  • Analysis will show Poison Ivy RAT running under the profile of Legitimate Server Admin, as “install.exe”. Analysis of install.exe, even using strings, will show a second domain, “alsobad.com”.

  • The Poison Ivy process has been running since the last reboot (2) weeks ago.

  • Analysis of the system for persistence shows it was installed as a service 5 weeks ago.

  1. Analysis will find pwdump (as p.exe), a credential harvester, was run when the RAT was installed. This file is still on the system (or have it removed)

  2. A password-protected RAR archive exists in the same directory as the pwdump file, 2MB in size

  3. Analysis will show the same admin account logged in to (5) file servers on the same date as the RAT was installed

  4. Analysis will show the same admin account logged in to (3) new servers plus (2) of the prior (5) on the date the Credential harvester ran.

  5. Analysis will show the same admin account has logged in to (50) servers during the 5-week known-incident time span
    Most of this activity is legitimate activity by the administrator

  6. The source system for non-legitimate Administrator account use was VPN
    1. Legitimate account of a sales person (VPN creds were taken)
    2. What can be found about the computer which connected?

Incident Objectives

  • Does the customer have any applicable processes for this incident?
    • Are the processes known and would they be helpful?

  • Does the team have the ability to search authentication data to determine when the Admin session was established?
    • Can the team differentiate between “legitimate” and non-legitimate access?

  • Once the analysis determines that the credentials may have been exposed, and that an admin account is involved, the analysis must not be centred on that server alone.

  • Does the team have the ability to search authentication data to determine all systems the administrator account authenticated to within the compromise window?

  • Are there documented escalation paths between administration team(s), contractors, IT leadership, Incident responders?

  • What is the organizational ability to respond to full loss of credentials?

  • How do responses change when the event is identified outside of standard business hours?

  • What would happen to the response process at the end of standard business hours, and is that sustainable across multiple days or weeks of response time?

  • Does the organization centrally log relevant IT data, does it retain it long enough to be useful, and can it be searched quickly enough to be relevant to analysis?

  • What controls are in place to prevent this type of incident?

  • What type of monitoring is in place to detect control failure?

  • How would evidence be collected from the Active Directory server?

  • What would be the business impact of the analysis effort?
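Added example, not from the exercise: scoping the admin account from logon records the way the objectives above describe, listing every host it authenticated to in the compromise window and separating sessions from a known admin workstation (treated as legitimate) from sessions sourced anywhere else, with VPN-sourced ones grouped by client address so the pivot path can be followed. The log lines, the VPN pool and the workstation address are assumed values constructed for this example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed logon records, not exercise data. Fields mirror Windows event 4624:
# time, account, logon type (10 = RDP, 3 = network), source IP, target host.
AUTH_LOG = """\
2024-01-10T10:00:00 CORP\\srvadmin 10 10.20.1.15 fs01
2024-02-20T09:12:04 CORP\\srvadmin 10 10.20.1.15 fs01
2024-02-20T22:41:19 CORP\\srvadmin 3 10.99.0.23 ad01
2024-02-20T22:50:02 CORP\\srvadmin 3 10.99.0.23 fs01
2024-02-20T22:53:47 CORP\\srvadmin 3 10.99.0.23 fs02
2024-02-21T08:30:11 CORP\\srvadmin 10 10.20.1.15 fs03
2024-03-05T23:05:33 CORP\\srvadmin 3 10.99.0.41 fs02
2024-03-05T23:09:10 CORP\\srvadmin 3 10.99.0.41 app07
2024-03-05T23:12:00 CORP\\jsmith 3 10.99.0.41 mail01
"""

VPN_POOL = ipaddress.ip_network("10.99.0.0/24")   # assumed VPN client address range
ADMIN_WORKSTATIONS = {"10.20.1.15"}               # assumed hosts the admin normally works from

def parse(log):
    """Yield (timestamp, account, logon type, source IP, target host) per record."""
    for line in log.splitlines():
        if line.strip():
            ts, account, ltype, src, host = line.split()
            yield datetime.fromisoformat(ts), account, int(ltype), src, host

def scope_account(log, account, start, end):
    """Every host `account` authenticated to between the ISO timestamps start and
    end. Sessions from a known admin workstation are dropped as expected activity;
    the rest are returned for review, earliest first, plus a per-VPN-client map."""
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    hosts, suspect, by_vpn_client = set(), [], defaultdict(set)
    for ts, acct, _ltype, src, host in parse(log):
        if acct != account or not (start <= ts <= end):
            continue
        hosts.add(host)
        if src in ADMIN_WORKSTATIONS:
            continue
        suspect.append((ts.isoformat(), src, host))
        if ipaddress.ip_address(src) in VPN_POOL:
            by_vpn_client[src].add(host)
    suspect.sort()
    return {
        "hosts": sorted(hosts),
        "suspect": suspect,
        "first_suspect": suspect[0][0] if suspect else None,
        "by_vpn_client": {ip: sorted(h) for ip, h in by_vpn_client.items()},
    }
```

The "first_suspect" timestamp answers when the non-legitimate admin session was established, and "by_vpn_client" ties each set of servers back to the VPN address that reached them.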

Closing Questions (to the participant group)

These questions are also in the Participant Brief.

  • How did the Team’s ability to respond during the TTX compare to your expectations at the start?

  • Were there any short-term changes that can be done to improve your response capability?

  • What could be done to reduce the breach exposure time?
