
Splunking_ActiveDirectory

odorusatoshi
December 10, 2018


First AD log analysis


Transcript

  1. © 2017 SPLUNK INC. Step: Active Directory log analysis. Splunk Services Japan, Sales Engineer. (The Japanese title text on this slide is not recoverable.)
  3. Network overview diagram. Labels: Internet, external DMZ, internal DMZ, internal network, attacker, command and control server.
  4. Network diagram with components and attack phases.
    • Components: Firewall, SPAM filter, mail server, DNS, Web proxy, file server, Active Directory, DB server, Web application server, IDS/IPS, WAF, Sandbox, PC, antivirus, DLP, EDR, command and control server.
    • Attack phases: planning, attack preparation, initial intrusion, infrastructure building, internal reconnaissance and intrusion, objective execution, re-intrusion.
    • Markers on the diagram: "Step covered" (three times) and "internal countermeasures" (twice).
  6. Active Directory. Kerberos ticket items named on this slide: Golden Ticket (TGT) and Silver Ticket (ST).
  8. Windows Security event IDs referenced on this slide: 4624, 4672, 4698, 4768, 4769, 4776. Source cited: JPCERT.
  9. Splunk search for suspicious PowerShell process creation (Windows Security event 4688):
    sourcetype="WinEventLog:Security" (EventCode=4688) (powershell* AND -ExecutionPolicy) OR (powershell* AND bypass) OR (powershell* AND -noprofile) OR (powershell* AND Invoke-Command) | table _time, host, Account_Name, New_Process_ID, Process_Command_Line, New_Process_Name
    Process_Command_Line is populated only when command-line auditing is enabled for process creation events.
  17. Tools named on this slide, grouped as on the slide (the group headings are not recoverable):
    • PsExec, wmic, PowerShell, at
    • PWDump7, Mimikatz, WCE, lslsass
    • Htran, Fake wpad
    • RDP
    • Pass-the-hash, Pass-the-ticket: WCE, Mimikatz
    • MS14-058 Exploit, MS15-078 Exploit, SDB UAC Bypass
    • MS14-068 Exploit, Mimikatz
    • Active Directory: ntdsutil, vssadmin
    • net user
    • net use, net share, icacls
    • sdelete, timestomp
    • wevtutil
    • csvde, ldifde, dsquery