I was working on some presentaiton slides for my upcoming talk on 'communication'. I felt I made some good progress and wanted to reward myself by blogging.
Update: This idea was inspired from a blog post on ATT&CK by the Brakeing Incident Response Podcast crew, Episode 7
Blogging on what? The ATT&CK framework of course. Its super popular, very useful, and I was like: "I should try this in my home lab in just a basic use case". So the idea was to pick an attack and just investigate a local system. SUPER BASIC.
AKA: As a defender I want to investigate if my windows system has been compromised.
My Lab as the platform
I have a simple home LAB setup. Always needing to finish it off properly. The most important pieces is that I have a Domain setup and wanted to use that for the ATT&CK use case.Example of my Home Lab (I am quite proud of this so far):
The Test Case from ATT&CK
So lets go to the mitre ATT&CK page and then to the Windows Techniques. There are many techniques to choose from.
Having many to choose from. I chose something simple. Something like "Brute Force". The idea here is that I can just check the event viewer for logs maybe. Without having to install tools like sysmon or OSquery for advanced logging and metrics.
From the section on "Brute Force" on ATT&CK the description is:
"Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained."
The below paragraph I thought would be a good use case
"Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies."
The Plan:
I want to check my Domain / systems for any instance of brute force attacks.
Where to start?
Let us Google Windows Password Brute Force Attack. But this more comes up with Password Cracking Tools. Such as shown here:
This is in the right area. But not really Brute forcing a system.
There is a tool called THC- Hydra that can brute force Windows, such as SMB authentication.
But is that right?
So I've found a tool that brute forces SMB, but that does not help me look on Windows for Brute Force Attacks - It does help me emulate the attacks if I am unable to see anything on my Windows System.
ATT&CK Brute Force
I was Googling around and though that a failed brute force attack will show many failed logins on Windows Systems. I checked the ATT&CK Brute Force description page and I was correct.
There is a detection system and they suggest monitoring authentication logs for system and application login falies of Valid Accounts. - Lesson learned, ATT&CK will give a break down of mitigation and detection of attacks. Super cool!
So how does one monitor authentication logs? - GOOGLE ftw
Viewing Authentication Logs
I got lost in here for a while. Deep and helpful, but not specifically what I was looking for.
I found an article on monitoring logons in windows environments. Which fortunately covers Domain authentication and where to look for the logs. The key point is that authentication in a Domain is by default managed by Kerberos.
Specifically for a Windows Domain
There are 2 places to monitor for a Windows domain:
- The Domain Controller
- Windows Client (computer a user logs into).
Domain Controller Security Log
So I have a Domain Controller installed headless. So I had to look at powershell commands to view the event logs.
Initially I ran the Get-EventLog Security command. Which was close, but results in a high amount of scrolling data:
I can search the Security events which is great. But I need to be more specific
Using Powershell on the Domain Controller, I had no 'failed login attempts':
I was not sure if my command was correct. So I quickly created some failed logins via Powershell.
I re-ran the command and it worked:
Clearly my DC has not had any bruteforce attacks on it.
I attempted to get the Username with some PowerShell fu (that I Googled), but I need more practice:
Windows Client Security Log
My Windows client is simply a base install of Windows10.
Wrap -up
So as expected I found very little evidence of BruteForce attacks specifically through the event viewer. This was a very basic example of using ATT&CK for detection / hunting.
None of this was advanced, and is a very simple of example of learning using the ATT&CK framework.
Cheers
Haydn
