Blog
Threat Detection & Investigation in Active Directory
From unusual login behavior to potential compromise in a few quick clicks
Cal Jewell
February 20, 2020
TL;DR: failed logins -> kiosk -> external actor -> potentially compromised critical assets
I love poking around in Active Directory. It's fertile hunting for both security and performance customers.
I was delivering training for a customer recently, looking at failed logins. We saw a lot of failed logins for a certain user, one that happened to be a high privilege account. The security analyst I was training said they disable remote logins for this account by default. So, there shouldn't be logins coming from it.
Using the Records feature in Reveal(x), we grouped the login failures by client to identify the top offenders. Several machines appeared but one machine was clearly punching above its weight: one with "kiosk" in its name.
Turns out, it was indeed a kiosk.
The security analyst in my session confirmed the machine had no business connecting to production Oracle servers, so we pivoted from Records to view the kiosk as a single Asset. We found lots of your typical Client activity, but we also saw some SSH Server activity.
Wait, what?
Our next click took us to this kiosk's SSH Server metrics to see who had been SSH-ing into the kiosk. The 'clients' button produced a wall of internet IP addresses, meaning that assets on the internet were logging into this kiosk directly.
Not good.
We broadened our timeframe to twenty-four hours and hit the Geomap button. Cue lots of dots from a large communist country in Asia that's not North Korea. In the back of the room, my security analyst client was typing furiously.
Further discussion revealed that the kiosks weren't built from a standard image. There were guidelines and suggestions, but no standard image. And the security team didn't have the authority to take the kiosk off the network.
We turned our attention back to the kiosk, and picked the top external IP SSH-ing in. We needed to know what other connections that IP was making. Now that the bad guys had found one asset, had they found others? How bad was the damage?
We asked Records, "Who else has this external IP address SSH'd into....?"
Two clicks in Records got us a long, long list of customer assets this single IP in China was SSH-ing into. The security analyst sort of sat back, taking it all in.
Luckily, Reveal(x) made it easy to determine exactly how valuable several of the SSH targets were to the organization. Armed with that info, the analyst was able to find the most critical target asset in his SIEM and build out a stronger case for taking action against the kiosk.
Closing quote? "I'd have never found this [in the SIEM]."
If you want to see how this type of investigation works in Reveal(x), check out the short video below showing the basic threat investigation workflow. You can also give it a try for yourself by poking around in the full product demo, available online here.
Discover more