[Meta] Explore Detection Opportunities on Active Directory Relay, Spoofing and Coercion Attacks - Part 1

[w0rk3r]

Parent Epic (If Applicable)

https://github.com/elastic/ia-trade-team/issues/276

Summary

Explore how attackers can exploit Active Directory for Credential Access using Relay, spoofing and coercion attacks.

Tasks

Preview Give feedback

1. Build a Lab
2. Explore ADIDNS Spoofing
3. Explore WSUS Spoofing
4. Explore Coercion Attacks
5. Explore PowerShell Tooling

Goals

• Improve coverage for these attacks.
• Gain better knowledge of AD DS.

Resources:

• https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
• https://www.netspi.com/blog/technical/network-penetration-testing/adidns-revisited/
• https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications
• https://mayfly277.github.io/categories/ad/
• https://www.akamai.com/blog/security-research/spoofing-dns-by-abusing-dhcp
• https://www.youtube.com/watch?v=u-RsFCXMqfk
• https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/

PRs

• [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation #3535
• [New Rule] Creation of a DNS-Named Record #3539
• [New Rules] Potential PowerShell Pass-the-Hash/Relay Script #3543
• [New Rule] DNS Global Query Block List Modified or Disabled #3734
• [New Rule] Potential WPAD Spoofing via DNS Record Creation #3748
• [New Rule] Potential WSUS Abuse for Lateral Movement #3908
• [New Rule] Active Directory Forced Authentication from Linux Host #3912
• [New Rule] Potential Forced Authentication - SMB Named Pipes #3916
• [New Rule] Active Directory Forced Authentication from Linux Host - SMB Named Pipes #3917
• [New Rule] Potential Relay Attack against a Domain Controller #3928

[w0rk3r]

Closing this one as completed. I explored and read a lot of things that for sure will require more cycles to explore. I'll open follow-up issues.