Identify Kerberos brute force attacks with the Active Directory bundle

In a brute force attack, an attacker gains access to your system simply by repeatedly logging in with a variety of passwords until they guess the correct one. The ExtraHop Active Directory bundle can help you discover when these attacks are happening and where they are coming from.

In this walkthrough, you will learn how to download, install, and configure the Active Directory bundle, and then identify potential Kerberos brute force attacks with the Active Directory dashboard.

Prerequisites

  • Familiarize yourself with the concepts in this walkthrough by reading the Bundles concepts topic.
  • You must have access to an ExtraHop Discover appliance with a user account that has full write privileges.
  • You must be familiar with modifying triggers. For more information, see the Triggers concepts topic.

Download the ExtraHop Active Directory Bundle

Before you can upload the Active Directory Bundle to your appliance, you must download the bundle from the ExtraHop website.

  1. Go to the ExtraHop Solution Bundles Gallery.
  2. Click Browse All Bundles.
  3. In the search bar, type Active Directory.
  4. In the table, click Active Directory.
  5. If you have not already logged into the ExtraHop website, click Login in the right pane and then specify a valid username and password.
  6. Click Download Now.
  7. Save the .json file to a location on your local machine.

Upload and apply the Active Directory Bundle to your ExtraHop appliance

After you have downloaded the Active Directory Bundle, you can upload and install the bundle on your appliance.

  1. Log into the Web UI of a Discover appliance.
  2. Click the System Settings icon in the upper right corner.
  3. Click Bundles.
  4. On the Bundles page, click Upload.
  5. In the Load Bundle dialog box, click the Choose File button, and then select the Active Directory Bundle file you downloaded from the ExtraHop Solution Bundle Gallery.
  6. Click Upload.
  7. Select the Apply 7 included assignments checkbox.
  8. From the Existing objects drop-down menu, select Overwrite.
    Selecting this option will overwrite any objects that have the same name as objects in the bundle.
  9. Click Apply.
  10. In the Bundle Import Status dialog box, click OK.
  11. In the View Bundle window, click OK.

Configure the Active Directory trigger

Before you can begin monitoring Active Directory activity, you must configure the trigger to mirror lockout and privileged account settings in your Active Directory environment.

  1. Click the System Settings icon .
  2. Click Triggers.
  3. In the table, click Active Directory.
  4. Click the Editor tab.
  5. Set the failedLoginDisableInterval constant to the value of the Reset account lockout counter after setting in your Active Directory environment.
  6. Set the accountLockoutDuration constant to the value of the Account lockout duration setting in your Active Directory environment.
  7. Under priv_names, specify all privileged accounts in your Active Directory environment.
  8. Click the Configuration tab.
  9. Clear the Disable Trigger checkbox to enable the trigger.
  10. Click Save and Close.

Configure Active Directory alerts

The Active Directory Bundle includes alerts that you can configure to email you when high processing and response times are detected. You can also be alerted when a privileged account accesses resources for the first time, or if someone attempts to log into a privileged account too many times with an invalid password.

  1. Click the System Settings icon .
  2. Click Alerts.
  3. Enable each alert and configure the alert to send notifications to your email address.
    Repeat these steps for each of the five ransomware alerts.
    1. Click Active Directory <alert>.
    2. Deselect the Disable Alert checkbox.
    3. Click Notifications.
    4. In the Additional email addresses field, type your email address.
    5. Click OK.

Identify Kerberos brute force attack

This example shows how you can detect Kerberos brute force attacks with the Active Directory bundle.

The Active Directory dashboard shows you how many times a user has attempted to log into a Kerberos system with an invalid password. In the example below, the bundle detected 13,605 unsuccessful log in attempts.

The Top 10 Users with Invalid Passwords chart then shows you which user accounts people are attempting to log into. User names are listed next to the IP address of the machine they attempted to log in from. In the following example, a machine with an IP address of 200.50.100.1 attempted to log into the kenp account 13,602 times:

It is highly unlikely that the legitimate owner of the kenp account attempted to log in thirteen thousand times without contacting an administrator. High levels of invalid logins like this are usually the result of a brute-force attack. The attacker is trying every possible password in an attempt to discover the correct one. With an ExtraHop Explore appliance, we can gain even more insight into the attack. To do this, we type the IP address of the machine into the top search bar, and then click Search Records for 200.50.100.1.

The records table shows all transactions related to the specified IP address. Clicking Kerberos Response AD in the left pane limits the results to Kerberos transactions only. Sorting the table by AD Error shows us all invalid password requests, including which machines specified those invalid passwords. The table shows that although the invalid password attempts all came from 200.50.100.1, there are a number of successful requests coming from 10.100.100.1:

These results suggest that 10.100.100.1 belongs to the actual user, and 200.50.100.1 belongs to the attacker. We can now block logins from 200.50.100.1 and contact the owners of both machines to confirm.

Next steps

Now that the Active Directory bundle is up and running, you can check out the other charts in the Active Directory dashboard to monitor potential access and authentication issues.

Published 2017-12-11 19:17