Real-Time Detection of Attacks Leveraging Domain Administrator Privilege

The presentation discusses a proposal for a detection method using a combination of signature-based and machine learning processes for real-time detection of attacks in a domain controller environment.

• The proposed method uses a combination of signature-based and machine learning processes to reduce false positives and achieve a precision rate of 90%
• The method was implemented using Elastic Stack, an open-source product for correcting and visualizing event orders
• The demonstration scenario involves an attacker accessing a domain controller using a compromised domain administrator account and executing suspicious commands
• The proposed method can detect attacks even in difficult situations where legitimate accounts and Windows commands are abused
• The authors plan to analyze the appendix of client computers for further investigation and have published their detection tools on Github

The demonstration scenario involves an attacker accessing a domain controller using a compromised domain administrator account and executing suspicious commands. The proposed method was able to detect the attack and send email notifications to security operators with important information such as the executed process name and compromised IP address and account, allowing for quick response to the incident.

In Advanced Persistent Threat (APT) attacks, attackers tend to target the Active Directory to expand infections. Attackers try to take over Domain Administrator privilege and create a backdoor called "Golden Ticket" which can disguise themselves as arbitrary legitimate accounts, in order to obtain long-term administrator privilege. However, detecting attacks using this method is quite difficult since attackers often leverage legitimate accounts and commands, which are not identified as anomaly.We will introduce a real-time detection method for attack activities leveraging Domain Administrator privilege including Golden Tickets by using Domain Controller Event logs. If we can detect attack activities with Domain Administrator privilege immediately, the damage can be minimized.Our proposed method consists of the following steps to reduce false detection rate and help immediate response.Step1 (Signature based detection): Firstly, analyze Event logs focusing on the characteristics of the attack activities.Step2 (Machine Learning): Analyze with anomaly detection using unsupervised machine learning and detect suspicious commands as outlier which attackers tend to use.Step3 (Real-time alert): If attack activities are detected, raise real-time alert using Elastic Stack.We have developed a tool for detection and published on GitHub. We also show the specific algorithm of the proposed method and how to implement the method. The method can be easily implemented, and help immediate response to attacks.