Thursday, February 23, 2017

Setting up a Pentesting... I mean, a Threat Hunting Lab - Part 4

It is time to create new Organizational Units (OUs), Users, Groups, GPOs, and join computers to our domain. Also, since we are going to learn how to create a GPO, I will show you how you can increase the visibility on your endpoints from a logging perspective by creating a more robust Audit Policy. Quoting Sean Metcalf "Securing Domain Controllers is only one part of Active Directory Security. Another is being able to detect anomalous activity which starts with logging." [source]

Creating Organizational Units (OUs)

Reasons to create OUs

Remember that OUs are used to structure data within an Active Directory. Typically, there are three reasons why you might need to create an OU:

  • Segregate Objects: It is common practice to group related data into an OU. For example, user and computer objects are typically stored in separate containers.
  • Delegate Administration: One of the primary reasons for creating an OU is to delegate administration. With OUs you can give a person or a group or people rights to perform certain administrative functions on objects within an OU.
  • Appy GPO: An OU is the lowest-level container object that a GPO can be applied to. If you have different types of users within your organization that need to apply different GPOs, the easiest way to set that up is by storing the users in different OUs and apply GPOs accordingly. 

How to create OUs?

To get started open your start menu and go to your "Apps" section. You can click the arrow pointing down, and it will take you to it. Click on "Active Directory users and Computers" 

Figure 1. Start Menu.

Figure 2. Apps Menu. Selecting Active Directory Users and Computers.

You will see the default OUs on the right panel that belong to your root domain name.

Figure 3. Active Directory Users and Computers Console.

Right click on your domain name > New > Organizational Unit.

Figure 4. Creating a new Organizational Unit.

Give it a name. You can start off with something like locations or different departments in your fake/lab organization. It will be all up to you how you want to set this up. We can start creating a Marketing OU as shown in figure 5 below.

Figure 5. Naming our first OU.

Figure 6. First OU created.

How do you delete a protected OU?

  • Click on View and enable Advanced Features
  • Right click on the protected OU you want to delete and select properties
  • Click on the tab name "object", and you will see that the checkbox for option "Protect object from deletion" is checked. All you have to do is click on the checkbox to disable that option.
  • Click Apply and OK
  • Now you can right click on the OU you just disable the "Protect object from deletion" option, and select Delete (Confirm you want to delete the OU by clicking yes on the warning message)

Figure 6. Enabling Advanced Features.

Figure 7. Organizational Units panel.

Figure 8. Marketing's Properties.

Figure 9. Marketing OU properties. Protect object from accidental deletion.

Figure 10. Marketing OU properties. Disabling "Protect object from accidental deletion".

Figure 11. Deleting OU.

Figure 12. Confirming deletion of OU.

Figure 13. Marketing OU successfully deleted. 

Finally, if you want to have an idea on how you could organize your OUs in a similar way how an organization would do it, check figure 14 below. (I have seen several mid-sized organizations doing it like that). That's how I have mine set up.

Figure 14. OUs example.

Creating Users

One way to create users is by using the same "Active Directory Users and Computers" console. Click on the OU you created to store domain users and right click on the right panel > select New > User option.

Figure 15. Creating users.

Type the name of the new user, the user logon name and click Next.

Figure 16. Creating users.

Type a password for your user, password properties and click Next.

Figure 17. Creating users.

If you want your user to change his or her password at next logon, check the option "user must change password at next logon".

Figure 18. Creating users.

Figure 19. user successfully created. 

There is another way to create users and it is through the new Active Directory Administrative Center console which I will show you later after creating a group. What you can try also, if you want to, is to follow a great article from Carlos Perez which shows you how to create real looking users accounts for your AD Lab (over 2000 users at once)

Creating Groups

Types of groups in Active Directory

  • Distribution Groups: Used to create email distribution lists.
  • Security Group: used to assign permissions to shared resources.

Group Scope

Groups are characterized by a score that identifies the extent to which the group is applied in the domain tree of forest. The scope of the group defines where the group can be granted permissions. [Source]

Possible Members
Scope Conversion
Can Grant Permissions
Possible Member of
Accounts from any domain in the same forest
Global groups from any domain in the same forest
Other Universal groups from any domain in the same forest
Can be converted to Domain Local scope
Can be converted to Global scope if the group does not contain any other Universal groups
On any domain in the same forest or trusting forests
Other Universal groups in the same forest
Domain Local groups in the same forest or trusting forests
Local groups on computers in the same forest or trusting forests
Accounts from the same domain
Other Global groups from the same domain
Can be converted to Universal scope if the group is not a member of any other global group
On any domain in the same forest, or trusting domains or forests
Universal groups from any domain in the same forest
Other Global groups from the same domain
Domain Local groups from any domain in the same forest, or from any trusting domain
Domain Local
Accounts from any domain or any trusted domain
Global groups from any domain or any trusted domain
Universal groups from any domain in the same forest
Other Domain Local groups from the same domain
Accounts, Global groups, and Universal groups from other forests and from external domains
Can be converted to Universal scope if the group does not contain any other Domain Local groups
Within the same domain
Other Domain Local groups from the same domain
Local groups on computers in the same domain, excluding built-in groups that have well-known SIDs

Creating a new Security - Domain Local Group

One common security group that is created in organizations is the "Workstations Administrators" group, and even though we are trying to keep our environment as basic and vulnerable as possible, it is a good exercise to understand how groups and GPOs work together to access resources in your domain. Our security group can be used to allow IT staff log on on to workstations with administrative privileges. We can still enable built-in administrators (RID 500) accounts in our workstations to test simple pass-the-hash attacks in future posts.

Go back to your Active Directory Users and Computers console, and click on the OU where you want to store your new group. I created an OU named "Groups" and two sub-groups "Distribution" & "Security". Right click on the OU (in my case Security) > New > Group.

Figure 20. Creating new group.

Based on the definitions provided above about group types and scopes, I created a Security Group with a Domain Local scope and named it " SG DL HF (domain name) Workstation Administrators"

Figure 21. Creating a new Security group - Domain Local scope.

Create a new user and add him or her to the new group

Now that we have our security group created, we can add users to it. We can just edit the profile of an existing user and add him or her to the security group. However, this time I want to show you how you can create a user and add him or her to an existing group at the same time by using the new Active Directory Administrative Center.

To get started open your start menu and go to your "Apps" section. You can click the arrow pointing down, and it will take you to it. Click on "Active Directory Administrative center" as shown in figure 22 below.

Figure 22. Active Directory Administrative Center Menu App.

Figure 23. Active Directory Administrative Center Overview.

If we expand our root domain name hf on the left panel, we can see that we can still navigate through all our custom OUs the same way how we did it while creating them via the Active Directory Users and Computers console. For this exercise, I browsed to my HF OU > Users > Global IT  organizational unit.

Figure 24. Navigating through OUs in Active Directory Administrative Center console. 

Figure 25. Selecting HF OU > Users > Global IT OU.

Fill out the necessary fields to create the new user. As you can see, we already have more options than what we had by default from the Active Directory Users and Computers console. 

Figure 26. Creating new user. 

Scroll down, and you will see even more options such as "Member Of" to add user to a group, Profile Paths, log on scripts and even authentication policies. We just click the option "Add" in the Member Of section, type our Security group name "SG DL HF Workstation Administrators", Click on Check names, and if the group exists, the name of our group gets underlined. Finally, click Ok and the user will be a member of that group as soon as it is created. 

Figure 27. More options such as Member of, Directly Associated Password Settings and Authentication policies.

Figure 28. Adding new user to a group. Security Group "Workstation Administrators".

Click Ok again and the user will be created. 

Figure 29. User settings configured and ready to be created. 

We already have a security group to store users that will be able to log on to computers with administrator privileges, but without a GPO with the right policy that allows users in that group log on to computers in the domain with administrator privileges, it will not work.

Creating Group Policy Objects (GPOs)

GPOs Overview

A Group Policy object (GPO) is a logical object composed of two components, a Group Policy container and a Group Policy template. Windows stores both of these objects on domain controllers in the domain. The Group Policy container object is stored in the domain partition of Active Directory. GPOs contain policy settings. You can think of GPOs as policy documents that apply their settings to the computers and users within their control.

Group Policy objects and their settings apply to computers and user to which they are linked. You can link GPOs to an Active Directory site, domain, organizational unit, or nested organizational unit. [Source]

Linking GPOs

Understanding Group Policy scope requires knowing where to link Group Policy objects so they apply to users or computer. To enable a Group Policy object to apply to a user or computer, you associate it with a specific location within Active Directory. Associating a Group Policy object with an object in Active Directory is called linking. Active Directory has rules that govern where you can link Group Policy objects. Active Directory objects to which you can link Group Policy objects include: [Source]
  • Site objects
  • Domain objects
  • Organizational Unit objects

Setting up our Workstations Administrator GPO

To get started, open your start menu and go to your "Apps" section as shown in figure 1 and 2. Click on "Group Policy Management" and select the OU which the policy will be applied to. In this case since we are trying to have users logging on to computers in the network with administrator privileges, I select my "Clients" OU.

Figure 30. Group Policy Management Console. 

Right click on the OU, select "Create a GPO in this domain, and link it here.." and give it a name.

Figure 31. Creating a GPO on Clients OU.

Figure 32. Naming our GPO.

Figure 33. GPO successfully created but not configured yet. 

Configure your new GPO by right clicking on it and selecting Edit.

Figure 34. Editing new GPO.

Once in the Group Policy Management Editor console, do the following:
  • Expand Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups
  • As you can see in figure 35 below, there are not groups or users set up yet. Right click on it and select New > Local Group
  • Set "Group Name" to Administrators (built-in)
  • In the "Members Section", click on the option "Add"
  • Look for the group you want to add to it. In our case, it will be our "SG DL HF Workstation Administrators"
  • Click Ok, Ok , Apply and Ok again.

Figure 35. Adding a new local group to our new GPO.

Figure 36. Selecting a specific group name . Administrators (Built-in).

Figure 37. Group name set to Administrators (built-in).

Figure 38. Adding a Local group member to the GPO. SG DL HF Workstation Administrator.

Figure 39. Confirming addition of  Local Group Member. 

Figure 40. New Local Group Properties. 

Figure 41. Applying changes.

Figure 42. GPO edited successfully. 

Now, whenever you add a windows system to your domain and check the local administrator group members, you will see your Security group in it as shown in figure 43 below.

Figure 43. Checking Local Administrator Group members.

But how can I test this if I don't have computers joined to my domain? (First make sure that you have your Windows 7 boxes set up and with IP addresses leased by your own Windows Server 2012.)

Joining computers to our domain

Want to redirect computers joined to your domain to an specific OU?

Before we start joining computers to our domain, we can set a new default container location to store computers joining our domain. For this, you will just have to use the "redircmp" command and the "Distinguished Name (DN)" of the container that will become the default location for newly created computer objects. 

Figure 44. Redirecting default container for computers being joined to the domain. 

Joining our first computer to our domain

As you can see in figure 45 below, our Windows 7 computer is not part our domain yet. It is part of a Workgroup named WORKGROUP. To get started click on "Change Settings"

Figure 45. System Information before joining it to our domain.

Next, in the "Computer Name" section click on the option "Change". Select the option Domain and type the name of your domain. I typed and clicked Ok.

Figure 46. Adding our system to our domain.

If for some reason you get the error in figure 47 below, make sure you can ping your DC and have your DC IP address as your primary DNS server.

Figure 47. Active Directory DC could not be contacted.

If your system can communicate with the DC, you will get a prompt to enter privileged credentials. I entered the credentials of our user that has administrator privileges.

Figure 48. Credentials to join computer to the domain. 

If everything goes well, you will receive a welcome message to your domain.

Figure 49. Welcome to the domain. 

Next, click Ok and restart your system.

Figure 50. Restarting system to apply changes.

Figure 51. Restarting system to apply changes.

After restarting your system, click on "Switch User" and select other user.

Figure 52. Switching user.

Figure 53. Switching user.

You can see that our user will be automatically logging on to HF (our domain)

Figure 54. Logging onto HF. 

Figure 55. Logging onto HF.

Now your computer will not longer be part of WORKGROUP. It will be part of the domain

Figure 56. Domain

If you go back to your DC's Active Directory Users and Computers console, you will see that the computer that you just joined to the domain will show up inside of the OU we set earlier as the default container to store computers joining the domain. If it is not there, just refresh your console, and it should show up. 

Figure 57. Computer showing inside of default container for computers joining the domain. 

If you want to go the extra mile and move your computer to another sub-OU, you can do it manually by selecting the computer and dragging it to the the right OU. Click yes and it will be moved to the set location. You can automate this with a script or Group Policy. 

Figure 58. Moving computers to sub-containers.

Awesome! so up to this point, we have most of the basic configurations of a domain setup taken care of. However, in order to increase the visibility on our domain endpoints from a logging perspective, it is important to create a more robust audit policy.

Creating a more robust Audit Policy

To get started open your Group Policy management console, right click on "Group Policy Objects", and select the options "New".

Figure 59. Creating new GPO.

Give it a name. I named mine "Full Domain Auditing Policy" and click Ok.

Figure 60. Naming our new GPO.

Right click on the new GPO and click on Edit. 

Figure 61. Editing Full Domain Auditing Policy. 

Prior to Windows Server 2008, Windows auditing was limited to 9 items. [Source]

Figure 62. Default Audit Policy items. 

Starting with Windows Vista & Windows Server 2008, Windows auditing is expanded to 57 items. [Source]

Figure 63. Additional 57 items to the Audit Policy. 

Go back to your Local Policies > Audit Policy, right click on each item, select properties and define the policy settings by selecting the attempts you want to audit.

Figure 64. Editing items in Local Policies - Audit Policy

Figure 65. Defining policy settings. 

Figure 66. First policy item set up successfully. 

Following Sean Metcalf's Full Domain Auditing Policy, I set up mine as shown in figure 67 below. 

Figure 67. Local Policies - Default Audit Policy set up. 

Now, before setting up your additional 57 items of your "Full Domain Auditing Policy", I believe it is important to take a look at what Microsoft recommends:

Microsoft Recommendations:

Audit Policy Category or SubcategoryWindows Default
Success Failure
Baseline Recommendation
Success Failure
Stronger  Recommendation
Success Failure
Account Logon
Audit Credential ValidationNo NoYes YesYes Yes
Audit Kerberos Authentication ServiceYes Yes
Audit Kerberos Service Ticket OperationsYes Yes
Audit Other Account Logon EventsYes Yes
Account Management
Audit Application Group Management
Audit Computer Account ManagementYes DCYes Yes
Audit Distribution Group Management
Audit Other Account Management EventsYes YesYes Yes
Audit Security Group ManagementYes YesYes Yes
Audit User Account ManagementYes NoYes YesYes Yes
Detailed Tracking
Audit DPAPI ActivityYes Yes
Audit Process CreationYes NoYes Yes
Audit Process Termination
Audit RPC Events
DS Access
Audit Detailed Directory Service Replication
Audit Directory Service AccessDC DCDC DC
Audit Directory Service ChangesDC DCDC DC
Audit Directory Service Replication
Logon and Logoff
Audit Account LockoutYes NoYes No
Audit User/Device Claims
Audit IPsec Extended Mode
Audit IPsec Main ModeIF IF
Audit IPsec Quick Mode
Audit LogoffYes NoYes NoYes No
Audit LogonYes NoYes YesYes Yes
Audit Network Policy ServerYes Yes
Audit Other Logon/Logoff EventsYes Yes
Audit Special Logon 
(Configuring Special Logon Auditing)
Yes NoYes NoYes Yes
Object Access
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Central Access Policy Staging
Policy Change
Audit Audit Policy ChangeYes NoYes YesYes Yes
Audit Authentication Policy ChangeYes NoYes NoYes Yes
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy ChangeYes
Audit Other Policy Change Events
Privilege Use
Audit Non Sensitive Privilege Use
Audit Other Privilege Use Events
Audit Sensitive Privilege Use
Audit IPsec DriverYes YesYes Yes
Audit Other System EventsYes Yes
Audit Security State ChangeYes NoYes YesYes Yes
Audit Security System ExtensionYes YesYes Yes
Audit System IntegrityYes YesYes YesYes Yes
Global Object Access Auditing
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity

I set up my policy items the following way:

Account Logon

Figure 68. Account Logon Policy.

Account Management

Figure 69. Account Management Policy.

Detailed Tracking

Figure 70. Detailed Tracking Policy. 

DS Access

Figure 71. DS Access Policy.


Figure 72. Logon/Logoff Policy.

Object Access

Figure 73. Object Access Policy.

Policy Change

Figure 74. Policy Change Policy.

Privilege Use

Figure 75. Privilege Use Policy.


Figure 76. System Policy.

Global Object Access

Figure 77. Global Object Access Policy.

One last step ! Group Policy allows audit policy to be set only at the category level, and existing Group Policy settings may override the subcategory settings of new computers as they are joined to the domain or upgraded. Enabling the Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings  policy settings allows audit policy to be managed by using subcategories without requiring a change to Group Policy. [Source]

Figure 78. Enabling Audit security option.

Right click on the Security Option Policy item, click Properties, Enable it, and apply it.

Figure 79. Enabling Audit security option

Figure 80. Enabling Audit security option

Figure 81. Enabling Audit security option

Link new "Full Domain Auditing Policy" GPO to the domain

Go back to your Group Policy Management Console, right click on your domain name and select "Link an Existing GPO".

Figure 82. Linking an existing GPO.

Select your new GPO ("Full Domain Auditing Policy")

Figure 83. Linking an existing GPO.

You will now see your new GPO under your root domain which means that it will be applied to your whole domain.

Figure 84. Linking an existing GPO.

Make sure you force a user and computer policy update on your systems by executing gpupdate /force as shown in figure 85 below.

Figure 85. Updating user and computers policies. 

You have officially set up and configured your own domain at home. As I explained before, I highly encourage you to do more research and customize your own. Now, this is a good time to take a snapshot of your DC VM and your other Windows systems in your domain. Remember that if you make any major changes to your domain, make sure you create snapshots. 

On the next post, I will show you how to set up our own hunting platform with the help of Elasticsearch, Logstash & Kibana (ELK). 

Feedback is greatly appreciated!  Thank you.

No comments:

Post a Comment