Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!

Detecting APT Attacks Against Active Directory Using Machine Learning

Wataru Matsuda & Mariko Fujimoto

In Advanced Persistent Threat (APT) attacks, attackers who have intruded into an organization's network tend to stay inside it, or to repeat the intrusion multiple times, until they accomplish their final goals, such as stealing sensitive information. When Active Directory, a centralized management system for Windows computers, is in place, attackers tend to attack Active Directory itself in order to expand the infection efficiently. Moreover, attackers try to obtain Domain Administrator privilege, the highest privilege in an Active Directory environment. Attackers who obtain Domain Administrator privilege are likely to create a backdoor called a "Golden Ticket", which disguises itself as a legitimate account, in order to retain administrative privilege over the long term.

The Golden Ticket is a Kerberos authentication ticket forged by attackers but carrying a legitimate signature. Attackers who have obtained Domain Administrator privilege can create authentication tickets with a very long validity period (e.g. ten years) for any Domain Administrator account. Attackers who successfully create a Golden Ticket can impersonate arbitrary Domain Administrator accounts for a long time. The extended validity of the Golden Ticket lets attackers keep using it even after the password of the compromised account has been changed.

Furthermore, since the Golden Ticket carries a legitimate signature, it is very difficult to distinguish from legitimate Kerberos authentication. Use of a Golden Ticket indicates that the Active Directory environment is under the attackers' full control, so immediate detection and appropriate countermeasures are required. However, detecting attacks that use a Golden Ticket is quite difficult, since attackers tend to leverage legitimate accounts or the legitimate tools and commands provided by Microsoft in order to avoid detection.

Several methods for detecting attacks against Active Directory have been proposed, for instance comparing process-execution logs against a blacklist of tools that attackers tend to use, or monitoring authentication requests from unexpected source computers. However, such methods have difficulty detecting attacks that leverage legitimate accounts or built-in Windows commands. Detection is also difficult if attackers rename the executable files of their attack tools to evade it.

Furthermore, an enterprise product has been released that detects attacks by monitoring the Domain Controller's network traffic. However, the product is expensive, and deployment is not always easy because the existing network structure has to be changed. For these reasons, a method is needed that achieves a low false-detection rate and is easy and inexpensive to deploy.

In this research, we propose a new method for detecting attacks against Active Directory that focuses on specific characteristics of APT attacks and on statistics of the commands and tools that attackers tend to use. Attacks against Active Directory proceed in several stages; we focus in particular on detecting attacker activity carried out with Domain Administrator privilege.

The proposed method consists of the following two steps.

Step 1 (Logical Detection): Logical Detection using multiple indicators
Step 2 (Machine Learning): Outlier Detection using unsupervised learning
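As an added illustration of the two-step structure above (this is not the authors' code, and the abstract does not publish their indicators or model), the following Python sketch runs both steps over constructed Windows Security event records. Step 1 combines two weak indicators per account and reports only accounts that trigger several of them: a service-ticket request (event 4769) with no preceding TGT request (event 4768) for the same account on any domain controller, which is what a forged TGT leaves behind because it was never issued by a DC, and a request from a host the account has never used. Step 2 builds a small per-account activity vector from the same events and flags accounts whose vector lies far from the rest using a median/MAD-based robust z-score, which needs no labelled data. Event IDs 4768 and 4769 are the standard Windows audit IDs; the simplified record fields, the host baseline, the sample events and the thresholds are this example's own assumptions, and it assumes logs from all DCs are collected into one stream.

```python
"""Two-step Golden Ticket detector over constructed Windows Security events.

Added example, not code from the abstract or its authors. Assumptions:
- Security logs from ALL domain controllers are collected into one stream.
- Records are reduced to the fields used here (t, id, acct, src, svc).
- Event IDs are the standard Windows audit IDs: 4768 = Kerberos TGT requested
  (AS exchange), 4769 = Kerberos service ticket requested (TGS exchange).
"""
from collections import defaultdict
from statistics import median

FEATURE_NAMES = ["service_ticket_requests", "distinct_services", "distinct_source_hosts"]

# Constructed sample events (not real data); t = minutes since midnight.
SAMPLE_EVENTS = [
    {"t": 10, "id": 4768, "acct": "alice", "src": "WS01"},
    {"t": 11, "id": 4769, "acct": "alice", "src": "WS01", "svc": "cifs/FS01"},
    {"t": 12, "id": 4769, "acct": "alice", "src": "WS01", "svc": "ldap/DC01"},
    {"t": 13, "id": 4768, "acct": "bob", "src": "WS02"},
    {"t": 14, "id": 4769, "acct": "bob", "src": "WS02", "svc": "cifs/FS01"},
    {"t": 15, "id": 4768, "acct": "carol", "src": "WS03"},
    {"t": 16, "id": 4769, "acct": "carol", "src": "WS03", "svc": "cifs/FS01"},
    {"t": 17, "id": 4769, "acct": "carol", "src": "WS03", "svc": "http/WEB01"},
    {"t": 18, "id": 4768, "acct": "dave", "src": "WS04"},
    {"t": 19, "id": 4769, "acct": "dave", "src": "WS04", "svc": "cifs/FS02"},
    {"t": 20, "id": 4768, "acct": "erin", "src": "WS05"},
    {"t": 21, "id": 4769, "acct": "erin", "src": "WS05", "svc": "cifs/FS01"},
    {"t": 22, "id": 4769, "acct": "erin", "src": "WS05", "svc": "ldap/DC01"},
    {"t": 23, "id": 4768, "acct": "frank", "src": "WS06"},
    {"t": 24, "id": 4769, "acct": "frank", "src": "WS06", "svc": "http/WEB01"},
]
# "administrator" requests service tickets from unusual hosts, and no DC ever
# logged a 4768 for it: its TGT was never issued by a DC (forged offline).
for _i, (_src, _svc) in enumerate([
        ("WS09", "cifs/DC01"), ("WS09", "ldap/DC01"), ("WS09", "host/DC01"),
        ("WS09", "cifs/DC02"), ("WS09", "ldap/DC02"), ("WS09", "host/DC02"),
        ("WS10", "cifs/FS01"), ("WS10", "cifs/FS02"), ("WS10", "cifs/DC01"),
        ("WS10", "ldap/DC01"), ("WS10", "cifs/FS01"), ("WS10", "ldap/DC02")]):
    SAMPLE_EVENTS.append({"t": 30 + _i, "id": 4769, "acct": "administrator",
                          "src": _src, "svc": _svc})

# Constructed baseline of hosts each account normally authenticates from.
KNOWN_HOSTS = {"alice": {"WS01"}, "bob": {"WS02"}, "carol": {"WS03"}, "dave": {"WS04"},
               "erin": {"WS05"}, "frank": {"WS06"}, "administrator": {"PAW01"}}


def logical_detection(events, known_hosts, min_indicators=2):
    """Step 1: combine weak indicators per account; report accounts that
    trigger at least `min_indicators` distinct ones."""
    first_tgt = {}
    for e in events:
        if e["id"] == 4768:
            first_tgt[e["acct"]] = min(e["t"], first_tgt.get(e["acct"], e["t"]))
    indicators = defaultdict(set)
    for e in events:
        if e["id"] != 4769:
            continue
        acct = e["acct"]
        # A forged TGT is never requested from a DC, so a service-ticket request
        # with no earlier 4768 for the account anywhere is suspicious. (A TGT
        # obtained before the log window looks the same, hence weak on its own.)
        if acct not in first_tgt or e["t"] < first_tgt[acct]:
            indicators[acct].add("4769 without preceding 4768")
        if e["src"] not in known_hosts.get(acct, set()):
            indicators[acct].add("request from unknown host " + e["src"])
    return {a: sorted(s) for a, s in indicators.items() if len(s) >= min_indicators}


def account_features(events):
    """Per-account activity vector over 4769 events, in FEATURE_NAMES order."""
    per = defaultdict(list)
    for e in events:
        if e["id"] == 4769:
            per[e["acct"]].append(e)
    return {a: [len(v), len({e["svc"] for e in v}), len({e["src"] for e in v})]
            for a, v in per.items()}


def robust_z(values):
    """Modified z-score: (x - median) / (1.4826 * MAD). When MAD is 0 (most
    accounts identical) fall back to 1.2533 * mean absolute deviation."""
    med = median(values)
    dev = [abs(v - med) for v in values]
    mad = median(dev)
    scale = 1.4826 * mad if mad > 0 else 1.2533 * sum(dev) / len(dev)
    return [(v - med) / scale if scale > 0 else 0.0 for v in values]


def outlier_detection(features, threshold=3.5):
    """Step 2: unsupervised; flags accounts whose activity is far above the
    population on any feature. Returns {account: {feature: z}}."""
    accts = sorted(features)
    flagged = {}
    for j, name in enumerate(FEATURE_NAMES):
        for a, z in zip(accts, robust_z([features[a][j] for a in accts])):
            if z > threshold:
                flagged.setdefault(a, {})[name] = round(z, 2)
    return flagged


if __name__ == "__main__":
    print("Step 1:", logical_detection(SAMPLE_EVENTS, KNOWN_HOSTS))
    print("Step 2:", outlier_detection(account_features(SAMPLE_EVENTS)))
```

On this constructed data only "administrator" is reported by both steps. Neither indicator in Step 1 is conclusive alone: a TGT cached from before the collection window also produces 4769 events without a 4768 in the window, and a new workstation also looks like an unknown host, which is why the step requires several indicators to agree and why Step 2 looks at the shape of the account's activity rather than at any single event.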

===

Wataru Matsuda joined NTT WEST, Ltd. in 2006. In 2015, he joined the Watch and Warning Group of JPCERT/CC, where he was engaged in information gathering and early warning activities. Now, as a Project Researcher in the Secure Information Society Research Group at the University of Tokyo, he is engaged in cyber security research, in particular log analysis for detecting targeted attacks.

---

Mariko Fujimoto joined NEC Solution Innovators, Ltd. in 2004 and worked on the development of software and systems for internal control. In 2015, she joined the Watch and Warning Group of JPCERT/CC, where she was engaged in information gathering and early warning activities. Now, as a Project Researcher in the Secure Information Society Research Group at the University of Tokyo, she is engaged in cyber security research, in particular log analysis for detecting targeted attacks.