Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 5

Now that we understand how monitoring authentication patterns and authentication-based attacks can lead to an overwhelming amount of data which prevents any meaningful analysis, we can focus on our fifth, and final challenge of monitoring critical systems.

Challenge 5 – Permission Changes and Object Changes

Some of the most important changes to monitor within Active Directory are the changes to the security of the containers and objects.  Permissions control who can elevate privileges by changing group policies, adding members to administrative groups, or causing outages by moving or deleting objects.  Having weak permissions leaves an organization exposed to easy exploitations.

With so much impacted by permissions, it is necessary to know when permissions change and to understand the impact of those changes.  While Active Directory does log events for permission changes, the information within those events is extremely difficult to understand.  The details about the permissions change are represented using Security Descriptor Definition Language (SDDL), as shown in Figure 5.  

In addition to being cryptic and requiring translation to make it usable, this information does not identify what the permission change was.  To understand the change it is necessary to look at two separate events that are logged. The original permission will be represented in the first event, indicating the deletion of the original permissions. This event is followed by a second event, showing the new permissions.  To understand the difference, you must compare the two to see what changed. 

The same applies not only to permission changes but also to object protection.  Object protection is a feature of Active Directory that helps prevent accidental deletion of objects such as users, groups, and OUs.  When this is turned off, it is very easy to delete an object and therefore this is enabled on most critical objects.  Turning this feature off is definitely worth monitoring, however, this change is represented by events similar to Figure 4 where you see the details represented in SDDL.  

Representing permission changes and object protection changes with this cryptic language makes it very difficult to understand how the security of Active Directory is changing and whether the changes are worth alerting on or not.

Active Directory essentially contains the keys to the kingdom, which is why it’s such a popular target for attackers. Through this blog series, we’ve explored various reasons that monitoring Active Directory can be difficult. The challenges we discussed include:

• Group membership changes
• Group policy changes
• Monitoring directory reads
• Tracking authentication events
• Permission changes and object changes

Since attackers continue to evolve, critical system monitoring must improve at an even quicker pace. It’s clear that event logs come with limitations that make it increasingly more difficult for customers to secure their organization from these attacks.

Click here to learn how STEALTHbits tackles Active Directory Management and Security.

Other blogs in the series:

• Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 1
• Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 2
• Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 3
• Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 4