Detecting Abuse of Domain Administrator Privilege Using Windows Event Log

Fujimoto, Mariko; Matsuda, Wataru; Mitsunaga, Takuho

doi:10.1109/ains.2018.8631459

Cited by 7 publications

(3 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The title should be a comma-separated list with technical considerations. 33 The server includes additional extensions and is not required if their conditions are met (e.g., if extension A requires a specific GoLang that is not available on the server, then extension A is almost certainly not included at this point). It is possible to set default values for these alternatives when Sandcat is pulled from an attacker's machine.…”

Section: Methodsmentioning

confidence: 99%

Study of bypassing Microsoft Windows Security using the MITRE CALDERA Framework

Mohamed¹

2022

F1000Res

View full text Add to dashboard Cite

Background: Microsoft Windows Security is a recently implemented safeguard for the Windows operating systems, including the latest versions of Windows10 and 11. However, there is a major shortcoming in this system to stop Advanced Persistent Threat (APT). These are government-financed groups that are funded to attack other government entities. Following the initial security breach, the hacked Windows device is used to access the rest of the network devices in order to transfer data to external storage (Exfiltration). Methods: In this work, we have tested the Microsoft Windows Security system using MITRE CALDERA and ATT&CK frameworks and explain how APT groups are able to bypass Windows Security. Results: In this study we used "54ndc47" agent through GoLang feature in MITRE CALDERA platform to test and bypass Microsoft Windows Security systems (MS Windows 10). Through it, we were able to bypass the Windows Security system and display entire files in the victim's device. Conclusions: In this paper, we have provided recommendations to Microsoft to improve their Windows Security tool through the use of Artificial intelligence (AI).

show abstract

Section: Methodsmentioning

confidence: 99%

Study of bypassing Microsoft Windows Security using the MITRE CALDERA Framework

Mohamed¹

2022

F1000Res

View full text Add to dashboard Cite

show abstract

“…Fujimoto et al compared methods for detecting the abuse of domain administrator credentials proposed by other researchers. Since many detection methods are interested in detecting specific CVE's and attack methodologies like "Mimi Katz" or "Kerberoasting," the researchers are interested in combining the eclectic methodologies into a central repository of detection methods that can be used to detect abuse of domain administrator credentials into a single tool [29]. The researchers outline useful methods proposed by other researchers to detect abuse of domain administrator credentials.…”

Section: Detecting Abuse Of Domain Administrator Privilege Using Wind...mentioning

confidence: 99%

A Novel Method for Moving Laterally and Discovering Malicious Lateral Movements in Windows Operating Systems: A Case Study

Mailewa

Rozendaal²

2022

Adv. Technol.

View full text Add to dashboard Cite

Lateral movement is a pervasive threat because modern networked systems that provide access to multiple users are far more efficient than their non-networked counterparts. It is a well-known attack methodology with extensive research conducted investigating the prevention of lateral movement in enterprise systems. However, attackers use increasingly sophisticated methods to move laterally that bypass typical detection systems. This research comprehensively reviews the problems in lateral movement detection and outlines common defenses to protect modern systems from lateral movement attacks. A literature review outlines techniques for automatic detection of malicious lateral movement, explaining common attack methods utilized by advanced persistent threats and components built into the Windows operating system that can assist with discovering malicious lateral movement. Finally, a novel approach for moving laterally designed by other security researchers is reviewed and studied, an original process for detecting this method of lateral movement is proposed, and the application of the detection methodology is also expanded.

show abstract

“…The authors in [52] proposed a technique to detect attacks involving domain administrator accounts using Windows event logs. They proved that their scheme is efficient in detecting such attacks.…”

Section: Active Directory Attack Detectionmentioning

confidence: 99%

Active Directory Attacks—Steps, Types, and Signatures

et al. 2022

View full text Add to dashboard Cite

Active Directory Domain is a Microsoft service that allows and facilitates the centralized administration of all workstations and servers in any environment. Due to the wide use and adoption of this service, it has become a target for many attackers. Active Directory attacks have evolved through years. The attacks target different functions and features provided by Active Directory. In this paper, we provide insights on the criticality, impact, and detection of Active Directory attacks. We review the different Active Directory attacks. We introduce the steps of the Active Directory attack and the Kerberos authentication workflow, which is abused in most attacks to compromise the Active Directory environment. Further, we conduct experiments on two attacks that are based on privilege escalation in order to examine the attack signatures on Windows event logs. The content designed in this paper may serve as a baseline for organizations implementing detection mechanisms for their Active Directory environments.

show abstract

Detecting Abuse of Domain Administrator Privilege Using Windows Event Log

Cited by 7 publications

References 0 publications

Study of bypassing Microsoft Windows Security using the MITRE CALDERA Framework

Study of bypassing Microsoft Windows Security using the MITRE CALDERA Framework

A Novel Method for Moving Laterally and Discovering Malicious Lateral Movements in Windows Operating Systems: A Case Study

Active Directory Attacks—Steps, Types, and Signatures

Contact Info

Product

Resources

About