TL;DR Walkthrough of the Recovering AD TryHackMe room.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
This is one of the random rooms I did on TryHackMe just to keep my streak going while I was finishing up my Masters degree. Thankfully that’s done now, so I have more time for TryHackMe, home labbing, and self study.
This isn’t a bad room per se; however, I’m not sure it stressed just how serious a complete and total breach of Active Directory is. In many cases simply restoring AD is not enough. One has to remember that if an attacker gains control of AD they also control:
- Every single user account in AD
- Every single group in AD
- Every single folder/file in the domain, as access to the data depends on NTFS DACLs, group membership, and ownership
- Group Policy
- Every single domain joined machine
They could install a keylogger on every domain system that sends the keystrokes back to their C2 server, for example. Simply restoring AD from a backup won’t remove that keylogger and the attacker would immediately re-compromise the organization.
They could create a scheduled task on a DC that dumps the krbtgt hash or all of NTDS.dit and sends the data back to their C2.
The point is that persistence is not my strong suit, and there are those out there who are far more clever than myself. Hence the information in this room is useful; just bear in mind that you might be re-imaging every single domain system and re-creating AD following a breach.
The Q & A
As always we connect via:
xfreerdp /v:10.10.50.82 /u:thm\\Administrator /p:recover@123 /dynamic-resolution
-- Task 1 --
I can connect to the machine.
No answer needed
What is the flag value after connecting to the machine?
Get-Content C:\Users\Administrator\Desktop\flag.txt
THM{I_CAN_CONNECT}
-- Task 2 --
What type of backups can be obtained from the Windows Server Backup utility (write the correct option only)? A: One-time B: Incremental C: Both A and B.
C
How would you launch the Windows Server Backup utility through the Run dialog box?
wbadmin.msc
Is it good practice to isolate the infected network infrastructure for detailed network monitoring? (yea/nay).
yea
-- Task 3 --
How many machines in the domain can you find when using PowerView?
(Get-ADComputer -Filter *).Count
11
What is the name of the utility in Windows that displays and keeps track of all the events?
Event Viewer
-- Task 4 --
What is the email address for the user evil.guy?
(Get-ADUser evil.guy -Properties *).EmailAddress
hack@crypto
What is the total number of users logged on after Dec 1, 2022?
# Look for accounts whose LastLogonDate is after 1 December 2022 (an unambiguous date literal avoids the "00:00:00 AM" parsing oddity)
$Cutoff = Get-Date "2022-12-01"
Get-ADUser -Filter {LastLogonDate -gt $Cutoff} -Properties LastLogonDate | Select-Object SamAccountName, LastLogonDate
1
What event ID will be logged if a user is removed from a universal security group?
4757
(Also 5136)
-- Task 5 --
Reset the password for the user evil.guy.
Set-ADAccountPassword -Identity evil.guy -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "RecoveryingAD123!" -Force)
No answer needed
What is the command to perform the password reset operation for a computer in the domain?
Reset-ComputerMachinePassword
What is the security vulnerability that involves abusing Kerberos service tickets called?
silver ticket abuse
-- Task 6 --
The type of attack that allows attackers to impersonate a domain controller and receive/forward requests on behalf of the domain controller is called?
DCSync
Is synchronising time on all network devices important to correlate logs on different devices? (yea/nay).
yea
-- Task 7 --
Click the View Site button at the top of the task to launch the static site in split view. What is the flag after completing the exercise?
THM{I_HAVE_RECOVERED_AD}
-- Task 8 --
I have completed the room.
No answer needed.
Querying some more because I was curious
Let’s query the SID for that account that was created and then check the Security log for anything with that SID.
$SID = (Get-ADUser evil.guy).SID.Value
$Events = Get-EventLog -LogName Security | Where-Object {$_.Message -like "*$SID*"}
# Count the events that reference this SID
$Events.Count
13
# Pull a specific event by its index in the result (Get-EventLog returns newest first)
$Events[0]  # most recent event
$Events[12] # oldest/initial event
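The timeline below was assembled by hand from the matching events. As an added example (not code from the walkthrough), the same picture can be built from the structured EventData fields instead of `-like` matching on the message text, which also lets Get-WinEvent filter on event IDs server-side. It assumes an elevated session on a domain controller with the ActiveDirectory module; `evil.guy` is the room's account name and the event IDs are the standard Windows Security IDs for account and group-membership changes.

```powershell
# Added example, not code from the walkthrough: rebuild an account timeline from
# structured event data rather than from message-text matching.
# Assumptions: elevated session on a DC, ActiveDirectory module available,
# 'evil.guy' is the account under investigation.
Import-Module ActiveDirectory

$AccountName = 'evil.guy'
$TargetSid   = (Get-ADUser -Identity $AccountName).SID.Value

# Standard Windows Security event IDs for account lifecycle and group membership changes.
$EventMap = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempted'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed (see NewUac column)'
    4728 = 'Member added to global security group'
    4729 = 'Member removed from global security group'
    4732 = 'Member added to domain-local security group'
    4733 = 'Member removed from domain-local security group'
    4756 = 'Member added to universal security group'
    4757 = 'Member removed from universal security group'
}

# Pull one named field out of an event's EventData block.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Filter on log name and event IDs in the query itself; far faster than piping every event through Where-Object.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($EventMap.Keys) } -ErrorAction SilentlyContinue

$Timeline = foreach ($e in $Events) {
    $target = Get-EventField -Event $e -Name 'TargetSid'   # the account, or for group events the group
    $member = Get-EventField -Event $e -Name 'MemberSid'   # the account being added/removed in group events
    if ($target -ne $TargetSid -and $member -ne $TargetSid) { continue }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Action = $EventMap[$e.Id]
        Actor  = Get-EventField -Event $e -Name 'SubjectUserName'
        Group  = if ($member) { Get-EventField -Event $e -Name 'TargetUserName' } else { $null }
        NewUac = if ($e.Id -eq 4738) { Get-EventField -Event $e -Name 'NewUacValue' } else { $null }
    }
}

$Timeline | Sort-Object Time | Format-Table Time, Id, Action, Actor, Group, NewUac -AutoSize
```

Matching on `TargetSid`/`MemberSid` rather than on the message avoids false hits when the SID string happens to appear elsewhere in an unrelated event, and the `NewUac` column surfaces the 0x11/0x10 disable/enable toggles directly instead of requiring each 4738 to be opened by hand.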
Rough timeline
- Evil.Guy was created [12 Apr at 12:19]
- Password was set [by the Administrator, aka SID 500]
- Evil.Guy was disabled by the Administrator [4738, UAC set to 0x11]
- Evil.Guy was enabled by the Administrator [4738, UAC set to 0x10]
- Evil.Guy was added to Administrators by the Administrator
- Evil.Guy was added to Domain Guests
- Evil.Guy was added to Group Policy Creator Owners
- Evil.Guy was removed from Group Policy Creator Owners
- Evil.Guy was added to Remote Desktop Users
There were also 2 new GPOs created. One allowed all Domain Users to RDP and the other enabled logging of policy changes.
Get-EventLog -LogName Security | Where-Object {$_.Message -like "*922c68db-5d6a-46d9-a3a7-2dd78d6dffe4*"}
and we find an Event ID 4662 referencing that GPO on 13 Apr at 14:14.
Of course, a simpler way to check the DTG a given GPO was created and/or modified is to query AD directly.
Get-ADObject -Filter * -SearchBase "CN=Policies,CN=System,DC=thm,DC=local" -Properties * | Select-Object DisplayName, Created, Modified
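Building on that query, here is an added example (not the walkthrough's code) that lists every GPO with its AD timestamps, flags the ones created or changed inside a lookback window, and cross-checks each flagged GPO against Directory Service Changes events (5137 created, 5136 modified) and against the domain-root links. It assumes an elevated session on a DC with the ActiveDirectory and GroupPolicy modules; the 30-day window is an arbitrary choice.

```powershell
# Added example, not code from the walkthrough: find recently created or modified GPOs
# and correlate them with Directory Service Changes events and domain-root links.
# Assumptions: elevated session on a DC with the ActiveDirectory and GroupPolicy
# modules; the 30-day lookback is arbitrary and should match the incident window.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Since      = (Get-Date).AddDays(-30)
$DomainDn   = (Get-ADDomain).DistinguishedName
$PolicyBase = "CN=Policies,CN=System,$DomainDn"

# Every GPO is a groupPolicyContainer object under CN=Policies whose CN is its GUID in braces.
$Gpos = Get-ADObject -SearchBase $PolicyBase -LDAPFilter '(objectClass=groupPolicyContainer)' `
            -Properties displayName, whenCreated, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Name    = $_.displayName
                Guid    = $_.Name.Trim('{}')
                Created = $_.whenCreated
                Changed = $_.whenChanged
            }
        }

$Recent = $Gpos | Where-Object { $_.Created -ge $Since -or $_.Changed -ge $Since }

# 5137 = directory object created, 5136 = directory object modified. These are only logged
# when "Audit Directory Service Changes" is enabled and the objects carry an auditing SACL,
# so an empty result does not prove nothing changed; the whenChanged attribute still does.
$DsEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137; StartTime = $Since } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -like '*groupPolicyContainer*' }

# GPOs linked at the domain root apply to everything; links on individual OUs need a separate pass.
$RootLinks = (Get-GPInheritance -Target $DomainDn).GpoLinks

foreach ($g in $Recent) {
    # The 5136/5137 message carries the object's DN, which contains the GPO's GUID.
    $hits = @($DsEvents | Where-Object { $_.Message -like "*$($g.Guid)*" })

    [pscustomobject]@{
        Name         = $g.Name
        Guid         = $g.Guid
        Created      = $g.Created
        Changed      = $g.Changed
        DsEvents     = $hits.Count
        FirstEvent   = if ($hits) { ($hits | Sort-Object TimeCreated)[0].TimeCreated } else { $null }
        LinkedAtRoot = [bool]($RootLinks | Where-Object { $_.GpoId -eq $g.Guid })
    }
}
```

A GPO that was created during the incident window, has no matching 5137 event because auditing was only switched on afterwards, and is linked at the domain root is exactly the pattern seen in this room (a new policy granting all Domain Users RDP), so the AD timestamps are the primary evidence and the event log is corroboration.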
Summary
We have gone over Group Policy before here and querying logs here, not to mention lots of previous TryHackMe walkthroughs that covered these topics.
I feel like it bears repeating; if a real attacker completely and totally compromises your AD then you are probably looking at a complete re-build of everything. If the attacker knows what they are doing they will leave so many persistence mechanisms behind that you will never be able to fully trust that domain again.
Just to be clear, a single successful dump of NTDS.dit [via DCSync, secretsdump, DSInternals, etc.] constitutes a complete and total compromise of AD. An attacker logging on as the Administrator, aka SID 500 in AD, is also a complete and total compromise.
One’s organizational policy will dictate exactly how to respond, and more than likely someone higher up the chain will call the shots on this. Just realize how serious this is; the entire org may be looking at a full rebuild anyway.
If you haven’t already seen it, read up on the Maersk story of a complete and total AD compromise here: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
References
A skilled APT breach requires a complete re-build: https://www.active-directory-security.com/2017/06/the-impact-of-an-active-directory-security-breach.html
Get-GPOReport: https://sid-500.com/2023/05/02/documenting-all-gpos-with-powershell/
UAC codes: https://www.reddit.com/r/sysadmin/comments/f67o6o/windows_event_id_4738/
NotPetya: https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Finding DCSync in the logs: https://www.linkedin.com/pulse/mimikatz-dcsync-event-log-detections-john-dwyer/