Active Directory Advanced Threat Hunting - Compare GPOs with the Security Compliance Toolkit


Dear Microsoft Active Directory friends,

 

Even in the age of digital transformation, group policy settings (still) play a crucial role in maintaining network security and compliance. Advanced Hunting, an advanced technique for monitoring and analyzing these settings, is an indispensable tool for administrators. This method makes it possible to gain in-depth insights into the configuration and security situation of Windows networks. By using specific tools and scripts, professionals can detect security vulnerabilities, identify configuration errors and ensure that all group policies meet the highest security and compliance requirements. This article introduces the concept of Advanced Hunting for Group Policy settings and how it can transform management and security in IT infrastructures.

 

Do we now need additional software and/or expensive tools? No, all we need is a little time, curiosity and the "Security Compliance Toolkit", which Microsoft is making available to us free of charge (thanks to Microsoft at this point).

 

But first, before we start analyzing the group policy settings, let's take a closer look at the relevant MITRE techniques and the Windows Event IDs that go with them.

 

We start with a list of MITRE techniques:

Domain Policy Modification
Domain Policy Modification: Group Policy Modification
Group Policy Discovery
Domain Policy Modification: Domain Trust Modification
Unsecured Credentials: Group Policy Preferences
 
The Windows Event IDs for the MITRE techniques:

Domain Policy Modification
4739(S): Domain Policy was changed

Group Policy Discovery
Appendix L: Events to Monitor

Domain Policy Modification: Domain Trust Modification
4716(S): Trusted domain information was modified
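As an added example (not part of the article), the following PowerShell pulls the two event IDs listed above from a domain controller's Security log and labels each hit with the MITRE technique it maps to. The domain controller name, the seven-day lookback and the output folder are assumptions; the account running it needs rights to read the remote Security log (for example membership in Event Log Readers).

```powershell
# Added example, not part of the article: hunt for the two event IDs the article
# maps to MITRE techniques (4739 = Domain Policy was changed,
# 4716 = Trusted domain information was modified) in a DC's Security log.
# Assumptions: DC name below, seven-day lookback, Event Log Readers rights.

$DomainController = 'DC01.contoso.local'   # assumption: replace with your DC
$LookbackDays     = 7

$TechniqueMap = @{
    4739 = 'Domain Policy Modification (4739: Domain Policy was changed)'
    4716 = 'Domain Trust Modification (4716: Trusted domain information was modified)'
}

$Filter = @{
    LogName   = 'Security'
    Id        = @($TechniqueMap.Keys)
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}

# Get-WinEvent throws when nothing matches; SilentlyContinue turns that into an empty result
$Events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $Filter -ErrorAction SilentlyContinue

$Report = foreach ($Event in $Events) {
    # Read the subject from the event XML rather than positional Properties[] indexes,
    # because the field order differs between 4739 and 4716.
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($Item in $Xml.Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }

    # 4739 names the policy area that changed; 4716 names the trust (TDO) type
    if ($Event.Id -eq 4739) { $Detail = $Data['DomainPolicyChanged'] }
    else                    { $Detail = $Data['TdoType'] }

    [pscustomobject]@{
        TimeCreated = $Event.TimeCreated
        EventId     = $Event.Id
        Technique   = $TechniqueMap[[int]$Event.Id]
        Subject     = '{0}\{1}' -f $Data['SubjectDomainName'], $Data['SubjectUserName']
        Detail      = $Detail
    }
}

$Report | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Run it on a schedule and keep the output: a 4739 or 4716 that does not line up with a documented change window is exactly the kind of finding the group policy review below is meant to surface.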
 
Compare the Default Domain Controllers Policy with the security baselines using the Policy Analyzer!

 

So that we can compare the Default Domain Controllers Policy, we first create a backup of it:

pol_0.png

 

Security Compliance Toolkit and Baselines can be downloaded here:
https://www.microsoft.com/en-us/download/details.aspx?id=55319

 

We need the necessary tools and baselines:

pol_1.png

 

Extract the files:

pol_2.png

 

From the Windows-Server-2022-Security-Baseline-FINAL folder, copy the following file:

pol_3.png

 

Paste the file in the Policy Analyzer folder:

pol_4.png

 

Open the Policy Analyzer:

pol_5.png

 

NOTE: If you have a low screen resolution you may not be able to see the bottom part of the application. It is important that you see the bottom part so that you can adjust the path to the policy rule sets (see red marker).

 

Now we have to add the Default Domain Controllers Policy:

pol_6.png

 

Click on the import button:

pol_7.png

 

Give it a name and then click on Save:

pol_8.png

 

Now you can compare the policy with the security baseline:

pol_9.png
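The backup step at the start of this procedure can also be scripted, which is useful when the comparison should be repeated regularly. The following PowerShell is an added example and not part of the article: it backs up the Default Domain Controllers Policy with the GroupPolicy module and writes an XML report next to it; the resulting backup folder is what you then add in Policy Analyzer as shown above. The backup location `C:\GPOBackup` is an assumption, and the module must be available (a domain controller or a machine with RSAT installed).

```powershell
# Added example, not part of the article: script the GPO backup the article creates
# in the Group Policy Management Console, ready for import into Policy Analyzer.
# Assumptions: GroupPolicy module present (DC or RSAT), C:\GPOBackup is writable,
# the running account can read the GPO.

Import-Module GroupPolicy

$GpoName    = 'Default Domain Controllers Policy'
$BackupRoot = 'C:\GPOBackup'                      # assumption: local backup location
$Stamp      = Get-Date -Format 'yyyyMMdd-HHmm'
$BackupPath = Join-Path $BackupRoot $Stamp

New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# Back up the single GPO the article compares. To export every GPO in the domain
# in one pass (for a full-estate comparison), replace this line with:
#   Backup-GPO -All -Path $BackupPath
$Backup = Backup-GPO -Name $GpoName -Path $BackupPath -Comment "Baseline comparison $Stamp"

# Keep a human-readable report next to the backup for later review
Get-GPOReport -Name $GpoName -ReportType Xml -Path (Join-Path $BackupPath "${GpoName}.xml")

# Summary of what was written; BackupPath is the folder to add in Policy Analyzer
[pscustomobject]@{
    Gpo        = $Backup.DisplayName
    GpoId      = $Backup.GpoId
    BackupId   = $Backup.Id
    BackupPath = $BackupPath
}
```

Keeping dated backup folders also gives you something to diff against: after a 4739 event (see the hunting section above), compare the current backup with the previous one in Policy Analyzer to see exactly which setting moved.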

 

HAPPY COMPARING!

 

If you want to examine your Active Directory with PowerShell, you will find a "small" compilation of various PowerShell scripts in the following link:

https://github.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/tree/main/PowerShell

 

NOTE: Before using these scripts, make sure that you have the necessary authorizations. This should always be in writing. Although the scripts do not change any settings or manipulate the system, it is your responsibility how you use these scripts!

 

I hope that this information is helpful to you and that it has given you a good "little" foundation. This article is by no means complete or exhaustive, but I hope it gives you a useful starting point.

 

Thank you for taking the time to read the article.

 

Happy Comparing and Hunting, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

5 Replies
This has never been explained better,
Great Work Tom !!!

P.S. See also OnBoarding Accelerator Implementing Secure Baselines in our Workshoplist ;)

@TomWechsler 

 

Sorry, my AD knowledge is near to 0. 

But why do you choose the default Domain Group Policy? We have near 100 different GPOs. Do we have to take every one and back it up and run the compare against them? 

 

BR

 

Rob