WEVTX Event IDs

Now and again, we see online content that moves the community forward, a step or several steps. One such article appeared on Medium recently, titled Forensic Traces of Exploiting NTDS. This article begins developing the artifact constellations, and walks through forensic analysis of different means of credential theft on an Active Directory server.

We need to see more of these sorts of “how to investigate…” articles that go beyond just saying, “…look at the <data source>…”. Articles like this can be very useful because they help other analysts understand how to go about investigating these and similar issues.

The sole shortcoming of this article is that the research was clearly conducted by someone used to looking at forensic artifacts in a list; each artifact is presented individually, isolated from others, rather than as part of an artifact constellation. Analysts who come from a background such as this tend to approach analysis in this way, because this is how they were taught. 

Further, about halfway through the article we see a reference to “Event ID 400”; the subsequent images illustrate the event source as being “Kernel-PNP”. However, the event source isn’t specified in the text. If you Google for “event ID 400”, you find event sources such as Powershell, Microsoft-Windows-TerminalServices-Gateway, Performance Diagnostics, Veritas Enterprise Vault, and that’s just on the first page.
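As an added example (not code from this post or from the Medium article), the routine below keys rendered EVTX records by channel and provider as well as event ID, so that a bare “Event ID 400” lookup reports every source that emits it rather than silently picking one. The XML records are constructed for illustration, and the provider and channel names in them are assumptions, not values taken from real logs.

```python
"""Index Windows event records by (channel, provider, event ID), not bare ID."""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by EVTX records when rendered as XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not real log data); provider names follow the
# event sources named above for ID 400, plus one Security 4688 record.
SAMPLE_EVENTS = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event><System><Provider Name="Kernel-PNP"/><EventID>400</EventID>
    <Channel>System</Channel></System></Event>
  <Event><System><Provider Name="Powershell"/><EventID>400</EventID>
    <Channel>Windows PowerShell</Channel></System></Event>
  <Event><System><Provider Name="Microsoft-Windows-TerminalServices-Gateway"/>
    <EventID>400</EventID><Channel>TerminalServices-Gateway</Channel></System></Event>
  <Event><System><Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4688</EventID><Channel>Security</Channel></System></Event>
</Events>"""


def index_events(xml_text):
    """Count records keyed by (channel, provider, event ID)."""
    counts = Counter()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        sys_node = ev.find("e:System", NS)
        provider = sys_node.find("e:Provider", NS).get("Name")
        event_id = int(sys_node.findtext("e:EventID", namespaces=NS))
        channel = sys_node.findtext("e:Channel", default="", namespaces=NS)
        counts[(channel, provider, event_id)] += 1
    return counts


def sources_for(index, event_id):
    """Every (channel, provider) pair that emitted this bare event ID."""
    return sorted({(ch, prov) for (ch, prov, eid) in index if eid == event_id})


def describe(index, event_id):
    """Flag a bare ID that maps to more than one source."""
    sources = sources_for(index, event_id)
    if len(sources) > 1:
        return "ambiguous: ID %d seen from %d sources" % (event_id, len(sources))
    return "unique" if sources else "absent"


def has_process_creation_records(index):
    """True if any Security/4688 record exists; none at all usually means
    process-creation auditing was never enabled, not that nothing ran."""
    return any(ch == "Security" and eid == 4688 for (ch, _, eid) in index)
```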

About a third of the way down the article (sorry, images are numbered for reference) there’s an image with the caption “Event ID 4688”. The important thing that readers need to understand with this image is that these do not appear in the Security Event Log by default. For these events to appear, successful Process Tracking needs to be enabled, and there’s an additional step, a

This article has been indexed from Windows Incident Response.
