
AD Tripwires - Getting Started

NodeZero Pentest Consideration

Having a NodeZero pentest running while setting up AD Tripwires may cause false-positive tripwire triggers. Let ongoing pentests complete, or cancel them, before proceeding with AD Tripwire setup, and specifically before running the PowerShell command that configures the accounts. If you cancel pentests, you can start new ones once the AD Tripwire accounts are configured properly.

Initial Setup

1. Configure Active Directory Accounts

Setup AD Tripwires modal

  • Specify the Active Directory domain to configure for tripwires
  • Select AD tripwire account types
  • Specify user names for each selected AD tripwire account type
  • Specify a user name for a new service account that will be used by the AD Agent to audit tripwire events

2. Create Domain Policy

Download & Configure Domain Policy

The domain policy enables additional security event logging required for AD Tripwires detection across all domain controllers. Some events are enabled by default in Windows, while others are specifically enabled by the IoA Domain Policy.

Event Coverage:

  • Events enabled by default in Windows:
    • 1100: Event Log service has shut down
      Detects attempts to disable or tamper with event logging.
    • 1101: Audit events dropped by transport
      Indicates possible loss of audit data due to system or network issues.
    • 1102: Audit log cleared
      Alerts when the security log is cleared, which may indicate attacker log cleanup.
    • 1104: Security log full
      Warns when the security log is full and may stop recording new events.
  • Events enabled by the IoA Domain Policy:
    • 4625: Failed logon attempt (Kerberos or NTLM)
      Detects failed login attempts to tripwire accounts, such as password spraying or brute force attacks.
    • 4768: Kerberos authentication ticket (TGT) was requested
      Detects AS-REP roasting attempts against tripwire accounts with pre-authentication disabled.
    • 4769: Kerberos service ticket (TGS) was requested
      Detects Kerberoasting attempts by monitoring TGS requests for tripwire service accounts.
    • 4771: Kerberos pre-authentication failed
      Identifies failed Kerberos authentication attempts, including brute force or password guessing against tripwire accounts.
    • 4776: NTLM authentication failed (NTLM credential validation failure)
      Detects failed NTLM authentication attempts to tripwire accounts, such as brute force or password guessing using NTLM.
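The following PowerShell is an added example, not part of the Horizon3 documentation or the AD Agent itself: it pulls the Security events listed above from one domain controller and keeps only those involving a tripwire account, which is a quick local check that the domain policy is producing the expected telemetry. The hostname and account names are placeholders for whatever you entered in the setup modal.

```powershell
# Added example (not Horizon3 code): read tripwire-relevant Security events from a DC.
# Assumes rights to read the remote Security log; names below are placeholders.
$DomainController = 'DC01'                                          # placeholder hostname
$TripwireAccounts = @('svc_tripwire_spn', 'tw_asrep', 'tw_exposed')  # placeholder tripwire accounts
$AccountEvents = 4625, 4768, 4769, 4771, 4776   # enabled by the IoA Domain Policy
$LogEvents     = 1100, 1101, 1102, 1104         # enabled by default in Windows
$Since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = ($AccountEvents + $LogEvents); StartTime = $Since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Event-log integrity events carry no target account; report every one of them.
    if ($LogEvents -contains $e.Id) {
        [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Account = '-'; Source = '-'; Detail = 'event log integrity' }
        continue
    }
    # Flatten EventData into a name/value table; field names differ per event ID.
    $data = @{}
    foreach ($d in ([xml]($e.ToXml())).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # 4769 names the service account whose SPN was requested; the others name the logon target.
    $account = if ($e.Id -eq 4769) { $data['ServiceName'] } else { $data['TargetUserName'] }
    if ($TripwireAccounts -notcontains $account) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $account
        Source  = if ($e.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
        # For 4769 the ticket encryption type is worth seeing (0x17 = RC4); others carry a status code.
        Detail  = if ($e.Id -eq 4769) { "enc=$($data['TicketEncryptionType'])" } else { $data['Status'] }
    }
}
$hits | Sort-Object Time | Format-Table -AutoSize
```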

Requirements:

  • Domain policy template ZIP file (downloaded from portal)
  • Domain Admin privileges
  • Windows Server or workstation with Group Policy Management Console (GPMC) installed

Quick Setup Overview:

  1. Download the domain policy template ZIP file from the portal
  2. Create and configure a new Group Policy Object (GPO)
  3. Import the provided policy template
  4. Link the GPO to the Domain Controllers OU

Detailed Instructions: For complete step-by-step guidance with screenshots, see the Configuring Domain Policy guide.

3. Deploy Tripwires and AD Agent

  • Specify the hostname of the domain controller the AD Agent will access to audit tripwire events
  • Specify how frequently the AD Agent will audit tripwire event logs
  • Specify which runner should be used to install the AD Agent
    • If no eligible runners are available, visit the Runners page to update your desired runner

Provision AD Accounts & Event Logging

Generate AD Install Command

Permission Requirements

The setup process requires specific permissions to provision the AD Tripwires infrastructure. The executing account must have:

Active Directory Permissions:

  • User Account Management: Create, delete, and modify user accounts
  • Service Principal Name (SPN) Management: Set SPNs on user accounts for Kerberoastable tripwires
  • User Attribute Modification: Modify user properties including:
    • Account descriptions (for exposed credential tripwires)
    • Pre-authentication settings (for AS-REP Roastable tripwires)
    • Account control flags

SYSVOL Permissions:

  • Directory Creation: Create the EventAnalytics directory in SYSVOL
  • Permission Management: Set appropriate permissions on the created directory
  • Full Control: Complete access to modify SYSVOL directory structure

Implementation Options:

  1. Domain Admin Account (Recommended): Includes all necessary permissions
  2. Custom Permissions:
    1. Add account to "Account Operators" group
    2. Grant "Full Control" on SYSVOL share
    3. Assign "Write All Properties" permission on User objects in AD

Setup Requirements

  1. Requirements:
    1. Windows server or workstation joined to the target domain
    2. Account with Domain Admin privileges or specific permissions listed above
  2. Generate command to run the provisioning process, which will:
    1. Configure tripwire event processing
    2. Provision a service account to enable H3 to access tripwire event data
    3. Provision all tripwire accounts
  3. Open PowerShell as Administrator
  4. Paste and run the command in the Administrator PowerShell session
  5. Confirm all tasks were completed successfully via Portal
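Besides confirming completion in the Portal, you can check the provisioning results locally from the same Administrator PowerShell session. The script below is an added example, not the generated install command or any Horizon3 code: it verifies that each tripwire account exists with the attribute its type requires (SPN, pre-authentication disabled, description) and that the EventAnalytics directory exists in SYSVOL. It assumes the RSAT ActiveDirectory module is available, that the account names match what you entered in the setup modal (placeholders here), and that EventAnalytics sits at the SYSVOL root, which is an assumption since the page does not give the exact path.

```powershell
# Added example (not Horizon3 code): sanity-check what the provisioning command created.
Import-Module ActiveDirectory
$Domain = Get-ADDomain
# Placeholder names; Kind maps to the attribute the page says each tripwire type relies on.
$Expected = @(
    @{ Name = 'svc_tripwire_spn'; Kind = 'Kerberoastable' }      # SPN set on the account
    @{ Name = 'tw_asrep';         Kind = 'ASREPRoastable' }      # pre-authentication disabled
    @{ Name = 'tw_exposed';       Kind = 'ExposedCredential' }   # credential placed in description
    @{ Name = 'svc_h3_adagent';   Kind = 'AgentServiceAccount' } # used by the AD Agent to audit events
)
$results = foreach ($acct in $Expected) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$($acct.Name)'" `
            -Properties ServicePrincipalName, DoesNotRequirePreAuth, Description, Enabled
    if (-not $u) {
        [pscustomobject]@{ Account = $acct.Name; Kind = $acct.Kind; Status = 'MISSING' }
        continue
    }
    $ok = switch ($acct.Kind) {
        'Kerberoastable'      { $u.ServicePrincipalName.Count -gt 0 }
        'ASREPRoastable'      { $u.DoesNotRequirePreAuth -eq $true }
        'ExposedCredential'   { -not [string]::IsNullOrWhiteSpace($u.Description) }
        'AgentServiceAccount' { $u.Enabled -eq $true }
    }
    [pscustomobject]@{ Account = $acct.Name; Kind = $acct.Kind; Status = if ($ok) { 'OK' } else { 'CHECK' } }
}
$results | Format-Table -AutoSize

# SYSVOL directory created during provisioning (location within SYSVOL is an assumption).
$sysvolDir = "\\$($Domain.DNSRoot)\SYSVOL\$($Domain.DNSRoot)\EventAnalytics"
if (Test-Path $sysvolDir) {
    "EventAnalytics directory present: $sysvolDir"
    (Get-Acl $sysvolDir).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} else {
    "EventAnalytics directory not found at $sysvolDir"
}
```

Any account reported as MISSING or CHECK means the provisioning step did not complete as the Portal expects; re-run the generated command after confirming the executing account has the permissions listed above.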

Verify AD Agent Installation

  1. AD Agent installation will be automatically triggered after AD accounts are successfully provisioned and the provisioning process reports back to Portal.
  2. The AD Agent should become active within 5-10 minutes.

AD Domain Management

Active Directory Domain Management Card