Full Report
John Strand // In this webcast John covers how to set up Active Directory Active Defense (ADAD) using tools in Active Defense Harbinger Distribution (ADHD) and talks about potential active […] The post WEBCAST: Your Active Directory Active Defense (ADAD) Primer appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Tool/Technique: Active Directory Active Defense (ADAD) using ADHD Tools
## Overview
Active Directory Active Defense (ADAD) is a defensive strategy focused on setting up proactive measures within an Active Directory environment to detect and potentially thwart attackers. This summary centers on the use of tools found in the Active Defense Harbinger Distribution (ADHD) to implement this defense.
## Technical Details
- Type: Technique/Framework Implementation
- Platform: Active Directory (Windows Domain Environments)
- Capabilities: Creating deceptive security elements (honey accounts, fake shares) to monitor and identify malicious activity within the environment.
- First Seen: Information derived from webcast published July 28, 2017.
## MITRE ATT&CK Mapping
The presented techniques are primarily focused on **Defense Evasion** (through deception) and **Collection** (monitoring honeytokens). Specific mappings are based on the actions described:
- **TA0005 - Defense Evasion**
  - T1490 - Impair Defenses (Conceptual use in luring or distracting attackers)
- **TA0006 - Credential Access** (Monitoring use of decoys)
  - T1600 - Credentials from Web Browsers (If honey accounts are used for login attempts)
- **TA0007 - Discovery** (Monitoring who interacts with decoys)
  - T1087 - Account Discovery
- **TA0011 - Command and Control** (If callback mechanisms are involved)
  - T1571 - Non-Standard Port (If C2 callbacks use unusual channels)
*Note: Since ADAD is a defensive methodology incorporating deception, specific ATT&CK mappings emphasize the adversary's interaction with the deception elements.*
## Functionality
### Core Capabilities
- Creation of **honey accounts**: Domain or local accounts designed solely for monitoring unauthorized usage.
- Creation of **fake SMB shares**: Decoy network shares intended to attract attackers searching for valuable data.
- Preparation for potential **Active Cyber Defense Certainty (ACDC)** considerations (this touches on legal/policy aspects; the technical implementation supports legal monitoring).
### Advanced Features
- Creation of **callback word documents**: Decoy documents embedded with a mechanism that triggers an alert or logs activity when they are accessed or opened by an unauthorized user; they are likely intended to catch attempts at data exfiltration.
## Indicators of Compromise
As ADAD focuses on *creating* indicators of compromise (IoCs) to detect intrusions rather than being malware itself, the IoCs derived are the artifacts created for deception:
- File Hashes: [N/A - Artifacts are custom created]
- File Names: [N/A - Names would be configured to look enticing]
- Registry Keys: [N/A - Not explicitly detailed, but any persistence mechanism used by callback docs would generate registry entries]
- Network Indicators: [N/A - Network indicators would be generated upon successful callback activation by an attacker (e.g., DNS lookups, HTTP requests to an analyst-controlled server)]
- Behavioral Indicators: Access attempts or authentication against configured honey accounts; SMB connection attempts to fake shares; opening of callback documents.
## Associated Threat Actors
This summary does not describe a known threat actor's tool but rather a defensive framework. Therefore, no associated threat actors are listed in this context.
## Detection Methods
Detection is the primary goal of ADAD:
- Signature-based detection: [Not primary for deception artifacts themselves, but for the resulting attacker activity.]
- Behavioral detection: **High-fidelity detection** based on interactions with honeytokens (attempts to authenticate to honey accounts, access fake shares, or execute callbacks).
- YARA rules: [Not explicitly detailed, but YARA could be used to identify specific known callback document templates if used consistently.]
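The behavioral detection described above, as an added example that is not part of the webcast or the ADHD tool set: a small detector that flags interactions with ADAD decoys (authentication against honey accounts, access to fake shares, and callback-document DNS lookups) in constructed Windows Security event records and DNS query lines. The decoy account names, share names, callback domain and DNS log format are all assumptions.

```python
# Added example (not from the webcast or ADHD): flag interactions with ADAD decoys.
# Decoy names, the callback domain and the DNS log format are assumptions.
import re
from typing import Optional

HONEY_ACCOUNTS = {"svc_backup_admin", "sqlsvc_legacy"}          # assumed honey accounts
FAKE_SHARES = {"\\\\*\\HR_Payroll", "\\\\*\\Finance_Archive"}     # assumed fake shares
CALLBACK_DOMAIN = "canary.example.invalid"                        # assumed callback host
AUTH_EVENTS = {4624, 4625, 4768, 4771}   # logon success/failure, Kerberos TGT request/failure
SHARE_EVENTS = {5140, 5145}              # network share accessed / share object checked

def check_event(ev: dict) -> Optional[str]:
    """Return an alert string if a Security event touches a decoy, else None."""
    eid = ev.get("EventID")
    if eid in AUTH_EVENTS and ev.get("TargetUserName", "").lower() in HONEY_ACCOUNTS:
        return f"honey account {ev['TargetUserName']} used from {ev.get('IpAddress', '?')} (event {eid})"
    if eid in SHARE_EVENTS and ev.get("ShareName") in FAKE_SHARES:
        return f"fake share {ev['ShareName']} accessed by {ev.get('SubjectUserName', '?')} from {ev.get('IpAddress', '?')}"
    return None

# Assumed DNS query log format: "<timestamp> client <ip> query: <name>"
DNS_LINE = re.compile(r"^(?P<ts>\S+) client (?P<ip>\S+) query: (?P<name>\S+)")

def check_dns(line: str) -> Optional[str]:
    """Flag a DNS query for the callback document's domain (any subdomain of it)."""
    m = DNS_LINE.match(line)
    if m and m.group("name").rstrip(".").endswith(CALLBACK_DOMAIN):
        return f"callback document opened: {m.group('ip')} resolved {m.group('name')}"
    return None

def scan(events, dns_lines):
    """Run both checks and return the list of alerts (empty if no decoy was touched)."""
    return [a for a in map(check_event, events) if a] + [a for a in map(check_dns, dns_lines) if a]

# Constructed sample input: one benign logon, one honey-account failure, one fake-share hit,
# one benign share, one callback DNS lookup and one ordinary DNS lookup.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "TargetUserName": "svc_backup_admin", "IpAddress": "10.0.0.77"},
    {"EventID": 5140, "ShareName": "\\\\*\\HR_Payroll", "SubjectUserName": "bob", "IpAddress": "10.0.0.77"},
    {"EventID": 5140, "ShareName": "\\\\*\\IPC$", "SubjectUserName": "bob", "IpAddress": "10.0.0.5"},
]
SAMPLE_DNS = [
    "2017-07-28T10:01:02Z client 10.0.0.77 query: doc-7f3a.canary.example.invalid.",
    "2017-07-28T10:01:03Z client 10.0.0.5 query: www.example.com.",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, SAMPLE_DNS):
        print("ALERT:", alert)
```

Any hit on a decoy is high-fidelity by construction, since no legitimate user should ever authenticate as a honey account, open a fake share, or resolve the callback domain.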
## Mitigation Strategies
ADAD is a detection and active defense strategy, not a primary prevention measure, but its successful deployment mitigates the impact by providing early warning:
- Prevention measures: [Not the focus, but standard AD hardening is assumed.]
- Hardening recommendations: Ensuring monitoring systems are robust enough to capture all interactions with the decoy artifacts.
## Related Tools/Techniques
- **Active Defense Harbinger Distribution (ADHD)**: The collection of tools used to deploy ADAD.
- **Honeytoken/Honeypot Techniques**: General use of decoy assets to catch malicious activity.
- **Backdoors & Breaches**: Mentioned in the context links; this suggests an alignment with understanding adversary methodologies.