AD Tripwires - Getting Started
NodeZero Pentest Consideration
Running a NodeZero pentest while setting up AD Tripwires may cause false positive tripwire triggers. Let ongoing pentests complete, or cancel them, before proceeding with AD Tripwire setup, specifically before running the PowerShell command that configures the accounts. If you cancel pentests, you can start new ones after the AD Tripwire accounts are configured properly.
Initial Setup
1. Configure Active Directory Accounts
- Specify the Active Directory domain to configure for tripwires
- Select AD tripwire account types
- Specify user names for each selected AD tripwire account type
- Specify a user name for a new service account that will be used by the AD Agent to audit tripwire events
2. Create Domain Policy
The domain policy enables additional security event logging required for AD Tripwires detection across all domain controllers. Some events are enabled by default in Windows, while others are specifically enabled by the IoA Domain Policy.
Event Coverage:
- Events enabled by default in Windows:
  - 1100: Event Log service has shut down. Detects attempts to disable or tamper with event logging.
  - 1101: Audit events dropped by transport. Indicates possible loss of audit data due to system or network issues.
  - 1102: Audit log cleared. Alerts when the security log is cleared, which may indicate attacker log cleanup.
  - 1104: Security log full. Warns when the security log is full and may stop recording new events.
- Events enabled by the IoA Domain Policy:
  - 4625: Failed logon attempt (Kerberos or NTLM). Detects failed login attempts to tripwire accounts, such as password spraying or brute force attacks.
  - 4768: Kerberos authentication ticket (TGT) was requested. Detects AS-REP roasting attempts against tripwire accounts with pre-authentication disabled.
  - 4769: Kerberos service ticket (TGS) was requested. Detects Kerberoasting attempts by monitoring TGS requests for tripwire service accounts.
  - 4771: Kerberos pre-authentication failed. Identifies failed Kerberos authentication attempts, including brute force or password guessing against tripwire accounts.
  - 4776: NTLM authentication failed (NTLM credential validation failure). Detects failed NTLM authentication attempts to tripwire accounts, such as brute force or password guessing using NTLM.
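The following PowerShell script is an added example, not part of the AD Tripwires documentation and not the AD Agent's own logic. It reads the five IoA Domain Policy event IDs from a domain controller's Security log and reports only the records that touch tripwire accounts, so you can see for yourself what the agent is auditing. The domain controller name and the tripwire account names are placeholders; the script assumes the caller can read the Security log remotely. Note that 4769 names the tripwire service account in the ServiceName field (the SPN owner), not in TargetUserName, and that for an AS-REP-roastable account the signal is a successful 4768 with PreAuthType 0.

```powershell
# Added example: surface tripwire-account activity from the IoA Domain Policy events.
$Dc = 'dc01.corp.example.com'                                          # placeholder DC
$TripwireAccounts = @('svc-tw-sql', 'tw-asrep-user', 'tw-exposed-user')  # placeholder names
$EventIds = 4625, 4768, 4769, 4771, 4776

function Get-EventDataField {
    # Read one named <Data> element from the event's EventData XML.
    param(
        [Parameter(Mandatory)] [System.Xml.XmlElement]$EventData,
        [Parameter(Mandatory)] [string]$Name
    )
    $node = $EventData.Data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if ($null -ne $node) { return [string]$node.'#text' }
    return ''
}

function Get-TripwireHits {
    # Filter a set of Security events down to those naming a tripwire account.
    param(
        [AllowNull()] [System.Diagnostics.Eventing.Reader.EventRecord[]]$Events,
        [Parameter(Mandatory)] [string[]]$Accounts
    )
    if ($null -eq $Events) { return }
    $names = $Accounts | ForEach-Object { $_.ToLowerInvariant() }
    foreach ($e in $Events) {
        $xml  = [xml]$e.ToXml()
        $data = $xml.Event.EventData
        if ($null -eq $data) { continue }
        # 4769 reports TargetUserName as user@REALM; ServiceName may carry a trailing $.
        $target  = (Get-EventDataField $data 'TargetUserName') -replace '@.*$', ''
        $service = (Get-EventDataField $data 'ServiceName') -replace '\$$', ''
        # 4769 identifies the tripwire in ServiceName (the SPN owner); the others use TargetUserName.
        $account = if ($e.Id -eq 4769) { $service } else { $target }
        if ($names -notcontains $account.ToLowerInvariant()) { continue }
        $source = Get-EventDataField $data 'IpAddress'
        if (-not $source) { $source = Get-EventDataField $data 'Workstation' }   # 4776 has no IpAddress
        $detail = switch ($e.Id) {
            4625 { 'Failed logon, status ' + (Get-EventDataField $data 'Status') }
            4768 { 'TGT request, pre-auth type ' + (Get-EventDataField $data 'PreAuthType') +
                   ', status ' + (Get-EventDataField $data 'Status') + ' (pre-auth type 0 = AS-REP roast candidate)' }
            4769 { 'TGS request for ' + $service + ', encryption ' +
                   (Get-EventDataField $data 'TicketEncryptionType') + ' (0x17 = RC4, typical of Kerberoasting)' }
            4771 { 'Kerberos pre-auth failed, status ' + (Get-EventDataField $data 'Status') }
            4776 { 'NTLM validation failed, status ' + (Get-EventDataField $data 'Status') }
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Account = $account
            Source  = $source
            Detail  = $detail
        }
    }
}

# Get-WinEvent raises an error (not an empty result) when nothing matches; suppress it.
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = $EventIds
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$hits = Get-TripwireHits -Events $events -Accounts $TripwireAccounts
if ($hits) { $hits | Sort-Object Time | Format-Table -AutoSize }
else       { Write-Host "No tripwire-account events on $Dc in the last 24 hours." }
```

Run it from a machine in the domain with rights to read the DC's Security log; a hit on any tripwire account is by definition unexpected, because nothing legitimate should authenticate as, or request a ticket for, those accounts.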
Requirements:
- Domain policy template ZIP file (downloaded from portal)
- Domain Admin privileges
- Windows Server or workstation with Group Policy Management Console (GPMC) installed
Quick Setup Overview:
- Download the domain policy template ZIP file from the portal
- Create and configure a new Group Policy Object (GPO)
- Import the provided policy template
- Link the GPO to the Domain Controllers OU
Detailed Instructions: For complete step-by-step guidance with screenshots, see the Configuring Domain Policy guide.
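Once the GPO is linked to the Domain Controllers OU, it is worth confirming on every domain controller that the audit subcategories which produce the events listed above are actually in effect; a DC that has not refreshed Group Policy will silently produce no tripwire events. The script below is an added example, not part of the documentation or the vendor's policy template. The mapping from event IDs to audit subcategories is standard Windows audit policy knowledge, not something the page states, and the exact settings the IoA Domain Policy applies are not asserted here. It assumes the ActiveDirectory module is available and WinRM access to the DCs.

```powershell
# Added example: verify on each DC that the audit subcategories behind the
# tripwire events are enforced. Mapping (Windows audit policy, not from the page):
#   4625       -> Logon/Logoff: Logon                                (Failure)
#   4768, 4771 -> Account Logon: Kerberos Authentication Service    (Failure, plus Success for the AS-REP roast case)
#   4769       -> Account Logon: Kerberos Service Ticket Operations (Success; the TGS is issued successfully)
#   4776       -> Account Logon: Credential Validation              (Failure)
$Required = @(
    @{ Subcategory = 'Logon';                              Need = 'Failure' }
    @{ Subcategory = 'Kerberos Authentication Service';    Need = 'Success and Failure' }
    @{ Subcategory = 'Kerberos Service Ticket Operations'; Need = 'Success' }
    @{ Subcategory = 'Credential Validation';              Need = 'Failure' }
)

function Test-AuditSetting {
    # True when the effective auditpol "Inclusion Setting" covers what is needed.
    param([string]$Effective, [string]$Need)
    switch ($Need) {
        'Success'             { return ($Effective -match 'Success') }
        'Failure'             { return ($Effective -match 'Failure') }
        'Success and Failure' { return ($Effective -match 'Success') -and ($Effective -match 'Failure') }
    }
    return $false
}

function Get-DcAuditStatus {
    param([Parameter(Mandatory)] [string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        # auditpol /r emits CSV with Subcategory and "Inclusion Setting" columns.
        $rows = Invoke-Command -ComputerName $dc -ScriptBlock {
            auditpol /get /category:* /r | ConvertFrom-Csv
        }
        foreach ($req in $Required) {
            $row = $rows | Where-Object { $_.Subcategory -eq $req.Subcategory } | Select-Object -First 1
            $effective = if ($row) { $row.'Inclusion Setting' } else { 'No Auditing' }
            [pscustomobject]@{
                DomainController = $dc
                Subcategory      = $req.Subcategory
                Required         = $req.Need
                Effective        = $effective
                Ok               = Test-AuditSetting -Effective $effective -Need $req.Need
            }
        }
    }
}

$dcs    = (Get-ADDomainController -Filter *).HostName
$status = Get-DcAuditStatus -DomainControllers $dcs
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Ok }) {
    Write-Warning 'At least one DC does not enforce the required audit settings; run gpupdate /force there and re-check.'
}
```

The check reads the effective policy (what auditpol reports), not the GPO itself, so it also catches a conflicting GPO or a local override that wins over the IoA Domain Policy.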
3. Deploy Tripwires and AD Agent
- Specify the hostname of the domain controller the AD Agent will access to audit tripwire events
- Specify how frequently the AD Agent will audit tripwire event logs
- Specify which runner should be used to install the AD Agent
  - If no eligible runners are available, visit the Runners page to update your desired runner
Provision AD Accounts & Event Logging
Error shown when no eligible NodeZero runner is available for agent deployment.
Permission Requirements
The setup process requires specific permissions to provision the AD Tripwires infrastructure. The executing account must have:
Active Directory Permissions:
- User Account Management: Create, delete, and modify user accounts
- Service Principal Name (SPN) Management: Set SPNs on user accounts for Kerberoastable tripwires
- User Attribute Modification: Modify user properties including:
- Account descriptions (for exposed credential tripwires)
- Pre-authentication settings (for AS-REP Roastable tripwires)
- Account control flags
SYSVOL Permissions:
- Directory Creation: Create the EventAnalytics directory in SYSVOL
- Permission Management: Set appropriate permissions on the created directory
- Full Control: Complete access to modify SYSVOL directory structure
Implementation Options:
- Domain Admin Account (Recommended): Includes all necessary permissions
- Custom Permissions:
- Add account to "Account Operators" group
- Grant "Full Control" on SYSVOL share
- Assign "Write All Properties" permission on User objects in AD
Setup Requirements
Requirements:
- Windows server or workstation joined to the target domain
- Account with Domain Admin privileges or the specific permissions listed above
Steps:
- Generate the command to run the provisioning process, which will:
  - Configure tripwire event processing
  - Provision a service account to enable H3 to access tripwire event data
  - Provision all tripwire accounts
- Open PowerShell as Administrator
- Paste and run the command in the Administrator PowerShell session
- Confirm all tasks were completed successfully via Portal
Domain Mismatch
In a multi-domain environment, you must ensure that the provided command is executed on a machine joined to the target domain.
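Before pasting the provisioning command, it is useful to confirm the conditions the Setup Requirements and the Domain Mismatch note call out: the machine is joined to the target domain, the session is elevated, and the account is a Domain Admin or, failing that, holds the custom permissions (Account Operators membership and Full Control on SYSVOL). The script below is an added example written for this page, not the vendor's provisioning command and not part of the documentation. The target domain is a placeholder; it assumes the ActiveDirectory module is installed. The "Write All Properties" permission on User objects is not checked here.

```powershell
# Added example: pre-flight checks before running the AD Tripwires provisioning command.
$TargetDomain = 'corp.example.com'   # placeholder: the domain you are provisioning

function Test-DomainMembership {
    # True when this machine is joined to the given domain (the Domain Mismatch case).
    param([string]$Domain)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]($cs.PartOfDomain -and ($cs.Domain -ieq $Domain))
}

function Test-Elevated {
    # True when the PowerShell session was started as Administrator.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return ([System.Security.Principal.WindowsPrincipal]$id).IsInRole(
        [System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-GroupMembership {
    # Recursive membership test by SID, so membership through nested groups counts.
    param([string]$Group, [string]$Domain, [string]$UserSid)
    $members = Get-ADGroupMember -Identity $Group -Server $Domain -Recursive -ErrorAction Stop
    return [bool]($members | Where-Object { $_.SID.Value -eq $UserSid })
}

function Get-SysvolFullControlGrants {
    # Principals granted Full Control on the domain's SYSVOL path (read-only inspection).
    param([string]$Domain)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $acl  = Get-Acl -Path "\\$Domain\SYSVOL\$Domain"
    return $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $full) -eq $full) } |
        ForEach-Object { $_.IdentityReference.Value }
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$results = [ordered]@{
    'Joined to target domain'   = Test-DomainMembership -Domain $TargetDomain
    'Session is elevated'       = Test-Elevated
    'Domain Admins (recursive)' = Test-GroupMembership -Group 'Domain Admins' -Domain $TargetDomain -UserSid $me.User.Value
}
if (-not $results['Domain Admins (recursive)']) {
    # Custom-permission path from the Permission Requirements section.
    $results['Account Operators (recursive)'] =
        Test-GroupMembership -Group 'Account Operators' -Domain $TargetDomain -UserSid $me.User.Value
    $results['SYSVOL Full Control grants'] = (Get-SysvolFullControlGrants -Domain $TargetDomain) -join '; '
}

$results.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
if (-not ($results['Joined to target domain'] -and $results['Session is elevated'])) {
    Write-Warning "Fix the failed checks before running the provisioning command for $TargetDomain."
}
```

If you are on the custom-permission path, compare the listed SYSVOL grants against your account and its groups; the script only reports who holds Full Control rather than attempting a write, so it leaves SYSVOL replication untouched.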
Verify AD Agent Installation
AD Agent installation is triggered automatically after the AD accounts are successfully provisioned and the provisioning process reports back to Portal.
- The AD Agent should become active within 5-10 minutes
AD Domain Management
The AD Domain Management section in the NodeZero portal allows you to view, add, and manage Active Directory domains configured for tripwire monitoring. This is where you can review the status of each domain, check agent connectivity, and initiate management actions.
The AD Domain Management page when no domains have been added.
Adding a New AD Domain
When no domains have been added yet, you'll see an empty state card introducing the feature and a call to action:
The empty state for AD Domain Management, with a "Get Set Up" button.
To add a new Active Directory domain for tripwire monitoring:
- Click the Get Set Up or Add Domain button.
- In the modal that appears, enter the required details:
- Domain Name
- Domain Controller Hostname
- Service Account Information
- Review the information and follow the prompts to complete the setup.
The Add Domain modal, where you provide domain and account details.
Once the domain is added, it will appear in the list of configured domains for monitoring and management.
Viewing and Managing Existing Domains
Once domains are added, you will see a list of all configured AD domains, along with their status and key details:
- Domain Name
- Agent Status (Active/Inactive)
- Last Communication
- Actions (View, Edit, Remove)
During setup, a domain will show a status of "Pending". A fully configured domain will have a status of "Active".
Domain Details
Clicking on a domain name brings up detailed information, including:
- Domain configuration summary
- Linked tripwire accounts
- Agent installation and status
- Troubleshooting and management actions
Adding Additional Domains
The "Protect Another Domain" button allows you to add and configure additional Active Directory domains for tripwire monitoring after the initial setup is complete.