
AD Tripwires - Getting Started

NodeZero Pentest Consideration

Having a NodeZero pentest running while setting up AD Tripwires may cause false positive tripwire triggers. Let ongoing pentests complete or cancel ongoing pentests before proceeding with AD Tripwire setup, specifically running the PowerShell command to configure accounts. If you opt to cancel pentests, you can start new pentests after AD Tripwire accounts are configured properly.

Initial Setup

1. Configure Active Directory Accounts

Setup AD Tripwires modal

  • Specify the Active Directory domain to configure for tripwires
  • Select AD tripwire account types
  • Specify user names for each selected AD tripwire account type
  • Specify a user name for a new service account that will be used by the AD Agent to audit tripwire events

2. Create Domain Policy

Download & Configure Domain Policy

The domain policy enables additional security event logging required for AD Tripwires detection across all domain controllers. Some events are enabled by default in Windows, while others are specifically enabled by the IoA Domain Policy.

Event Coverage:

  • Events enabled by default in Windows:
    • 1100: Event Log service has shut down
      Detects attempts to disable or tamper with event logging.
    • 1101: Audit events dropped by transport
      Indicates possible loss of audit data due to system or network issues.
    • 1102: Audit log cleared
      Alerts when the security log is cleared, which may indicate attacker log cleanup.
    • 1104: Security log full
      Warns when the security log is full and may stop recording new events.
  • Events enabled by the IoA Domain Policy:
    • 4625: Failed logon attempt (Kerberos or NTLM)
      Detects failed login attempts to tripwire accounts, such as password spraying or brute force attacks.
    • 4768: Kerberos authentication ticket (TGT) was requested
      Detects AS-REP roasting attempts against tripwire accounts with pre-authentication disabled.
    • 4769: Kerberos service ticket (TGS) was requested
      Detects Kerberoasting attempts by monitoring TGS requests for tripwire service accounts.
    • 4771: Kerberos pre-authentication failed
      Identifies failed Kerberos authentication attempts, including brute force or password guessing against tripwire accounts.
    • 4776: NTLM authentication failed (NTLM credential validation failure)
      Detects failed NTLM authentication attempts to tripwire accounts, such as brute force or password guessing using NTLM.
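The following triage script is an added example, not part of the NodeZero AD Agent or its policy template. Run on a domain controller, it pulls the event IDs listed above for the last hour and reports only those that touch a tripwire account, so you can see what the agent keys on; the account names are placeholders for the user names you chose in the portal.

```powershell
# Added example (not Horizon3 code). Reads the Security log on a DC and reports
# tripwire-related events. $TripwireAccounts are placeholders for your portal choices.
param(
    [string[]]$TripwireAccounts = @('svc-legacy-sql', 'backup-admin'),  # placeholders
    [int]$Hours = 1
)

$ids    = 4625, 4768, 4769, 4771, 4776   # per-account events enabled by the IoA Domain Policy
$tamper = 1100, 1101, 1102, 1104         # log-integrity events enabled by default: always report

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $ids + $tamper; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read EventData fields by name rather than by position; positions differ per event ID.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    if ($tamper -contains $e.Id) {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Account = '(n/a)'; Source = '(local)'; Why = 'event log tampering or loss' }
        continue
    }

    # 4769 names the SPN owner in ServiceName; the other IDs name the target account.
    $account = if ($e.Id -eq 4769) { $d['ServiceName'] } else { $d['TargetUserName'] }
    $account = ($account -split '[@$]')[0]          # drop realm suffix / trailing $ of machine accounts
    if ($TripwireAccounts -notcontains $account) { continue }   # case-insensitive by default

    # Any hit on a tripwire account is suspect; the ID tells you which technique it resembles.
    $why = switch ($e.Id) {
        4625 { 'failed logon to tripwire account (password spray / brute force)' }
        4768 { if ($d['PreAuthType'] -eq '0') { 'TGT issued without pre-auth (AS-REP roasting)' } else { 'TGT request for tripwire account' } }
        4769 { 'TGS request for tripwire SPN (Kerberoasting)' }
        4771 { 'Kerberos pre-authentication failure (password guessing)' }
        4776 { 'NTLM credential validation failure (password guessing)' }
    }
    # 4776 carries a Workstation name; the Kerberos events and 4625 carry an IpAddress.
    $source = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['Workstation'] }
    [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Account = $account; Source = $source; Why = $why }
}
```

Because the tripwire accounts are never used legitimately, the script applies no further filtering (encryption type, logon type, and so on); a single row is already actionable.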

Requirements:

  • Domain policy template ZIP file (downloaded from portal)
  • Domain Admin privileges
  • Windows Server or workstation with Group Policy Management Console (GPMC) installed

Quick Setup Overview:

  1. Download the domain policy template ZIP file from the portal
  2. Create and configure a new Group Policy Object (GPO)
  3. Import the provided policy template
  4. Link the GPO to the Domain Controllers OU

Detailed Instructions: For complete step-by-step guidance with screenshots, see the Configuring Domain Policy guide.
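After linking the GPO, confirm on each domain controller that the audit subcategories behind the listed event IDs are actually enabled. This check is an added example, not part of the NodeZero product or its policy template; the mapping of event IDs to audit subcategories is standard Windows auditing, not something taken from the portal.

```powershell
# Added verification step (not Horizon3 code). Run on a domain controller after the
# IoA Domain Policy GPO is linked; wrap the body in Invoke-Command to cover every DC,
# since a tripwire logon can be serviced by any of them.
$required = @(
    @{ Subcategory = 'Logon';                              Events = '4625';       Need = @('Failure') },
    @{ Subcategory = 'Kerberos Authentication Service';    Events = '4768, 4771'; Need = @('Success', 'Failure') },
    @{ Subcategory = 'Kerberos Service Ticket Operations'; Events = '4769';       Need = @('Success') },
    @{ Subcategory = 'Credential Validation';              Events = '4776';       Need = @('Failure') }
)

# Effective audit policy on this DC, parsed from auditpol's CSV report format (/r).
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

$missing = 0
foreach ($req in $required) {
    $row     = $policy | Where-Object { $_.Subcategory -eq $req.Subcategory }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'not present' }
    # 'Success and Failure' satisfies both needs; 'No Auditing' satisfies neither.
    $gaps = $req.Need | Where-Object { $setting -notmatch $_ }
    if ($gaps) {
        Write-Warning ("{0} [{1}] is '{2}', needs {3}" -f $req.Subcategory, $req.Events, $setting, ($gaps -join ' and '))
        $missing++
    } else {
        Write-Host ("OK  {0} [{1}] = {2}" -f $req.Subcategory, $req.Events, $setting)
    }
}

if ($missing) {
    Write-Warning "$missing subcategories are not audited as required. Run 'gpupdate /force' on this DC and re-check;"
    Write-Warning 'if still missing, confirm the GPO is linked to the Domain Controllers OU and not blocked or overridden.'
}
```

The 1100-1104 log-integrity events need no policy change, so they are not checked here.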

3. Deploy Tripwires and AD Agent

  • Specify the hostname of the domain controller the AD Agent will access to audit tripwire events
  • Specify how frequently the AD Agent will audit tripwire event logs
  • Specify which runner should be used to install the AD Agent
    • If no eligible runners are available, visit the Runners page to update your desired runner

Provision AD Accounts & Event Logging

Generate AD Install Command

Error shown when no eligible NodeZero runner is available for agent deployment.

Generate Command - No Runner

Permission Requirements

The setup process requires specific permissions to provision the AD Tripwires infrastructure. The executing account must have:

Active Directory Permissions:

  • User Account Management: Create, delete, and modify user accounts
  • Service Principal Name (SPN) Management: Set SPNs on user accounts for Kerberoastable tripwires
  • User Attribute Modification: Modify user properties including:
    • Account descriptions (for exposed credential tripwires)
    • Pre-authentication settings (for AS-REP Roastable tripwires)
    • Account control flags

SYSVOL Permissions:

  • Directory Creation: Create the EventAnalytics directory in SYSVOL
  • Permission Management: Set appropriate permissions on the created directory
  • Full Control: Complete access to modify SYSVOL directory structure

Implementation Options:

  1. Domain Admin Account (Recommended): Includes all necessary permissions
  2. Custom Permissions:
    1. Add account to "Account Operators" group
    2. Grant "Full Control" on SYSVOL share
    3. Assign "Write All Properties" permission on User objects in AD

Setup Requirements

  1. Requirements:
    1. Windows server or workstation joined to the target domain
    2. Account with Domain Admin privileges or specific permissions listed above
  2. Generate command to run the provisioning process, which will:
    1. Configure tripwire event processing
    2. Provision a service account to enable H3 to access tripwire event data
    3. Provision all tripwire accounts
  3. Open PowerShell as Administrator
  4. Paste and run the command in the Administrator PowerShell session
  5. Confirm all tasks were completed successfully via Portal

Domain Mismatch

In a multi-domain environment, you must ensure that the provided command is executed on a machine joined to the target domain.

Domain Setup Error - Domain Mismatch
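A preflight check covering the Setup Requirements and the Domain Mismatch note above, as an added example that is not part of the NodeZero product or its generated command. It runs on the machine where you intend to paste the provisioning command; $TargetDomain is a placeholder for the domain you selected in the portal.

```powershell
# Added preflight check (not Horizon3 code). Run before pasting the generated command.
# $TargetDomain is a placeholder for the domain chosen in the portal, e.g. corp.example.com.
param([Parameter(Mandatory = $true)][string]$TargetDomain)

$ok = $true

# 1. Elevation: the generated command must run in an Administrator PowerShell session.
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not elevated: open PowerShell as Administrator.'; $ok = $false
}

# 2. Domain mismatch: in a multi-domain environment the machine must be joined to the target domain.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $TargetDomain) {   # -ne is case-insensitive
    Write-Warning "Machine is joined to '$($cs.Domain)', not '$TargetDomain' (domain mismatch)."; $ok = $false
}

# 3. AD permissions: Domain Admins (recommended) or the custom Account Operators route.
$groups = @($identity.Name) + @(foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
})
$isDomainAdmin = [bool]($groups -match '\\Domain Admins$')
$isAcctOps     = [bool]($groups -match '\\Account Operators$')
if (-not ($isDomainAdmin -or $isAcctOps)) {
    Write-Warning 'Account is neither a Domain Admin nor an Account Operator.'; $ok = $false
} elseif (-not $isDomainAdmin) {
    Write-Host 'Account Operators route: also confirm SYSVOL Full Control and Write All Properties on User objects.'
}

# 4. SYSVOL reachability, where the EventAnalytics directory will be created.
$sysvol = "\\$TargetDomain\SYSVOL\$TargetDomain"
if (Test-Path $sysvol) {
    # List the caller's principals that hold FullControl so the requirement can be confirmed by eye.
    (Get-Acl $sysvol).Access |
        Where-Object { $_.FileSystemRights -match 'FullControl' -and $groups -contains $_.IdentityReference.Value } |
        ForEach-Object { Write-Host "SYSVOL FullControl via $($_.IdentityReference)" }
} else {
    Write-Warning "Cannot reach $sysvol"; $ok = $false
}

if ($ok) { 'Preflight passed: this session can run the generated provisioning command.' }
```

The check reads the SYSVOL ACL rather than creating a test directory, so it never modifies the share itself.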

Verify AD Agent Installation

  1. AD Agent installation will be automatically triggered after AD accounts are successfully provisioned and the provisioning process reports back to Portal.
  2. The AD Agent should become active within 5-10 minutes.

AD Domain Management

The AD Domain Management section in the NodeZero portal allows you to view, add, and manage Active Directory domains configured for tripwire monitoring. This is where you can review the status of each domain, check agent connectivity, and initiate management actions.

AD Domain Management - Empty State

The AD Domain Management page when no domains have been added.

Adding a New AD Domain

When no domains have been added yet, you'll see an empty state card introducing the feature and a call to action:

AD Domain Management - Empty State Card

The empty state for AD Domain Management, with a "Get Set Up" button.

To add a new Active Directory domain for tripwire monitoring:

  1. Click the Get Set Up or Add Domain button.
  2. In the modal that appears, enter the required details:
    • Domain Name
    • Domain Controller Hostname
    • Service Account Information
  3. Review the information and follow the prompts to complete the setup.

AD Domain Management - Active State

The Add Domain modal, where you provide domain and account details.

Once the domain is added, it will appear in the list of configured domains for monitoring and management.

Viewing and Managing Existing Domains

Once domains are added, you will see a list of all configured AD domains, along with their status and key details:

  • Domain Name
  • Agent Status (Active/Inactive)
  • Last Communication
  • Actions (View, Edit, Remove)

During setup, a domain will show a status of "Pending".

Domain Management - Pending Domain

A fully configured domain will have a status of "Active".

Domain Management - Active Domain

Domain Details

Clicking on a domain name brings up detailed information, including:

  • Domain configuration summary
  • Linked tripwire accounts
  • Agent installation and status
  • Troubleshooting and management actions

Domain Details - Active

Adding Additional Domains

The "Protect Another Domain" button allows you to add and configure additional Active Directory domains for tripwire monitoring after the initial setup is complete.

Domain Management - Protect Another Domain Button