Incident Reference Number
Report Prepared by Name
E-mail
Designation
Date
Incident Details During internal penetration test, a suspicious ACL entry was found in Active Directory where everyone group was assigned full control on AD root. This could allow any user (non admin) to replicate Active Directory and gain full control. From available logs it is not identified whether this was result of a misconfiguration or a backdoor left by an attacker.
Incident Reported on Incident Resolved on
Incident Reported By
Affected Systems Active Directory (xxx.com)
Current incident status Open Severity High
Members involved in security incident response action Name Email Designation
Important events in chronological order • 11th xxx: Suspicious ACL entry was identified and notified to incident response team for investigation.
• 12th xxx: ACL entry was removed by xxx team and investigation was started.
• 14th xxx: Another suspicious ACL entry was found on an OU containing all user accounts.
• 15th xxx: The second suspicious ACL entry was removed by xxx team.
• 19th xxx: Detailed action plan shared with xxx team to restore trust on active directory.
Investigation results • Active Directory logs were searched to identify the addition of suspicious ACLs however, no trace was found.
• No sign of compromise of AD is identified from last two years of monitoring data available from EDR.
Containment Actions Actions Status
Remove suspicious ACL entries from AD root and Users OU xxx
Root cause of the incident Not possible to identify as the actions are not traceable from available logs.
Impact details • Actual impact is unknown as no adversary activity was identified during last two years of monitoring.
• Potential impact (in past) could be compromise of Active Directory and exfiltration of data.
Recommended Eradication/Corrective Actions Action Status
Audit following ACLs and remove any suspicious/unnecessary entries:
• Domain root
• Admin SD holder
• All main OUs xxx
Audit Security descriptors of Remoting protocols (WMI, PSRemoting, Remote Registry) on DC and exchange to identify and remove any suspicious entries xxx
Audit Security Support Providers (SSP) to identify and remove any suspicious entries:
HKEY_LOCAL_MACHINESystemCurrentControlSetControlLsaSecurity Packages xxx
Audit SID History attribute to identify and remove any suspicious entries xxx
Audit DSRM registry key to identify and remove any suspicious entries:
HKLMSystemCurrentControlSetControlLsaDSRMAdminLogonBehavior xxx
Audit group policies permissions on folder and files xxx
Recovery Action Status
Reset krbtgt password xxx
Reset DSRM password xxx
Reset all admin accounts password xxx
Reset all service accounts password xxx
Reset computer account passwords for all DC and Exchange servers xxx
Reset all user accounts password xxx
Actions recommended to prevent future incidents Action Status
Implement deny logon policy on DCs, member servers and workstations to ensure only required users are allowed to login to these systems by enforcing 3 tier architecture xxx
Clean up and fix nested membership issues xxx
Use Managed Service Accounts xxx
Ensure that all computer account passwords change every 30 – 60 days xxx
Ensure that no computer accounts are members of admin groups xxx
Details of evidence collected • Active directory logs
• EDR alerts
Evidence retention recommendation
Operational, financial, image losses NA
Key lessons learnt/Actions to improve detection Action Status
Create detection rules in SIEM and FIM for monitoring of ACL changes on domain root, Admin SD Holder, and all main OUs xxx