Detecting Abuse of Domain Administrator Privilege Using Windows Event Log

Venue: IEEE Conference on Application, Information and Network Security

Abstract

In an advanced persistent threat (APT) attack, attackers who infiltrate an organization's network tend to stay inside it until they accomplish their final goal, which may include stealing sensitive information. When Active Directory (AD) is in place, attackers try to obtain a Domain Administrator account, which has the privilege to control all users and files in the AD environment. There are several methods by which attackers abuse a legitimate Domain Administrator account. One is to exploit vulnerabilities in Active Directory such as CVE-2014-0317. Another is to steal credentials with password dump tools such as mimikatz. Moreover, attackers are likely to create a backdoor that disguises itself as a legitimate Domain Administrator account, called a "Golden Ticket", in order to obtain long-term administrative privilege. If an attacker abuses a legitimate Domain Administrator account, it is not easy to differentiate legitimate access from malicious access. To overcome this difficulty, several methods have already been proposed for detecting attacks against AD by analyzing Windows event logs. Each detection method is useful under specific conditions; however, none of them covers the entire scope of the multiple attack methods. In this research, we clarify and evaluate the effectiveness of existing methods using a dataset, and propose a new detection algorithm with an improved detection rate.
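The abstract says that Windows event logs on the domain controller are the data source for detecting Golden Ticket use but does not describe the paper's algorithm. As an added example (not the paper's code), the script below runs two widely used Golden Ticket heuristics over constructed Security events: a service-ticket request (Event ID 4769) by a privileged account with no preceding TGT request (Event ID 4768) from the same account and client address, and a privileged 4624/4769 whose Account Domain field is not the NetBIOS domain name. The sample events, the privileged account list, the NetBIOS name "CORP" and the domain-field indicator are all assumptions made for the example.

```python
"""Illustrative Golden Ticket heuristics over Windows Security events.

Added example, not the paper's algorithm. Two heuristics are implemented:
  1. A service-ticket request (Event ID 4769) by a privileged account with no
     preceding TGT request (Event ID 4768) from the same account and client
     address: a forged TGT is never issued by the KDC, so the 4768 is missing.
  2. A privileged logon (4624) or 4769 whose domain field is not the expected
     NetBIOS name (assumed indicator; the field form depends on how the
     ticket was forged, so treat it as a weak signal).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); fields mirror a subset of
# the EventData of Security log records. Times are ISO 8601.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "id": 4768, "user": "alice", "domain": "CORP", "ip": "10.0.0.5"},
    {"time": "2024-01-10T09:00:05", "id": 4769, "user": "alice", "domain": "CORP", "ip": "10.0.0.5"},
    {"time": "2024-01-10T09:30:00", "id": 4768, "user": "Administrator", "domain": "CORP", "ip": "10.0.0.9"},
    {"time": "2024-01-10T09:30:02", "id": 4769, "user": "Administrator", "domain": "CORP", "ip": "10.0.0.9"},
    # Suspicious pair: the DC never issued a TGT to Administrator at 10.0.0.77,
    # and the domain field carries the FQDN form instead of the NetBIOS name.
    {"time": "2024-01-10T10:15:00", "id": 4769, "user": "Administrator", "domain": "corp.local", "ip": "10.0.0.77"},
    {"time": "2024-01-10T10:15:30", "id": 4624, "user": "Administrator", "domain": "corp.local", "ip": "10.0.0.77"},
]

PRIVILEGED = {"administrator"}   # assumed Domain Admin accounts (lower-case)
NETBIOS_DOMAIN = "CORP"          # assumed NetBIOS domain name of the environment


def _ts(event):
    return datetime.fromisoformat(event["time"])


def tgs_without_as(events, privileged=PRIVILEGED, lookback_seconds=36000):
    """Flag 4769 events for privileged accounts that have no 4768 from the same
    account and client IP within `lookback_seconds` before the request."""
    window = timedelta(seconds=lookback_seconds)
    issued = defaultdict(list)   # (account, ip) -> times the KDC issued a TGT
    for e in events:
        if e["id"] == 4768:
            issued[(e["user"].lower(), e["ip"])].append(_ts(e))
    alerts = []
    for e in events:
        if e["id"] != 4769 or e["user"].lower() not in privileged:
            continue
        t = _ts(e)
        prior = issued.get((e["user"].lower(), e["ip"]), [])
        if not any(t - window <= ti <= t for ti in prior):
            alerts.append({"rule": "tgs_without_as", "time": e["time"],
                           "user": e["user"], "ip": e["ip"]})
    return alerts


def unexpected_domain_form(events, privileged=PRIVILEGED, netbios=NETBIOS_DOMAIN):
    """Flag privileged 4624/4769 events whose domain field is not the NetBIOS name."""
    return [{"rule": "unexpected_domain_form", "time": e["time"],
             "user": e["user"], "ip": e["ip"], "domain": e["domain"]}
            for e in events
            if e["id"] in (4624, 4769)
            and e["user"].lower() in privileged
            and e["domain"] != netbios]


def run_all(events):
    """Run both heuristics and return the combined alerts sorted by time."""
    alerts = tgs_without_as(events) + unexpected_domain_form(events)
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

The first rule only works when the 4768 and 4769 records from every domain controller are collected centrally: a TGT legitimately issued by one DC and used against another would otherwise look like a forged ticket, and TGTs are valid for up to the domain's ticket lifetime (10 hours by default), which is why the lookback defaults to 36000 seconds.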