Open source co-construction: 360 launches a new version of the WatchAD 2.0 domain security threat awareness system

Whether in offensive and defensive drills or in real intrusion scenarios, attackers often gain privileged administrative rights by compromising domain controllers, then move laterally to control the corporate intranet and steal important assets and data. Because of their unique management advantages, AD domains are widely used in large enterprises for centralized management of IT infrastructure.

However, traditional network security defenses are often insufficient against domain penetration attacks that target identity credentials. Because AD domain management is centralized and built around privilege management, improving domain security, identifying domain attack threats, and ensuring office security has become one of the important concerns of enterprises.

Drawing on more than ten years of real-world offensive and defensive experience, 360 takes offense, defense, practice, and confrontation as its guide, "see + deal" as its core, and "centralization, unification, platform, and service" as its technical approach, helping enterprises establish a defense-in-depth system to meet the security challenges of the digital age.

360 Information Security Center independently developed the domain security intrusion detection system WatchAD, which has been open source since 2019, and presented the project's core technology at the DEF CON 27 Blue Team Village, becoming a pioneer in the field of domestic domain security detection. Over the past four years, 360 Information Security Center has upgraded WatchAD to WatchAD 2.0, aiming to help enterprises establish a domain environment security protection system and further enhance their ability to deal with domain penetration threats.


Working principle

WatchAD 2.0 consists of four parts: a log collection agent, a rule detection and analysis engine, a cache database, and a Web console. It collects the event logs and Kerberos traffic generated by domain controllers and uses a stream processing engine to analyze them in real time for feature matching, protocol analysis, behavior monitoring, sensitive operations, and honeypot account capture, so that security risks are detected and alerted promptly. Currently, the WatchAD 2.0 threat detection items cover most common intranet domain penetration techniques.


WatchAD 2.0 protects the entire life cycle of AD domain security. In enterprise security operations, WatchAD 2.0 inspects the domain from multiple perspectives such as obsolete objects, privileged users, trust relationships, and abnormal objects, to prevent domain controllers from being exploited by attackers and causing the loss of corporate assets.

At the same time, WatchAD 2.0 can effectively identify abnormal user behavior and accurately determine attack behavior. For the different stages of a domain penetration attack, such as domain information collection and reconnaissance, domain account privilege escalation, lateral movement, privilege maintenance, and threat proliferation, WatchAD 2.0 provides corresponding detection methods and rules, supporting monitoring of the entire domain penetration path.
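As an added illustration of the event-log side of the pipeline described above (not WatchAD code), the following rules run over constructed domain controller Security events in the shape of event IDs 4768/4769: one rule fires on any Kerberos activity naming a decoy account, the other on repeated RC4-encrypted service ticket requests from one source, a common Kerberoasting heuristic. The decoy account name, the sample events and the threshold are assumptions.

```python
# Added example, not part of WatchAD. Minimal rule-based detection over
# constructed Windows Security event records from a domain controller.

# Constructed sample events (field names follow the DC Security log; values are made up).
EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "MSSQLSvc/db01",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},   # AES ticket, benign
    {"EventID": 4769, "TargetUserName": "bob", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "bob", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "bob", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},
    {"EventID": 4768, "TargetUserName": "svc_honey", "IpAddress": "10.0.0.9"},
]

HONEYPOT_ACCOUNTS = {"svc_honey"}  # assumed decoy account; no legitimate use exists
RC4_HMAC = "0x17"                  # TicketEncryptionType for RC4-HMAC (etype 23)
ROAST_THRESHOLD = 3                # distinct RC4 SPN requests per source before alerting

def detect(events, honeypots=HONEYPOT_ACCOUNTS, threshold=ROAST_THRESHOLD):
    """Return a list of (rule, account, source_ip) alerts for the given events."""
    alerts = []
    rc4_spns = {}  # (source ip, requesting user) -> set of SPNs requested with RC4
    for e in events:
        eid = e["EventID"]
        # Honeypot rule: a decoy account should never be touched, so any TGT, TGS
        # or logon event naming it (as user or as service) is a high-confidence hit.
        if eid in (4768, 4769, 4624) and (
            e.get("TargetUserName") in honeypots or e.get("ServiceName") in honeypots
        ):
            who = e.get("TargetUserName") if e.get("TargetUserName") in honeypots else e["ServiceName"]
            alerts.append(("honeypot_account_touched", who, e["IpAddress"]))
        # Kerberoasting heuristic: one source requesting RC4 service tickets for
        # many different SPNs; alert once when the threshold is reached.
        if eid == 4769 and e.get("TicketEncryptionType") == RC4_HMAC:
            key = (e["IpAddress"], e["TargetUserName"])
            rc4_spns.setdefault(key, set()).add(e["ServiceName"])
            if len(rc4_spns[key]) == threshold:
                alerts.append(("kerberoasting_suspected", e["TargetUserName"], e["IpAddress"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A real deployment would also suppress known RC4-only legacy services and correlate the honeypot hit with the source host's other events before escalating.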


Product advantages

WatchAD 1.0 has received attention and praise from many quarters since it was open sourced, and has helped many enterprises build their own domain security defenses. Compared with version 1.0, WatchAD 2.0 has been improved in the following respects:

1. Richer detection capabilities, wider coverage and higher accuracy

Drawing on 360's more than ten years of offensive and defensive experience, WatchAD 2.0 adds suspicious account activity monitoring scenarios on top of the original capabilities and strengthens detection of privilege escalation, privilege maintenance and other scenarios, covering abnormal accounts and activities, Zerologon privilege escalation, SPN hijacking, shadow tickets and other detection surfaces.

2. Analysis engine refactored in Golang for higher analysis efficiency

WatchAD has been rewritten from Python to Golang, using its more efficient concurrency to speed up the processing of large volumes of logs and traffic, so that alerts are raised promptly and reliably.

3. Out of the box: stable, easy to use and more efficient

We have integrated the Web platform and the detection engine to simplify deployment: users need only a message queue and a storage component to complete the deployment of WatchAD 2.0. Besides improving the performance and stability of the system, this makes it more efficient and easier to use, giving users a better experience.

Open source sharing

WatchAD 2.0 has been running inside 360 Group for many years. During internal offensive and defensive drills it detected a variety of attack techniques, including PsLoggedOn information leakage, golden tickets, Kerberoasting, and NTLM relay. We are now open sourcing the WatchAD 2.0 event log detection capability again, so that organizations and individual enthusiasts can study and deploy it.

In addition to the open source version, WatchAD 2.0 Enterprise Edition adds traffic detection and bypass detection on top of the event log detection capability, and can analyze domain attack behavior in full traffic in real time, providing more comprehensive domain security protection.

360 Local Security Brain products also have the WatchAD 2.0 detection rules and security capabilities fully built in. Enterprises can rely on 360 Local Security Brain to build an integrated operations platform that combines domain security detection and protection according to their own needs and application scenarios, linking security products across the ecosystem to achieve visual and intelligent domain threat detection and response.

Source code and tutorial link: https://pan.baidu.com/s/1GLNNsQzoes19lzN7V81cAQ?pwd=9bnv

Extract code: 9bnv

360 Local Security Brain: https://www.360.net/product-center/security-intelligence-brain/index

Information source: 360 official

Origin: blog.csdn.net/xyk2000114/article/details/131696761