Has anyone ever done some sort of "Active Directory" forensics?

+2 votes
Does it make sense to think about Active Directory forensics? For example, if I change a password, will there be a timestamp?
asked 1 year ago by silentTom (50 points)

2 Answers

+1 vote

This is a good starting point: http://forensicir.blogspot.com/2009/06/active-directory-snapshots.html

If you ever worked with EnCase:

Active Directory Information Extractor: The Active Directory Information Extractor forensically analyzes the Active Directory database (NTDS.DIT) and extracts the username, SID, home directory, email address, last login, last failed login and next password change.
answered 1 year ago by mr_insecure (70 points)
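The attributes the extractor above pulls from NTDS.DIT (last login, password timestamps) are stored by AD as FILETIME large integers, and the asker's "will there be a timestamp?" is answered by `pwdLastSet`. The following is an added example, not code from the thread or from EnCase: it converts those values to UTC, handles the two sentinel values, and builds a small password-change timeline from a constructed (hypothetical) user dump.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet, lastLogon, lastLogonTimestamp, accountExpires, ... as
# "large integers": 100-nanosecond ticks since 1601-01-01 00:00 UTC (FILETIME).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel meaning "never" (seen in accountExpires)


def filetime_to_datetime(ft):
    """AD large-integer timestamp -> aware UTC datetime.
    Returns None for the sentinels: 0 (pwdLastSet=0 means "must change password
    at next logon", lastLogon=0 means never logged on) and NEVER."""
    if ft in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; used here only to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _ft(*ymdhm):
    return datetime_to_filetime(datetime(*ymdhm, tzinfo=timezone.utc))


# Constructed sample (hypothetical accounts) in the shape a user dump gives you.
# Note: lastLogonTimestamp is replicated but only refreshed when the stored value
# is ~14 days old, so it is a coarse indicator; lastLogon is exact but per-DC.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "pwdLastSet": _ft(2011, 4, 12, 9, 30),
     "lastLogonTimestamp": _ft(2011, 4, 20, 8, 0)},
    {"sAMAccountName": "bob", "pwdLastSet": 0, "lastLogonTimestamp": 0},
    {"sAMAccountName": "carol", "pwdLastSet": _ft(2010, 1, 5, 17, 45),
     "lastLogonTimestamp": _ft(2011, 3, 1, 12, 0)},
]
SAMPLE_WINDOW = (datetime(2011, 4, 1, tzinfo=timezone.utc),
                 datetime(2011, 5, 1, tzinfo=timezone.utc))


def password_changes_between(users, start, end):
    """(account, change_time) for passwords set in [start, end), oldest first.
    pwdLastSet says *when* the password changed, not who changed it; the actor
    is in the DC's Security event log (events 4723/4724), not in the directory."""
    hits = []
    for u in users:
        changed = filetime_to_datetime(u.get("pwdLastSet", 0))
        if changed is not None and start <= changed < end:
            hits.append((u["sAMAccountName"], changed))
    return sorted(hits, key=lambda h: h[1])


def must_change_at_next_logon(users):
    """Accounts with pwdLastSet == 0; worth a look in any investigation."""
    return [u["sAMAccountName"] for u in users if u.get("pwdLastSet", 0) == 0]
```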
0 votes

You could also utilize network signatures in an IDS such as Suricata (I prefer it over Snort and commercial ones).

You would need to build custom signatures. Have a look at this nmap NSE script (and the others it references) -- http://nmap.org/nsedoc/scripts/ldap-rootdse.html

If you could build a signature that captures these sorts of events, you'd be able to tell the src traffic that queries your AD infrastructure.

*** UPDATE ***

Oh crap -- check this out! -- http://ptresearch.blogspot.com/2011/04/backdoor-in-active-directory.html

answered 1 year ago by atdre pro pentester (1,080 points)
edited 1 year ago by atdre