Skip to main content

Active Directory Auditing tool

Project description

About BTA

BTA is an open-source Active Directory security audit framework. Its goal is to help auditors harvest the information they need to answer such questions as:

  • Who has rights over a given object (computer, user account, etc.) ?

  • Who can read a given mailbox ?

  • Which are the accounts with domain admin rights ?

  • Who has extended rights (userForceChangePassword, SendAs, etc.) ?

  • What are the changes done on an AD between two points in time ?

The framework is made of

  • an importer able to translate a ntds.dit file, containing all the AD data, into a database

  • tools to query the database

    • AD miner framework

    • AD diff utility

    • small utilities (list of databases, etc.)

The comprehensive set of attributes are imported and can be querried including all schema extensions (Exchange, Sharepoint, etc.).

Each question can be crystallized by an AD expert as a miner, so that it can be used during all audits without doing the hard work again.

Installing BTA

Quick install

Dependencies:

Installation:

  • pip install bta

From sources

Dependencies:

Installation:

  • python setup.py install

Active Directory Security Analysis

Goal:

  • Clean an AD or an AD forest, looking for

    • bad practices

    • forgotten entries

    • backdoors

    • recompromissions

  • BTA is an operationnal tool, ought to be

    • deterministic, reliable

    • running a well established procedure

Protocol

Audit steps:

  1. Extract the ntds.dit file

  2. Import the ntds.dit file in a database

  3. Look for control points in the database

Extraction

Here is a way to backup NTDS.dit file for a domain controller which is running on Windows 2008. See [2] for more information or for Windows 2003 method.

ntdsutil
activate instance ntds
ifm
create full c:{\bs}NTDS_saved
quit
quit

Importing

  • ntds.dit is unusable as-is.

  • one ntds.dit is imported into one MongoDB database

  • ability to import several ntds.dit in parallel

Examples:

ntds2db -C ::mydb /path/to/ntds.dit
ntds2db /path/to/*.dit  --multi             \
  --C-from-filename                         \
     "::%s" "basename rmext 'DB' swap plus"

Analysing

  • Querying the database

    • analysing control points of a database: btaminer

    • analysing differences between 2 bases: btadiff

Analysing control points

  • miners crystallize expertise

    • list of admin accounts

    • list of accounts with extended rights

    • list of accounts with password errors

    • list of various timelines

btaminer -t ReST -C ::AD1 Schema --timelineCS created

Analysis by miner [Schema]
==========================

+---------------+-----------------------+
| Date          | Affected class schema |
+===============+=======================+
| 2009-02-11 18 | 234                   |
| 2011-12-20 00 | 267                   |
| 2011-12-22 14 | 3                     |
| 2011-12-23 18 | 46                    |
+---------------+-----------------------+

Analysing differences

  • diff

    • diff (naive for the moment) between 2 imports at different points in time

    • noise filtering

$ btadiff --CA ::ADclean --CB ::ADbackdoor --ignore-defaults
===============
Starting diffing sd_table
---------------
AB,101: [] *sd_refcount['14'=>'15']
AB,108: [] *sd_refcount['39'=>'41']
A ,229: []
A ,372: []
AB,423: [] *sd_refcount['3'=>'2']
 B,424: []
 B,425: []
 B,428: []
---------------
Table [sd_table]: 160 records checked, 2 disappeared, 3 appeared, 3 changed
===============
[...]
===============
Starting diffing datatable
---------------
AB,3586: [DC001] *logonCount['116'=>'117'], *lastLogon['130052518207794051L'=>'130052535716737649L']
AB,3639: [RID Set] *rIDNextRID['1153'=>'1154']
AB,8784: [A:[gc]/B:[gc  DEL:346bf199-8567-4375-ac15-79ec4b42b270]] +isDeleted,
         *name["u'gc'"=>"u'gc\\nDEL:346bf199-8"], *dc["u'gc'"=>"u'gc\\nDEL:346bf199-8"]
AB,8785: [A:[DomainDnsZones]/B:[DomainDnsZones  DEL:58b2962b-708c-4c93-99ff-0b7e163131f9]]
         +isDeleted, *name["u'DomainDnsZones'"=>"u'DomainDnsZones\\nDE"],
         *dc["u'DomainDnsZones'"=>"u'DomainDnsZones\\nDE"]
AB,8786: [A:[ForestDnsZones]/B:[ForestDnsZones  DEL:87f7d8a2-4d05-48d0-8283-9ab084584470]]
         +isDeleted, *name["u'ForestDnsZones'"=>"u'ForestDnsZones\\nDE"],
         *dc["u'ForestDnsZones'"=>"u'ForestDnsZones\\nDE"]
 B,8789: [snorky insomnihack]
 B,8790: [gc]
 B,8791: [DomainDnsZones]
 B,8792: [ForestDnsZones]
---------------
Table [datatable]: 7636 records checked, 0 disappeared, 4 appeared, 5 changed
===============

Other features

  • can give reports in different formats:

    • live dump

    • ReST document

    • zipped tree of CSV files

  • audit log of writings in a database

  • table consistency checks before mining

Authors

  • Airbus Group CERT

  • Airbus Group Innovations

  • Airbus DS CyberSecurity

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

bta-0.6.tar.gz (66.6 kB view details)

Uploaded Source

Built Distribution

bta-0.6.linux-x86_64.tar.gz (158.6 kB view details)

Uploaded Source

File details

Details for the file bta-0.6.tar.gz.

File metadata

  • Download URL: bta-0.6.tar.gz
  • Upload date:
  • Size: 66.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No

File hashes

Hashes for bta-0.6.tar.gz
Algorithm Hash digest
SHA256 01e8c2b68f8d0a574785130ab207b77b698c1b6990a40d8434ffd4b355c13bd6
MD5 34a1820e306df2373dde1a33d5568b90
BLAKE2b-256 e9517a7f94568db26efc495d710827b28cfe3fc41a4688162ee94f4bae0fe3de

See more details on using hashes here.

File details

Details for the file bta-0.6.linux-x86_64.tar.gz.

File metadata

File hashes

Hashes for bta-0.6.linux-x86_64.tar.gz
Algorithm Hash digest
SHA256 f3b6d6696f6c3cad2ff64009c1cd45d66c228a61abb8d8ec3757d8f13316a0ad
MD5 7f02a7288e1a6365e1854cbfd33b6a09
BLAKE2b-256 1bb36cb645b02bbb1afaab53ce56666b2dbcedc8fb0e15ed817e018c92a4210b

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page