WatchAD


AD Security Intrusion Detection System

English Document | 中文文档

After collecting event logs and Kerberos traffic from all domain controllers, WatchAD can detect a variety of known and unknown threats through feature matching, Kerberos protocol analysis, historical behavior baselines, sensitive-operation monitoring, honeypot accounts and so on. The WatchAD rules cover many common AD attacks.

WatchAD has been running on the Qihoo 360 intranet for more than six months and has uncovered several threat activities.

In order to support the open-source community and promote the improvement of the project, we decided to open source the part of the system that is based on event log detection.

The following are currently supported detections:

[NT] means "based on network traffic". Up to now, that part is not in this open-source plan. We will continue to open source more based on feedback.

Our talk "Evaded Microsoft ATA? But You Are Completely Exposed By Event Logs", about detecting AD attacks based on event logs, was presented at DEF CON 27 @ Blue Team Village.

Installation

WatchAD is a complete detection system with many components. Please refer to the installation tutorial to install it. To set up a honeypot account, please refer to the honeypot account tutorial.

Architecture


This project, WatchAD, only contains the part of the code associated with the detection engine. To display the results, you can feed the alarm data into your own platform, or use the web platform we developed, WatchAD-Web, which is a simple platform tailored to WatchAD for some common operations. If you have more requirements for interface design or operational experience, please customize the development based on WatchAD's alarm data.

Custom detection module

WatchAD supports the development of custom detection modules; please refer to our development tutorial.

If you don't need a module, you can delete that module's .py file directly and restart the detection engine.

Do not delete files in the "record" directory. They are not involved in threat detection; they only record key activities of entities.
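To make the detection approaches described above (honeypot accounts, historical behavior baselines and sensitive operations over event logs) concrete, and to show the shape a detection module takes, here is an added, self-contained example. It is not WatchAD's own code and does not use WatchAD's module interface; the event records, the honeypot account name svc_backup_admin, the hosts and the field names are constructed for the example (the field names follow the Windows Security event XML names such as TargetUserName, IpAddress and MemberName).

```python
"""Illustrative event-log detector: honeypot account use, new logon source
per account (historical behavior) and privileged group changes (sensitive
operation). Constructed sample data; not WatchAD's module API."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed honeypot account name: nobody should legitimately use it,
# so any Kerberos TGT request or logon for it is a high-confidence alert.
HONEYPOT_ACCOUNTS = {"svc_backup_admin"}

# Security event IDs used below:
#   4768 Kerberos TGT requested, 4624 successful logon,
#   4728 / 4732 / 4756 member added to a global / local / universal group.
SENSITIVE_GROUP_EVENTS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


@dataclass
class Alert:
    rule: str
    account: str
    source: str
    detail: str


def detect(events):
    """Run every rule over an ordered list of event records.

    Each record is {"event_id": int, "data": {...}}. The first logon
    source seen for an account seeds its baseline; later logons from a
    source not in the baseline raise a new_logon_source alert.
    """
    alerts = []
    seen_sources = defaultdict(set)  # account -> IP addresses seen so far

    for ev in events:
        eid = ev["event_id"]
        d = ev["data"]
        account = d.get("TargetUserName", "")
        src = d.get("IpAddress", "")

        # Honeypot account: any TGT request for it is suspicious.
        if eid == 4768 and account.lower() in HONEYPOT_ACCOUNTS:
            alerts.append(Alert("honeypot_account_tgt", account, src,
                                "TGT requested for honeypot account"))

        elif eid == 4624:
            if account.lower() in HONEYPOT_ACCOUNTS:
                alerts.append(Alert("honeypot_account_logon", account, src,
                                    "logon with honeypot account"))
            elif seen_sources[account] and src not in seen_sources[account]:
                # Historical behavior: this account never logged on from here.
                alerts.append(Alert("new_logon_source", account, src,
                                    f"previously seen from {sorted(seen_sources[account])}"))
            seen_sources[account].add(src)

        # Sensitive operation: membership change on a privileged group.
        # In these events TargetUserName is the group, MemberName the member.
        elif eid in SENSITIVE_GROUP_EVENTS and account in PRIVILEGED_GROUPS:
            alerts.append(Alert("privileged_group_change", d.get("MemberName", ""),
                                d.get("SubjectUserName", ""),
                                f"member added to {account}"))
    return alerts


# Constructed sample events (not real log data), in arrival order.
SAMPLE_EVENTS = [
    {"event_id": 4624, "data": {"TargetUserName": "alice", "IpAddress": "10.0.0.5"}},
    {"event_id": 4624, "data": {"TargetUserName": "alice", "IpAddress": "10.0.0.5"}},
    {"event_id": 4768, "data": {"TargetUserName": "svc_backup_admin", "IpAddress": "10.0.0.77"}},
    {"event_id": 4624, "data": {"TargetUserName": "alice", "IpAddress": "10.0.0.77"}},
    {"event_id": 4728, "data": {"TargetUserName": "Domain Admins",
                                "MemberName": "CN=bob,CN=Users,DC=example,DC=local",
                                "SubjectUserName": "alice"}},
    {"event_id": 4624, "data": {"TargetUserName": "bob", "IpAddress": "10.0.0.9"}},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] account={a.account} source={a.source} {a.detail}")
```

Running the block produces three alerts: the honeypot TGT request, alice's logon from a source never seen before, and the addition of bob to Domain Admins. A real module would persist the per-account baseline (which is the role the "record" directory plays in WatchAD) rather than keep it in memory, and would use a learning period before the new_logon_source rule starts alerting.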

// TODO

If you find other attack methods that could be added to WatchAD detection, please submit an issue to let us know, or submit a PR to become a contributor to this project.

If you find that a detection module has many false positives (more than 10 per day), please submit an issue to tell us, or submit a PR after fixing it.

Follow me

Github: @9ian1i Twitter: @9ian1i

Reference