Active Directory

A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (users, groups, applications, or devices).[1]

ID: DS0026
Platforms: Azure AD, Windows
Collection Layers: Cloud Control Plane, Host
Contributors: Center for Threat-Informed Defense (CTID)
Version: 1.0
Created: 20 October 2021
Last Modified: 30 March 2022

Data Components

Active Directory: Active Directory Credential Request

A user requested active directory credentials, such as a ticket or token (ex: Windows EID 4769)

Domain ID Name Detects
Enterprise T1649 Steal or Forge Authentication Certificates

Monitor AD CS certificate requests (ex: EID 4886) as well as issued certificates (ex: EID 4887) for abnormal activity, including unexpected certificate enrollments and signs of abuse within certificate attributes (such as abusable EKUs).[2]

Enterprise T1558 Steal or Forge Kerberos Tickets

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.[3][4][5] Monitor the lifetime of TGT tickets for values that differ from the default domain duration.[6] Monitor for indications of Pass the Ticket being used to move laterally.

.001 Golden Ticket

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4769, 4768), RC4 encryption within TGTs, and TGS requests without preceding TGT requests. Monitor the lifetime of TGT tickets for values that differ from the default domain duration. Monitor for indications of Pass the Ticket being used to move laterally.

.003 Kerberoasting

Monitor for anomalous Kerberos activity, such as enabling Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).

.004 AS-REP Roasting

Monitor for anomalous activity, such as enabling Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]).

Enterprise T1550 Use Alternate Authentication Material

Monitor requests of new ticket granting ticket or service tickets to a Domain Controller, such as Windows EID 4769 or 4768, that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

.002 Pass the Hash

Monitor requests of new ticket granting ticket or service tickets to a Domain Controller. Windows Security events such as 4768 (A Kerberos authentication ticket (TGT) was requested) and 4769 (A Kerberos service ticket was requested) combined with logon session creation information may be indicative of an overpass the hash attempt.

.003 Pass the Ticket

Monitor requests of new ticket granting ticket or service tickets to a Domain Controller. Event ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to "Integrity check on decrypted field failed" and indicates misuse by a previously invalidated golden ticket.[5]
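The detection guidance above for Kerberoasting (many RC4 service-ticket requests in a short window), AS-REP Roasting (TGT requests with no pre-authentication), Golden Ticket (TGS requests with no preceding TGT request) and Pass the Ticket (status 0x1F on a 4769) can be expressed as a few checks over normalized 4768/4769 records. The following is an added example, not code from the ATT&CK page: the event records, account names, IPs and SPNs are constructed, the field names only loosely follow the event XML data, and the 10-hour lookback is the default TGT lifetime, used here as an assumption about the monitored domain.

```python
"""Detection checks over Windows Kerberos audit events (EID 4768 / 4769).

Added example, not code from the ATT&CK page. The records below are
constructed; field names loosely follow the event XML data (TargetUserName,
IpAddress, ServiceName, TicketEncryptionType, PreAuthType, Status) but the
dicts are hand-built, not parsed from an .evtx file.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"          # TicketEncryptionType for RC4-HMAC
NO_PREAUTH = "0x0"         # PreAuthType when no pre-authentication was performed
INTEGRITY_FAILED = "0x1f"  # Status: "Integrity check on decrypted field failed"


def ev(time, eid, user, ip, etype, status="0x0", service=None, preauth=None):
    """Build one normalized Kerberos audit record (constructed sample data)."""
    return {"time": time, "id": eid, "user": user, "ip": ip, "etype": etype,
            "status": status, "service": service, "preauth": preauth}


# Constructed sample: one benign session, one Kerberoasting burst, one
# AS-REP roastable account, and service-ticket use with no TGT request.
SAMPLE_EVENTS = [
    ev("2022-03-30T09:00:00", 4768, "alice", "10.0.0.5", "0x12", preauth="0x2"),
    ev("2022-03-30T09:00:01", 4769, "alice", "10.0.0.5", "0x12", service="cifs/fs01"),
    ev("2022-03-30T10:00:00", 4768, "bob", "10.0.0.9", "0x12", preauth="0x2"),
    ev("2022-03-30T10:00:05", 4769, "bob", "10.0.0.9", "0x17", service="MSSQLSvc/sql01:1433"),
    ev("2022-03-30T10:00:06", 4769, "bob", "10.0.0.9", "0x17", service="http/web01"),
    ev("2022-03-30T10:00:07", 4769, "bob", "10.0.0.9", "0x17", service="cifs/fs02"),
    ev("2022-03-30T10:00:08", 4769, "bob", "10.0.0.9", "0x17", service="ldap/dc01"),
    ev("2022-03-30T11:00:00", 4768, "svc_legacy", "10.0.0.9", "0x17", preauth="0x0"),
    ev("2022-03-30T12:00:00", 4769, "Administrator", "10.0.0.77", "0x12", service="ldap/dc01"),
    ev("2022-03-30T12:00:30", 4769, "Administrator", "10.0.0.77", "0x12", service="cifs/dc01", status="0x1F"),
]


def _ts(e):
    return datetime.fromisoformat(e["time"])


def kerberoasting_candidates(events, window=timedelta(minutes=5), min_services=3):
    """Accounts that requested RC4 service tickets for >= min_services distinct
    SPNs inside one `window` (many 4769 with etype 0x17 in a short time frame)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["id"] == 4769 and e["etype"].lower() == RC4_HMAC:
            by_user[e["user"]].append(e)
    hits = {}
    for user, reqs in by_user.items():
        for i, start in enumerate(reqs):  # sliding window over time-ordered requests
            services = {r["service"] for r in reqs[i:] if _ts(r) - _ts(start) <= window}
            if len(services) >= min_services:
                hits[user] = sorted(services)
                break
    return hits


def asrep_roasting_candidates(events):
    """Accounts whose TGT (4768) was issued without pre-authentication (PreAuthType 0),
    reported with the ticket encryption type so RC4 (0x17) requests stand out."""
    return sorted((e["user"], e["etype"].lower()) for e in events
                  if e["id"] == 4768 and e["preauth"] == NO_PREAUTH)


def tgs_without_tgt(events, lookback=timedelta(hours=10)):
    """4769 requests with no successful 4768 for the same account and source IP
    within `lookback` (assumed default TGT lifetime of 10 hours)."""
    tgts = defaultdict(list)
    for e in events:
        if e["id"] == 4768 and e["status"].lower() == "0x0":
            tgts[(e["user"], e["ip"])].append(_ts(e))
    hits = []
    for e in sorted(events, key=_ts):
        if e["id"] != 4769:
            continue
        t = _ts(e)
        if not any(timedelta(0) <= t - tt <= lookback for tt in tgts[(e["user"], e["ip"])]):
            hits.append((e["user"], e["ip"], e["service"]))
    return hits


def failed_integrity_checks(events):
    """4769 events with status 0x1F: a ticket the KDC could not validate, which the
    ATT&CK text ties to a golden ticket used after two krbtgt password resets."""
    return [(e["user"], e["ip"], e["service"]) for e in events
            if e["id"] == 4769 and e["status"].lower() == INTEGRITY_FAILED]


if __name__ == "__main__":
    print("Kerberoasting:", kerberoasting_candidates(SAMPLE_EVENTS))
    print("AS-REP roasting:", asrep_roasting_candidates(SAMPLE_EVENTS))
    print("TGS without TGT:", tgs_without_tgt(SAMPLE_EVENTS))
    print("Status 0x1F:", failed_integrity_checks(SAMPLE_EVENTS))
```

The window size and the distinct-SPN threshold in `kerberoasting_candidates` are tuning knobs: service accounts and monitoring tools that legitimately request many tickets should be baselined before alerting, and the TGS-without-TGT check keys on account plus source IP, so a TGT obtained on one host and a service ticket requested from another will also surface and needs the same baselining.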

Active Directory: Active Directory Object Access

Opening of an active directory object, typically to collect/read its value (ex: Windows EID 4661)

Domain ID Name Detects
Enterprise T1615 Group Policy Discovery

Monitor for abnormal LDAP queries with filters for groupPolicyContainer and high volumes of LDAP traffic to domain controllers. Windows Event ID 4661 can also be used to detect when a directory service has been accessed.

Enterprise T1003 OS Credential Dumping

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.[7][8][9] Note: Domain controllers may not log replication requests originating from the default domain controller account.[10] Monitor for replication requests[11] from IPs not associated with known domain controllers.[12]

.006 DCSync

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.[7][8][9] Note: Domain controllers may not log replication requests originating from the default domain controller account.[10]

Enterprise T1033 System Owner/User Discovery

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.[7][8][9] Note: Domain controllers may not log replication requests originating from the default domain controller account.[10] Monitor for replication requests[11] from IPs not associated with known domain controllers.[12]
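The DCSync guidance under T1003, T1003.006 and the entry above comes down to one question per replication request: did it come from a known domain controller? The following is an added example, not code from the ATT&CK page. It assumes the SIEM has already normalized directory-service audit records into dicts carrying the requesting account, a source IP joined from the logon session, and the control-access-right GUIDs that were exercised; the DC inventory and the sample records are constructed, and the replication-right GUIDs are AD schema constants that the page itself does not list.

```python
"""Flag directory replication requests that do not originate from a known DC.

Added example, not code from the ATT&CK page. It assumes the SIEM has already
normalized DC audit records into dicts carrying the requesting account, the
source IP (joined from the logon session) and the control-access-right GUIDs
that were exercised; the inventory and the records are constructed.
"""

# Extended-right GUIDs from the AD schema that DCSync-style replication
# exercises (known schema constants, not values taken from the ATT&CK page).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed inventory: DC computer account -> the address it replicates from.
KNOWN_DCS = {"DC01$": "10.0.0.10", "DC02$": "10.0.0.11"}

# Constructed sample records. Note the page's caveat: requests made by the
# default domain controller account may be missing from the log entirely, so
# absence of a record is not evidence that no replication happened.
SAMPLE_RECORDS = [
    {"time": "2022-03-30T08:00:00", "account": "DC02$", "src_ip": "10.0.0.11",
     "rights": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"time": "2022-03-30T08:05:00", "account": "jdoe", "src_ip": "10.0.0.55",
     "rights": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"time": "2022-03-30T08:06:00", "account": "DC01$", "src_ip": "10.0.0.99",
     "rights": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"time": "2022-03-30T08:07:00", "account": "jdoe", "src_ip": "10.0.0.55",
     "rights": ["00000000-0000-0000-0000-000000000000"]},  # placeholder: an unrelated right
]


def replication_requests(records):
    """Records in which at least one replication right was exercised."""
    return [r for r in records
            if {g.lower() for g in r["rights"]} & set(REPLICATION_RIGHTS)]


def suspicious_replication(records, known_dcs=KNOWN_DCS):
    """Replication requests whose account or source IP is not a known DC, or
    whose DC account name appears from an address the inventory does not list."""
    findings = []
    for r in replication_requests(records):
        reasons = []
        if r["account"] not in known_dcs:
            reasons.append("account is not a DC computer account")
        elif known_dcs[r["account"]] != r["src_ip"]:
            reasons.append("source IP does not match the inventory entry for " + r["account"])
        if r["src_ip"] not in known_dcs.values():
            reasons.append("source IP is not a known domain controller")
        if reasons:
            findings.append({
                "time": r["time"], "account": r["account"], "src_ip": r["src_ip"],
                "rights": [REPLICATION_RIGHTS[g.lower()] for g in r["rights"]
                           if g.lower() in REPLICATION_RIGHTS],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in suspicious_replication(SAMPLE_RECORDS):
        print(f["time"], f["account"], f["src_ip"], ", ".join(f["rights"]),
              "->", "; ".join(f["reasons"]))
```

Keeping the DC inventory as an account-to-address map rather than a flat IP allowlist is deliberate: a DC computer account seen from an address the inventory does not list is flagged even though the account name itself is legitimate, which covers both a stolen DC account and a host that was promoted without the inventory being updated.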

Active Directory: Active Directory Object Creation

Initial construction of a new active directory object (ex: Windows EID 5137)

Domain ID Name Detects
Enterprise T1098 .005 Account Manipulation: Device Registration

Monitor for the registration or joining of new device objects in Active Directory. Raise alerts when new devices are registered or joined without using MFA.[13]

Enterprise T1484 Domain Policy Modification

Monitor for newly constructed active directory objects, such as Windows EID 5137.

.001 Group Policy Modification

Monitor for newly constructed active directory objects, such as Windows EID 5137.

.002 Domain Trust Modification

Monitor for newly constructed active directory objects, such as Windows EID 5137.

Enterprise T1207 Rogue Domain Controller

Baseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects.[14]

Active Directory: Active Directory Object Deletion

Removal of an active directory object (ex: Windows EID 5141)

Domain ID Name Detects
Enterprise T1484 Domain Policy Modification

Monitor for unexpected deletion of an active directory object, such as Windows EID 5141.

.001 Group Policy Modification

Monitor for unexpected deletion of an active directory object, such as Windows EID 5141.

Active Directory: Active Directory Object Modification

Changes made to an active directory object (ex: Windows EID 5163 or 5136)

Domain ID Name Detects
Enterprise T1134 Access Token Manipulation

Monitor for changes made to AD settings that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls.

.005 SID-History Injection

Monitor for changes to account management events on Domain Controllers for successful and failed changes to SID-History.[15][16]

Enterprise T1531 Account Access Removal

Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.).

Enterprise T1098 Account Manipulation

Monitor for the registration or joining of new device objects in Active Directory. Raise alerts when new devices are registered or joined without using MFA.[13]

Enterprise T1037 Boot or Logon Initialization Scripts

Monitor for changes made in the Active Directory that may use scripts automatically executed at boot or logon initialization to establish persistence.

.003 Network Logon Script

Monitor for changes made in the Active Directory that may use network logon scripts automatically executed at logon initialization to establish persistence.

Enterprise T1484 Domain Policy Modification

Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.).

.001 Group Policy Modification

Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.).

.002 Domain Trust Modification

Monitor for changes made to AD settings for unexpected modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain.

Enterprise T1222 File and Directory Permissions Modification

Monitor for changes made to ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

.001 Windows File and Directory Permissions Modification

Monitor for changes made to DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible.

Enterprise T1556 Modify Authentication Process

Monitor for changes made to AD security settings related to MFA logon requirements, such as changes to Azure AD Conditional Access Policies or the registration of new MFA applications.

.005 Reversible Encryption

Monitor property changes in Group Policy: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption. By default, the property should be set to Disabled.

.006 Multi-Factor Authentication

Monitor for changes made to AD security settings related to MFA logon requirements, such as changes to Azure AD Conditional Access Policies or the registration of new MFA applications.

Enterprise T1207 Rogue Domain Controller

Leverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies.[17][18] Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929).[14]

Enterprise T1649 Steal or Forge Authentication Certificates

Monitor for changes to CA attributes and settings, such as AD CS certificate template modifications (ex: EID 4899/4900 once a potentially malicious certificate is enrolled).[2]

References