Active Directory Attack Detections Part 1

Source: Dylan’s Blog

Author: Dylan Davis

URL: https://dylandavis1.github.io/2025-07-04-active-directory-detections-Part-1/

ONE SENTENCE SUMMARY:

This blog details detection techniques for various Active Directory attacks, providing practical rules for identifying malicious behavior using logs.

MAIN POINTS:

  1. Password spraying with Kerbrute generates Event ID 4768 logs with suspicious TicketOptions value 0x10.
  2. AS-REP Roasting uses GetNPUsers and shows TicketOptions 0x50800000 and PreAuthType 0 in Event ID 4768.
  3. Impacket’s getTGT tool creates anomalous TGT requests with 0x50800000 TicketOptions and Encryption Type 0x12.
  4. Kerberoasting via GetUserSPNs triggers Event ID 4768 and 4769 logs with RC4 encryption (0x17).
  5. Kerberoasting without pre-auth uses non-krbtgt SPNs and PreAuthType 0, mimicking AS-REP roasting logs.
  6. Mimikatz DCSync attacks generate four 4662 logs using anomalous GUIDs and user accounts, not DC machine accounts.
  7. Netexec DCSync via drsuapi produces three 4662 logs with DS-Replication-Get-Changes-All GUID in the third.
  8. Netexec’s ntdsutil method triggers Event ID 4799 and uses suspicious command lines and temporary directories.
  9. Netexec’s VSS method generates Event IDs 4904 and 4905 using VSSVC.exe and command-line shadow copy activity.
  10. Pass-the-Hash attacks show Event IDs 4624 and 4672 with Logon Type 9 and LogonProcessName “seclogo”.
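As an added example, not code from the original post: the Kerberos rules in points 1 through 5 applied to a handful of constructed Event ID 4768/4769 records (field names follow the Windows Security log XML; the source IPs, account names and the spray threshold of three distinct accounts per IP are assumptions).

```python
from collections import defaultdict


def kerberos_findings(events, spray_threshold=3):
    """Apply the post's 4768/4769 rules and return (rule, event) tuples.

    spray_threshold (distinct accounts per source IP with TicketOptions 0x10)
    is an assumed tuning value, not a number from the post.
    """
    findings = []
    spray_accounts = defaultdict(set)  # IpAddress -> accounts seen with 0x10
    for ev in events:
        opts = int(ev.get("TicketOptions", "0x0"), 16)
        enc = int(ev.get("TicketEncryptionType", "0x0"), 16)
        preauth = int(ev.get("PreAuthType", "-1"))
        svc = ev.get("ServiceName", "").lower()
        if ev["EventID"] == 4768:
            if opts == 0x10:  # Kerbrute-style AS-REQ, judged by volume below
                spray_accounts[ev["IpAddress"]].add(ev["TargetUserName"])
            if preauth == 0:  # no pre-auth: AS-REP roast, or roast of a non-krbtgt SPN
                rule = "asrep_roast" if svc == "krbtgt" else "kerberoast_no_preauth"
                findings.append((rule, ev))
            elif opts == 0x50800000 and enc == 0x12:  # getTGT-shaped TGT request
                findings.append(("impacket_gettgt", ev))
        elif ev["EventID"] == 4769 and enc == 0x17:  # RC4 service ticket
            findings.append(("kerberoast_rc4", ev))
    for ip, accounts in spray_accounts.items():
        if len(accounts) >= spray_threshold:
            findings.append(("kerbrute_spray", {"IpAddress": ip, "Accounts": sorted(accounts)}))
    return findings


# Constructed sample records: three 0x10 requests from one IP, one AS-REP roast,
# one getTGT request, one RC4 TGS request, one pre-auth-less request for a
# service SPN, and two ordinary Windows-client requests that should not fire.
SAMPLE_EVENTS = [
    {"EventID": 4768, "IpAddress": "10.0.0.5", "TargetUserName": u, "ServiceName": "krbtgt",
     "TicketOptions": "0x10", "PreAuthType": "2", "TicketEncryptionType": "0x17"}
    for u in ("alice", "bob", "carol")
] + [
    {"EventID": 4768, "IpAddress": "10.0.0.6", "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
     "TicketOptions": "0x50800000", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "IpAddress": "10.0.0.6", "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketOptions": "0x50800000", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "IpAddress": "10.0.0.6", "TargetUserName": "alice", "ServiceName": "mssqlsvc",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "IpAddress": "10.0.0.6", "TargetUserName": "svc_backup", "ServiceName": "mssqlsvc",
     "TicketOptions": "0x50800000", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "IpAddress": "10.0.0.20", "TargetUserName": "dave", "ServiceName": "krbtgt",
     "TicketOptions": "0x40810010", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "IpAddress": "10.0.0.20", "TargetUserName": "dave", "ServiceName": "cifs",
     "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12"},
]


def rules_fired(events=SAMPLE_EVENTS):
    """Distinct rule names raised over the given events, sorted for stable comparison."""
    return sorted({rule for rule, _ in kerberos_findings(events)})
```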

TAKEAWAYS:

  1. Anomalous TicketOptions and Encryption Types in Kerberos logs are strong indicators of credential-based attacks.
  2. Detection of DCSync should include GUID analysis and monitoring for non-DC accounts triggering 4662 logs.
  3. Netexec’s use of LOLBINs like ntdsutil and VSS can be detected through unique process creation patterns.
  4. Pass-the-Hash activity correlates Event IDs 4624 and 4672 using shared Logon IDs and elevated privileges.
  5. Effective detection relies on combining Event ID analysis, GUIDs, and process command-line behaviors.