One Active Directory Account Can Be Your Best Early Warning

Source: Black Hills Information Security Author: BHIS URL: https://www.blackhillsinfosec.com/one-active-directory-account-can-be-your-best-early-warning/

ONE SENTENCE SUMMARY:

Jordan discusses Active Directory detection techniques that can catch common adversarial activities early through specific account monitoring.

MAIN POINTS:

  1. One AD account can provide three early detection methods for adversarial activities.
  2. Active Directory enumeration can be achieved using ADExplorer, BloodHound, and LDP.exe.
  3. Kerberoasting and service principal attacks are common threats to monitor.
  4. Password spraying and credential stuffing are prevalent attack methods.
  5. A lab environment can be deployed on Microsoft Azure for practical exercises.
  6. PowerShell commands can create user accounts and set audit rules in AD.
  7. Event IDs 4624, 4625, and 4662 are crucial for monitoring account activities.
  8. KQL queries help in detecting specific events related to user account access.
  9. Creating alerts in Microsoft Sentinel can enhance security monitoring.
  10. A methodology for detection engineering includes creating decoy accounts and setting audit rules.

TAKEAWAYS:

  1. Implement early detection methods for adversarial activities in Active Directory.
  2. Utilize PowerShell and KQL queries for effective monitoring and alerting.
  3. Regularly audit and analyze event logs for signs of compromise.
  4. Engage in hands-on lab exercises to understand AD security better.
  5. Stay updated with common attack techniques to enhance security measures.