Source: Black Hills Information Security Author: BHIS URL: https://www.blackhillsinfosec.com/one-active-directory-account-can-be-your-best-early-warning/
-
ONE SENTENCE SUMMARY: Jordan walks through Active Directory detection techniques that catch common adversary activities early by monitoring a single decoy account.
-
MAIN POINTS:
- One decoy AD account can provide three early detection methods for adversary activity: enumeration, Kerberoasting, and password spraying.
- Active Directory enumeration, which adversaries perform with tools such as ADExplorer, BloodHound, and LDP.exe, shows up as reads of the decoy object once an audit rule is set on it.
- Kerberoasting, which requests service tickets for accounts that have a Service Principal Name set, is a common threat to monitor.
- Password spraying and credential stuffing are prevalent attack methods; failed logons against the decoy account reveal them.
- A lab environment can be deployed on Microsoft Azure for the practical exercises.
- PowerShell commands create the decoy user account and set the audit rules on it in AD.
- Windows Security Event IDs 4624 (successful logon), 4625 (failed logon), and 4662 (an operation was performed on an AD object) are the key events for monitoring the decoy account.
- KQL queries over those events detect access to the decoy account.
- Scheduled analytics rules in Microsoft Sentinel turn those queries into alerts.
- The detection engineering methodology is: create the decoy account, set the audit rules, query the resulting events, and alert on them.
-
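The whole procedure above (decoy account, audit rule, audit policy, KQL, Sentinel rule) as one worked PowerShell example. This is an added example, not code from the BHIS post or from Jordan. The decoy name, OU, SPN and output file are assumed placeholders; it must run elevated, as a Domain Admin, on a host with the ActiveDirectory RSAT module. The KQL uses the column names of the Sentinel SecurityEvent table. The summary lists 4624, 4625 and 4662; Event ID 4769 (a Kerberos service ticket was requested) is enabled here in addition because it is the event that records Kerberoasting against the bait SPN.

```powershell
# Added example (not the BHIS post's code). Names below are assumptions.
Import-Module ActiveDirectory

$DecoyName = 'svc-backup-legacy'                       # assumed decoy name
$DecoyOU   = 'OU=Service Accounts,DC=corp,DC=example'  # assumed OU
$DecoySpn  = 'MSSQLSvc/sql-legacy.corp.example:1433'   # assumed bait SPN

# 1. Create the decoy with a long random password that nobody is given. Any
#    4624 for it is then interesting, and the SPN makes it Kerberoastable bait.
$Chars    = [char[]](48..57 + 65..90 + 97..122)
$Plain    = -join (1..32 | ForEach-Object { $Chars | Get-Random })
$Password = ConvertTo-SecureString -String $Plain -AsPlainText -Force
New-ADUser -Name $DecoyName -SamAccountName $DecoyName -Path $DecoyOU `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
    -Description 'Legacy backup service account (do not remove)' `
    -ServicePrincipalNames @($DecoySpn)
Remove-Variable Plain   # do not leave the cleartext in the session

# 2. Put a SACL on the object so that *reading* it (what ADExplorer, BloodHound
#    and LDP.exe do when they enumerate) writes Event ID 4662 on the DC.
$Decoy    = Get-ADUser -Identity $DecoyName
$AdPath   = "AD:\$($Decoy.DistinguishedName)"
$Acl      = Get-Acl -Path $AdPath -Audit
$Everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$Rule     = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $Everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$Acl.AddAuditRule($Rule)
Set-Acl -Path $AdPath -AclObject $Acl

# 3. A SACL records nothing unless the matching audit subcategories are on.
#    Run on every DC (or push via GPO): DS access for 4662, logon for 4624/4625,
#    service ticket operations for 4769 (Kerberoasting of the bait SPN).
auditpol /set /subcategory:"Directory Service Access" /success:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable

# 4. KQL for a Sentinel scheduled analytics rule. 4662 identifies the object by
#    GUID, not by name, so match on the GUID; 4624/4625 carry the account name.
#    Machine accounts (ending in $) read the object constantly (replication,
#    GPO processing), so for 4662 only non-machine readers are kept.
$DecoyGuid = $Decoy.ObjectGUID.ToString()
$Kql = @"
let DecoyGuid = '$DecoyGuid';
let DecoyName = '$DecoyName';
SecurityEvent
| where TimeGenerated > ago(1h)
| where (EventID in (4624, 4625) and TargetUserName =~ DecoyName)
     or (EventID == 4662 and ObjectName has DecoyGuid)
| where EventID != 4662 or SubjectUserName !endswith '`$'
| project TimeGenerated, EventID, Computer, SubjectUserName, TargetUserName,
          IpAddress, AccessMask, ObjectName
"@
$Kql | Set-Content -Path .\decoy-account-rule.kql   # assumed output file
Write-Host "Decoy $DecoyName created (objectGUID $DecoyGuid)."
Write-Host "Use decoy-account-rule.kql as a Sentinel scheduled rule: 1h lookback, alert when results > 0."
```

Two practitioner caveats: the 4662 rule audits every successful ReadProperty on the object, so expect steady reads from domain controllers and other machine accounts, which is why the query drops `SubjectUserName` values ending in `$` for that event only (not for 4624/4625, where the subject is frequently `-`). And because nobody is ever given the password, a 4624 for the decoy is a higher-severity signal than a 4625 or 4662, so it is worth a separate, more urgent Sentinel rule.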
TAKEAWAYS:
- Implement early detection methods for adversary activity in Active Directory.
- Use PowerShell to set up the decoy and its audit rules, and KQL queries to monitor and alert on it.
- Regularly audit and analyze the event logs for signs of compromise.
- Work through the hands-on lab exercises to understand AD security better.
- Stay current with common attack techniques so the detections keep pace with them.