Analytics Story: Active Directory Discovery

Description

Monitor for activities and techniques associated with Discovery and Reconnaissance within Active Directory environments.

Why it matters

Discovery consists of techniques an adversary uses to gain knowledge about an internal environment or network. These techniques provide situational awareness and give the adversary the information needed to decide how to act and who or what to target next. Once an attacker obtains an initial foothold in an Active Directory environment, she has to rely on Discovery techniques in the early phases of the breach to understand and navigate the target network. Examples include, but are not limited to, enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects and domain trusts. Because most of this enumeration uses built-in tooling that administrators also run (net, dsquery, nltest, wmic, the ActiveDirectory PowerShell module), individual hits are noisy; several distinct discovery techniques from one host or account in a short window is a far stronger signal than any single command.
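As an added example (not part of this analytic story and not one of its Splunk searches), the script below applies the same kind of command-line and script-block matching the story's detections rely on, then alerts only when one host/user pair exercises several distinct discovery techniques inside a short window. The regex patterns, the 10-minute window, the three-technique threshold and the event records are all assumptions made for illustration; the records are constructed, not captured telemetry.

```python
"""Tag Windows process-creation (4688 / Sysmon 1) command lines and
PowerShell script blocks (4104) with the AD discovery techniques they
resemble, then alert only when one host/user pair exercises several
distinct techniques within a short window.

Added example. The patterns, thresholds and event records are assumptions
made for illustration; they are not the story's Splunk searches.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Technique names follow the story's detections table. Patterns cover common
# living-off-the-land binaries, the ActiveDirectory module and PowerView.
DISCOVERY_PATTERNS = {
    "System Owner/User Discovery": [r"\bwhoami\b", r"\bquery\s+user\b"],
    "Domain Account": [
        r"\bnet1?\s+user\b.*/domain", r"\bdsquery\s+user\b",
        r"\bwmic\b.*\buseraccount\b", r"\bGet-ADUser\b",
        r"\bGet-DomainUser\b", r"\[adsisearcher\]",
    ],
    "Domain Groups": [
        r"\bnet1?\s+group\b.*/domain", r"\bdsquery\s+group\b",
        r"\bwmic\b.*\bgroup\b.*\bdomain\b", r"\bGet-ADGroup\b",
        r"\bGet-DomainGroup\b",
    ],
    "Remote System Discovery": [
        r"\bnltest\b.*/dclist", r"\bdsquery\s+(computer|server)\b",
        r"\bGet-ADComputer\b", r"\bGet-DomainComputer\b",
        r"\bGet-DomainController\b",
    ],
    "Domain Trust Discovery": [
        r"\bnltest\b.*/(domain_trusts|trusted_domains)",
        r"\bdsquery\b.*\btrustedDomain\b", r"\bGet-DomainTrust\b",
        r"\bGet-ForestTrust\b",
    ],
    "Password Policy Discovery": [
        r"\bnet1?\s+accounts\b", r"\bGet-ADDefaultDomainPasswordPolicy\b",
        r"\bGet-ADUserResultantPasswordPolicy\b", r"\bGet-DomainPolicy\b",
    ],
    "Kerberoasting": [r"\bsetspn\b.*\s-[tq]\b", r"\bservicePrincipalName\b"],
    "Network Share Discovery": [
        r"\bnet1?\s+view\b", r"\bFind-DomainShare\b", r"\bInvoke-ShareFinder\b",
    ],
}
COMPILED = {t: [re.compile(p, re.IGNORECASE) for p in ps]
            for t, ps in DISCOVERY_PATTERNS.items()}


def classify(text):
    """Return the set of technique names whose patterns match one command
    line or script block. An empty set means "not discovery"."""
    return {t for t, ps in COMPILED.items() if any(p.search(text) for p in ps)}


def triage(events, window=timedelta(minutes=10), min_techniques=3):
    """Group matching events by (host, user) and emit one alert per pair that
    ran at least `min_techniques` distinct techniques inside `window`.
    Requiring several techniques keeps a lone `whoami` or `net accounts`
    (routine admin work) below the alert threshold."""
    per_actor = defaultdict(list)
    for ev in events:
        hits = classify(ev["text"])
        if hits:
            per_actor[(ev["host"], ev["user"])].append((ev["time"], hits, ev["text"]))
    alerts = []
    for (host, user), matches in per_actor.items():
        matches.sort(key=lambda m: m[0])
        for i, (start, _, _) in enumerate(matches):
            burst = [m for m in matches[i:] if m[0] - start <= window]
            techniques = set().union(*(m[1] for m in burst))
            if len(techniques) >= min_techniques:
                alerts.append({"host": host, "user": user, "start": start,
                               "techniques": sorted(techniques),
                               "commands": [m[2] for m in burst]})
                break  # one alert per actor is enough for triage
    return alerts


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed events, not captured telemetry: "text" holds CommandLine for
# 4688 / Sysmon 1 and ScriptBlockText for 4104.
SAMPLE_EVENTS = [
    {"time": _ts("2024-03-04T09:00:05"), "host": "WS01", "user": "CORP\\jdoe",
     "event_id": 4688, "text": "whoami"},
    {"time": _ts("2024-03-04T09:00:40"), "host": "WS01", "user": "CORP\\jdoe",
     "event_id": 4688, "text": 'net group "Domain Admins" /domain'},
    {"time": _ts("2024-03-04T09:01:12"), "host": "WS01", "user": "CORP\\jdoe",
     "event_id": 4688, "text": "nltest /dclist:corp.local"},
    {"time": _ts("2024-03-04T09:02:30"), "host": "WS01", "user": "CORP\\jdoe",
     "event_id": 4104, "text": "$s=[adsisearcher]'(objectCategory=user)'; $s.FindAll()"},
    {"time": _ts("2024-03-04T09:03:01"), "host": "WS01", "user": "CORP\\jdoe",
     "event_id": 4688, "text": "setspn -T corp.local -Q */*"},
    # A lone password-policy query from a jump host: stays below threshold.
    {"time": _ts("2024-03-04T11:15:00"), "host": "JUMP01", "user": "CORP\\admin1",
     "event_id": 4688, "text": "net accounts /domain"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} from {a['start']:%H:%M:%S}: "
              f"{', '.join(a['techniques'])}")
        for c in a["commands"]:
            print("   ", c)
```

Running it reports WS01 / CORP\jdoe with five techniques in under three minutes, while the single `net accounts` on JUMP01 produces nothing. The threshold and window are the tuning knobs: raise `min_techniques` on hosts where administrators legitimately enumerate the directory, and feed `classify` from the same 4688, Sysmon 1 and 4104 sources listed under Data Sources.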

Detections

Name | Technique | Type
AdsiSearcher Account Discovery | Domain Account | TTP
Domain Account Discovery with Dsquery | Domain Account | Hunting
Domain Account Discovery with Wmic | Domain Account | TTP
Domain Controller Discovery with Nltest | Remote System Discovery | TTP
Domain Controller Discovery with Wmic | Remote System Discovery | Hunting
Domain Group Discovery with Adsisearcher | Domain Groups | TTP
Domain Group Discovery With Dsquery | Domain Groups | Hunting
Domain Group Discovery With Wmic | Domain Groups | Hunting
DSQuery Domain Discovery | Domain Trust Discovery | TTP
Elevated Group Discovery with PowerView | Domain Groups | Hunting
Elevated Group Discovery With Wmic | Domain Groups | TTP
Get ADDefaultDomainPasswordPolicy with Powershell | Password Policy Discovery | Hunting
Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Password Policy Discovery | Hunting
Get ADUser with PowerShell | Domain Account | Hunting
Get ADUser with PowerShell Script Block | Domain Account | Hunting
Get ADUserResultantPasswordPolicy with Powershell | Password Policy Discovery | TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block | Password Policy Discovery | TTP
Get DomainPolicy with Powershell | Password Policy Discovery | TTP
Get DomainPolicy with Powershell Script Block | Password Policy Discovery | TTP
Get-DomainTrust with PowerShell | Domain Trust Discovery | TTP
Get-DomainTrust with PowerShell Script Block | Domain Trust Discovery | TTP
Get DomainUser with PowerShell | Domain Account | TTP
Get DomainUser with PowerShell Script Block | Domain Account | TTP
Get-ForestTrust with PowerShell | Domain Trust Discovery | TTP
Get-ForestTrust with PowerShell Script Block | Domain Trust Discovery, PowerShell | TTP
Get WMIObject Group Discovery | Local Groups | Hunting
Get WMIObject Group Discovery with Script Block Logging | Local Groups | Hunting
GetAdComputer with PowerShell | Remote System Discovery | Hunting
GetAdComputer with PowerShell Script Block | Remote System Discovery | Hunting
GetAdGroup with PowerShell | Domain Groups | Hunting
GetAdGroup with PowerShell Script Block | Domain Groups | Hunting
GetCurrent User with PowerShell | System Owner/User Discovery | Hunting
GetCurrent User with PowerShell Script Block | System Owner/User Discovery | Hunting
GetDomainComputer with PowerShell | Remote System Discovery | TTP
GetDomainComputer with PowerShell Script Block | Remote System Discovery | TTP
GetDomainController with PowerShell | Remote System Discovery | Hunting
GetDomainController with PowerShell Script Block | Remote System Discovery | TTP
GetDomainGroup with PowerShell | Domain Groups | TTP
GetDomainGroup with PowerShell Script Block | Domain Groups | TTP
GetLocalUser with PowerShell | Local Account | Hunting
GetLocalUser with PowerShell Script Block | PowerShell, Local Account | Hunting
GetNetTcpconnection with PowerShell | System Network Connections Discovery | Hunting
GetNetTcpconnection with PowerShell Script Block | System Network Connections Discovery | Hunting
GetWmiObject Ds Computer with PowerShell | Remote System Discovery | TTP
GetWmiObject Ds Computer with PowerShell Script Block | Remote System Discovery | TTP
GetWmiObject Ds Group with PowerShell | Domain Groups | TTP
GetWmiObject Ds Group with PowerShell Script Block | Domain Groups | TTP
GetWmiObject DS User with PowerShell | Domain Account | TTP
GetWmiObject DS User with PowerShell Script Block | Domain Account | TTP
GetWmiObject User Account with PowerShell | Local Account | Hunting
GetWmiObject User Account with PowerShell Script Block | PowerShell, Local Account | Hunting
Local Account Discovery With Wmic | Local Account | Hunting
Network Connection Discovery With Arp | System Network Connections Discovery | Hunting
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
Network Discovery Using Route Windows App | Internet Connection Discovery | Hunting
NLTest Domain Trust Discovery | Domain Trust Discovery | TTP
PowerShell Get LocalGroup Discovery | Local Groups | Hunting
Powershell Get LocalGroup Discovery with Script Block Logging | Local Groups | Hunting
Remote System Discovery with Adsisearcher | Remote System Discovery | TTP
Remote System Discovery with Dsquery | Remote System Discovery | Hunting
Remote System Discovery with Wmic | Remote System Discovery | TTP
ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP
ServicePrincipalNames Discovery with SetSPN | Kerberoasting | TTP
System User Discovery With Query | System Owner/User Discovery | Hunting
System User Discovery With Whoami | System Owner/User Discovery | Hunting
User Discovery With Env Vars PowerShell | System Owner/User Discovery | Hunting
User Discovery With Env Vars PowerShell Script Block | System Owner/User Discovery | Hunting
Windows AD Abnormal Object Access Activity | Domain Account | Anomaly
Windows AD Privileged Object Access Activity | Domain Account | TTP
Windows File Share Discovery With Powerview | Network Share Discovery | TTP
Windows Find Domain Organizational Units with GetDomainOU | Domain Account | TTP
Windows Find Interesting ACL with FindInterestingDomainAcl | Domain Account | TTP
Windows Forest Discovery with GetForestDomain | Domain Account | TTP
Windows Get Local Admin with FindLocalAdminAccess | Domain Account | TTP
Windows Group Discovery Via Net | Local Groups, Domain Groups | Hunting
Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP
Windows Linked Policies In ADSI Discovery | Domain Account | Anomaly
Windows Network Connection Discovery Via Net | System Network Connections Discovery | Hunting
Windows Network Share Interaction Via Net | Network Share Discovery, Data from Network Shared Drive | Anomaly
Windows Password Policy Discovery with Net | Password Policy Discovery | Hunting
Windows PowerView AD Access Control List Enumeration | Domain Accounts, Permission Groups Discovery | TTP
Windows Root Domain linked policies Discovery | Domain Account | Anomaly
Windows Sensitive Group Discovery With Net | Domain Groups | Anomaly
Windows Service Create RemComSvc | Windows Service | Anomaly
Windows Service Execution RemCom | Service Execution | TTP
Windows Suspect Process With Authentication Traffic | Domain Account, Malicious File | Anomaly
Windows System Remote Discovery With Query | System Owner/User Discovery | Anomaly
Windows User Discovery Via Net | Local Account | Hunting
Wmic Group Discovery | Local Groups | Hunting

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4662 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 1