Analytics Story: Active Directory Discovery

Date: 2021-08-20 ID: 8460679c-2b21-463e-b381-b813417c32f2 Author: Mauricio Velazco, Splunk Product: Splunk Enterprise Security

Description

Monitor for activities and techniques associated with Discovery and Reconnaissance within with Active Directory environments.

Why it matters

Discovery consists of techniques an adversay uses to gain knowledge about an internal environment or network. These techniques provide adversaries with situational awareness and allows them to have the necessary information before deciding how to act or who/what to target next. Once an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include but are not limited to enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
AdsiSearcher Account Discovery Domain Account, Account Discovery TTP
Domain Account Discovery with Dsquery Domain Account, Account Discovery Hunting
Domain Account Discovery With Net App Domain Account, Account Discovery TTP
Domain Account Discovery with Wmic Domain Account, Account Discovery TTP
Domain Controller Discovery with Nltest Remote System Discovery TTP
Domain Controller Discovery with Wmic Remote System Discovery Hunting
Domain Group Discovery with Adsisearcher Permission Groups Discovery, Domain Groups TTP
Domain Group Discovery With Dsquery Permission Groups Discovery, Domain Groups Hunting
Domain Group Discovery With Net Permission Groups Discovery, Domain Groups Hunting
Domain Group Discovery With Wmic Permission Groups Discovery, Domain Groups Hunting
DSQuery Domain Discovery Domain Trust Discovery TTP
Elevated Group Discovery With Net Permission Groups Discovery, Domain Groups TTP
Elevated Group Discovery with PowerView Permission Groups Discovery, Domain Groups Hunting
Elevated Group Discovery With Wmic Permission Groups Discovery, Domain Groups TTP
Get ADDefaultDomainPasswordPolicy with Powershell Password Policy Discovery Hunting
Get ADDefaultDomainPasswordPolicy with Powershell Script Block Password Policy Discovery Hunting
Get ADUser with PowerShell Domain Account, Account Discovery Hunting
Get ADUser with PowerShell Script Block Domain Account, Account Discovery Hunting
Get ADUserResultantPasswordPolicy with Powershell Password Policy Discovery TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block Password Policy Discovery TTP
Get DomainPolicy with Powershell Password Policy Discovery TTP
Get DomainPolicy with Powershell Script Block Password Policy Discovery TTP
Get-DomainTrust with PowerShell Domain Trust Discovery TTP
Get-DomainTrust with PowerShell Script Block Domain Trust Discovery TTP
Get DomainUser with PowerShell Domain Account, Account Discovery TTP
Get DomainUser with PowerShell Script Block Domain Account, Account Discovery TTP
Get-ForestTrust with PowerShell Domain Trust Discovery TTP
Get-ForestTrust with PowerShell Script Block Domain Trust Discovery, PowerShell TTP
Get WMIObject Group Discovery Permission Groups Discovery, Local Groups Hunting
Get WMIObject Group Discovery with Script Block Logging Permission Groups Discovery, Local Groups Hunting
GetAdComputer with PowerShell Remote System Discovery Hunting
GetAdComputer with PowerShell Script Block Remote System Discovery Hunting
GetAdGroup with PowerShell Permission Groups Discovery, Domain Groups Hunting
GetAdGroup with PowerShell Script Block Permission Groups Discovery, Domain Groups Hunting
GetCurrent User with PowerShell System Owner/User Discovery Hunting
GetCurrent User with PowerShell Script Block System Owner/User Discovery Hunting
GetDomainComputer with PowerShell Remote System Discovery TTP
GetDomainComputer with PowerShell Script Block Remote System Discovery TTP
GetDomainController with PowerShell Remote System Discovery Hunting
GetDomainController with PowerShell Script Block Remote System Discovery TTP
GetDomainGroup with PowerShell Permission Groups Discovery, Domain Groups TTP
GetDomainGroup with PowerShell Script Block Permission Groups Discovery, Domain Groups TTP
GetLocalUser with PowerShell Account Discovery, Local Account Hunting
GetLocalUser with PowerShell Script Block Account Discovery, Local Account, PowerShell Hunting
GetNetTcpconnection with PowerShell System Network Connections Discovery Hunting
GetNetTcpconnection with PowerShell Script Block System Network Connections Discovery Hunting
GetWmiObject Ds Computer with PowerShell Remote System Discovery TTP
GetWmiObject Ds Computer with PowerShell Script Block Remote System Discovery TTP
GetWmiObject Ds Group with PowerShell Permission Groups Discovery, Domain Groups TTP
GetWmiObject Ds Group with PowerShell Script Block Permission Groups Discovery, Domain Groups TTP
GetWmiObject DS User with PowerShell Domain Account, Account Discovery TTP
GetWmiObject DS User with PowerShell Script Block Domain Account, Account Discovery TTP
GetWmiObject User Account with PowerShell Account Discovery, Local Account Hunting
GetWmiObject User Account with PowerShell Script Block Account Discovery, Local Account, PowerShell Hunting
Local Account Discovery with Net Account Discovery, Local Account Hunting
Local Account Discovery With Wmic Account Discovery, Local Account Hunting
Net Localgroup Discovery Permission Groups Discovery, Local Groups Hunting
Network Connection Discovery With Arp System Network Connections Discovery Hunting
Network Connection Discovery With Net System Network Connections Discovery Hunting
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Network Discovery Using Route Windows App System Network Configuration Discovery, Internet Connection Discovery Hunting
NLTest Domain Trust Discovery Domain Trust Discovery TTP
Password Policy Discovery with Net Password Policy Discovery Hunting
PowerShell Get LocalGroup Discovery Permission Groups Discovery, Local Groups Hunting
Powershell Get LocalGroup Discovery with Script Block Logging Permission Groups Discovery, Local Groups Hunting
Remote System Discovery with Adsisearcher Remote System Discovery TTP
Remote System Discovery with Dsquery Remote System Discovery Hunting
Remote System Discovery with Net Remote System Discovery Hunting
Remote System Discovery with Wmic Remote System Discovery TTP
ServicePrincipalNames Discovery with PowerShell Kerberoasting TTP
ServicePrincipalNames Discovery with SetSPN Kerberoasting TTP
System User Discovery With Query System Owner/User Discovery Hunting
System User Discovery With Whoami System Owner/User Discovery Hunting
User Discovery With Env Vars PowerShell System Owner/User Discovery Hunting
User Discovery With Env Vars PowerShell Script Block System Owner/User Discovery Hunting
Windows AD Abnormal Object Access Activity Account Discovery, Domain Account Anomaly
Windows AD Privileged Object Access Activity Account Discovery, Domain Account TTP
Windows File Share Discovery With Powerview Network Share Discovery TTP
Windows Find Domain Organizational Units with GetDomainOU Account Discovery, Domain Account TTP
Windows Find Interesting ACL with FindInterestingDomainAcl Account Discovery, Domain Account TTP
Windows Forest Discovery with GetForestDomain Account Discovery, Domain Account TTP
Windows Get Local Admin with FindLocalAdminAccess Account Discovery, Domain Account TTP
Windows Hidden Schedule Task Settings Scheduled Task/Job TTP
Windows Lateral Tool Transfer RemCom Lateral Tool Transfer TTP
Windows Linked Policies In ADSI Discovery Domain Account, Account Discovery Anomaly
Windows Network Share Interaction With Net Network Share Discovery, Data from Network Shared Drive TTP
Windows PowerView AD Access Control List Enumeration Domain Accounts, Permission Groups Discovery TTP
Windows Root Domain linked policies Discovery Domain Account, Account Discovery Anomaly
Windows Service Create RemComSvc Windows Service, Create or Modify System Process Anomaly
Windows Suspect Process With Authentication Traffic Account Discovery, Domain Account, User Execution, Malicious File Anomaly
Wmic Group Discovery Permission Groups Discovery, Local Groups Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4662 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log System 7045 Windows icon Windows xmlwineventlog XmlWinEventLog:System

References

Source: GitHub | Version: 1