Identifying Active Directory Attacks
Hacking Active Directory is most often associated with the process of elevating domain user access to domain admin access. Monitoring domain controller events can help identify when this process has started.
The first phase of any attack is reconnaissance. The attacker must learn about the environment to identify high-value targets. For Active Directory, this starts with LDAP queries.
StealthINTERCEPT has built-in policies for monitoring LDAP queries to determine if an attacker has started to map out members of privileged accounts—or even service accounts based on SPNs. Identifying where the queries originate, and what account is making these queries, is the first step in detecting potential threats against Active Directory.
Once the attacker has identified a potential target, an authentication attack may be used to try and obtain access to the target account. StealthINTERCEPT has built-in analytics that monitor for authentication-based attacks suck as Golden Tickets and Brute Force attacks, as well authentication conditions such as concurrent logins and impersonations.
It’s important to identify accounts that are getting locked out or have unusual activity.
- What computer is generating this suspicious activity?
- What account is under attack?
- When did the attack happen?
Answering these questions helps identify the compromised machine and accounts that are trying to gain access or escalate privileges.
StealthINTERCEPT for Active Directory Attacks
StealthINTERCEPT: Real-time Change & Access Monitoring for Identifying Threats
StealthINTERCEPT is an agent-based solution that sends activity alerts in real-time to Security Information and Event Management (SIEM) solutions and security administrators to alert on various threat types. It does not utilize native logging on domain controllers to identify these threats, so attackers cannot cover their tracks.
By monitoring for the beginning stages of Active Directory attacks, the potential threats can be eliminated before they gain access to other resources secured by Active Directory.
To learn more about how StealthINTERCEPT protects against Active Directory Attacks, please click here.
Don’t miss a post! Subscribe to The Insider Threat Security Blog here:
Spencer Stewart is a Senior Presales Engineer at STEALTHbits Technologies with over 17 years of professional IT experience and nine years in the regulated insurance and banking industries. Stewart is a highly certified Microsoft expert with a proven track record of driving results for clients of all sizes. He specializes in Microsoft Exchange/Active Directory architecture design, migration, and assessment.
Related Posts
- PROTIP – How to Purge Data in StealthAUDIT
- PROTIP – Fulfill a DSAR with StealthAUDIT 11.0
- Best Practices – Setting up StealthAUDIT SQL Server Database
- ProTip: How to Setup User Activity & Server Logon Scan in StealthAUDIT for Oracle
- Pro Tip – StealthINTERCEPT DB Maintenance Best Practices
- PROTIP: Policy Registration & Managing StealthINTERCEPT via PowerShell and Editing StealthDEFEND Investigations & Categorizing Playbooks
- PROTIP: How to Update the “Have I Been Pwned” (HIBP) Breach Dictionary in StealthINTERCEPT Enterprise Password Enforcer and StealthAUDIT
- Protip: How to Setup User Activity & Database Logon Scans in StealthAUDIT for Oracle
- ProTip – The Power of Character Substitution Checks in StealthINTERCEPT Enterprise Password Enforcer
- Protip: How to Setup User Activity & Server Logon Scan in StealthAUDIT for SQL
Leave a Reply