Full Report
Here we go again, discussing Active Directory, hacking, and detection engineering. tl;dr: One AD account can provide you with three detections that if implemented properly will catch common adversarial activities […] The post One Active Directory Account Can Be Your Best Early Warning appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Best Practices: Active Directory Security Monitoring and Detection Engineering
## Overview
These practices focus on creating high-fidelity security detections within an Active Directory environment to proactively catch common adversarial tactics, techniques, and procedures (TTPs), specifically focusing on enumeration, Kerberoasting, and brute-force attacks, using decoy accounts and specific event monitoring.
## Key Recommendations
### Immediate Actions
1. **Establish Decoy Accounts:** Create one or more dedicated Active Directory user objects (e.g., a "honey account") specifically intended for monitoring and detection engineering.
2. **Configure UAC Auditing on Decoy:** For the decoy account, add a SACL entry that audits successful reads (Event ID 4662) of the `userAccountControl` attribute (UAC) by the Everyone principal (WorldSid, S-1-1-0), so that enumeration tools such as BloodHound or ADExplorer touching the decoy are logged.
3. **Set Up Initial Monitoring Queries:** Configure monitoring for Event ID 4625 (Failed Logon) events specifically targeting the decoy account's username to detect password spraying or credential stuffing attempts.
### Short-term Improvements (1-3 months)
1. **Configure SPN for Decoy:** Assign a Service Principal Name (SPN) to the decoy account to enable detection of Kerberoasting attacks targeting that service account.
2. **Monitor Kerberos Ticket Operations:** Build detection logic (e.g., using KQL) to monitor Event ID 4769 (Kerberos Service Ticket Request) events where the targeted Service Name matches the SPN set on the decoy account.
3. **Validate ObjectGUID Reliance:** Ensure log shipping and analysis tools correctly handle tracking activity via the target object's `ObjectGUID`, as many specific AD access events (like EID 4662) may not directly log the readable username.
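The decoy setup described in the two lists above (create the account, give it an SPN, audit reads of `userAccountControl`), as an added PowerShell example that is not from the BHIS post or the OTRF script. It assumes the ActiveDirectory module, an account allowed to modify the decoy's SACL, and the constructed names `decoy.svc`, `HTTP/decoy-srv01.doazlab.com` and `OU=Service Accounts,DC=doazlab,DC=com`; only the `doazlab.com` domain and the attribute GUID come from the page.

```powershell
# Added example (not from the BHIS post): create an AD decoy account, give it an SPN,
# and add a SACL entry so that successful reads of userAccountControl by Everyone are
# written to the Security log as EID 4662. Run on a domain-joined host with the
# ActiveDirectory module and rights to change the object's SACL.
# decoy.svc, decoy-srv01 and the OU below are constructed placeholders.
Import-Module ActiveDirectory

$DecoyName = 'decoy.svc'                                     # constructed sAMAccountName
$DecoySpn  = 'HTTP/decoy-srv01.doazlab.com'                  # constructed SPN, page's domain
$DecoyOu   = 'OU=Service Accounts,DC=doazlab,DC=com'         # constructed OU
$UacAttributeGuid = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of userAccountControl (from the page)

function New-RandomPassword {
    # 32 random bytes as Base64: long enough that a roasted ticket for this SPN is not crackable
    $bytes = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function New-DecoyAccount {
    param([string]$Name, [string]$Spn, [string]$Path)
    $user = New-ADUser -Name $Name -SamAccountName $Name -Path $Path `
        -AccountPassword (New-RandomPassword) -Enabled $true `
        -Description 'Service account' -PassThru              # description should look ordinary
    # The SPN is what makes the account a Kerberoasting target and therefore worth watching (EID 4769)
    Set-ADUser -Identity $user -ServicePrincipalNames @{ Add = $Spn }
    Get-ADUser -Identity $user -Properties ObjectGUID, ServicePrincipalNames
}

function Add-UacReadAudit {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User, [guid]$AttributeGuid)
    $path = "AD:\$($User.DistinguishedName)"
    $acl  = Get-Acl -Path $path -Audit
    # Everyone (WorldSid, S-1-1-0): any principal that reads this single attribute is audited
    $everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
    $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
        $everyone,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AuditFlags]::Success,
        $AttributeGuid)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    # Return what the detections will key on: EID 4662 names the object by GUID, not by UPN
    [pscustomobject]@{
        SamAccountName   = $User.SamAccountName
        ObjectGUID       = $User.ObjectGUID
        AuditedAttribute = $AttributeGuid
    }
}

$decoy = New-DecoyAccount -Name $DecoyName -Spn $DecoySpn -Path $DecoyOu
Add-UacReadAudit -User $decoy -AttributeGuid $UacAttributeGuid
```

The SACL entry only produces events if the "Directory Service Access" audit subcategory is enabled for success on the domain controllers (`auditpol /set /subcategory:"Directory Service Access" /success:enable`, or the equivalent advanced audit policy in GPO). Record the returned `ObjectGUID`; that value, not the username, is what appears in the 4662 events.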
### Long-term Strategy (3+ months)
1. **Implement Comprehensive Log Correlation:** Develop an integrated set of queries that correlate:
   * UAC attribute reads (EID 4662) on the decoy.
   * Kerberos ticket operations (EID 4769) against the decoy's SPN.
   * Failed logons (EID 4625) against the decoy account.
2. **Maintain Decoy Integrity:** Regularly review the decoy account's configuration (UAC audit rule set for Success, SPN still present) and confirm it remains in place without interfering with normal operations.
3. **Standardize Detection Response:** Establish clear, automated alerting thresholds based on the high-fidelity detections derived from the decoy account activity, ensuring security teams are immediately notified of triggered events.
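The correlation described in the long-term strategy above, as an added PowerShell example that is not code from the BHIS post. It parses Security-log event XML (the shape `Get-WinEvent` returns from `$event.ToXml()`) into flat objects and labels the three decoy signals; the decoy name, ObjectGUID, user names and IP addresses in the sample events are constructed, and the attribute GUID is the page's. It relies on 4662 naming the object by GUID and listing the attribute GUIDs read, 4769 carrying the service account's name in `ServiceName`, and 4625 carrying the attempted account in `TargetUserName`.

```powershell
# Added example (not from the BHIS post): flatten Security-log XML and flag the three decoy
# signals (EID 4662 UAC read, EID 4769 TGS request, EID 4625 failed logon).
# The decoy values and the sample events below are constructed placeholders.
$Decoy = [pscustomobject]@{
    SamAccountName = 'decoy.svc'                                    # constructed
    ObjectGUID     = [guid]'11111111-2222-3333-4444-555555555555'   # constructed; take it from Get-ADUser in production
}
$UacAttributeGuid = [guid]'bf967a68-0de6-11d0-a285-00aa003049e2'    # userAccountControl schemaIDGUID (from the page)

function ConvertFrom-SecurityEventXml {
    # Accepts the string from $event.ToXml() (Get-WinEvent) or the constructed samples below
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $x    = [xml]$Xml
        $idEl = $x.Event.System.EventID                       # string, or element with '#text' if it has attributes
        $o    = [ordered]@{
            EventID = [int]$(if ($idEl -is [string]) { $idEl } else { $idEl.'#text' })
            Time    = $x.Event.System.TimeCreated.SystemTime
        }
        foreach ($d in @($x.Event.EventData.Data)) { $o[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]$o
    }
}

function Find-DecoyActivity {
    param([Parameter(ValueFromPipeline)]$Event, [Parameter(Mandatory)]$Decoy, [Parameter(Mandatory)][guid]$UacAttributeGuid)
    process {
        $hit = switch ($Event.EventID) {
            4662 {  # object is named by GUID, never by UPN; Properties lists the attribute GUIDs read
                if ($Event.ObjectName -match $Decoy.ObjectGUID.Guid -and $Event.Properties -match $UacAttributeGuid.Guid) {
                    @{ Signal = 'Enumeration (UAC read)'; Actor = $Event.SubjectUserName; Detail = "mask=$($Event.AccessMask)" } } }
            4769 {  # ServiceName holds the service account's name, so compare it with the decoy's sAMAccountName
                if ($Event.ServiceName -ieq $Decoy.SamAccountName) {
                    @{ Signal = 'Kerberoasting (TGS for decoy)'; Actor = $Event.TargetUserName; Detail = "enc=$($Event.TicketEncryptionType) from $($Event.IpAddress)" } } }
            4625 {  # nobody should ever log on as the decoy, so one failure is already a signal
                if ($Event.TargetUserName -ieq $Decoy.SamAccountName) {
                    @{ Signal = 'Password guessing (failed logon)'; Actor = $Event.IpAddress; Detail = "status=$($Event.Status) type=$($Event.LogonType)" } } }
        }
        if ($hit) {
            [pscustomobject]@{ Time = $Event.Time; EventID = $Event.EventID; Signal = $hit.Signal; Actor = $hit.Actor; Detail = $hit.Detail }
        }
    }
}

function New-SampleEvent {
    # Builds a constructed event in the same XML layout as Get-WinEvent's ToXml() output
    param([int]$Id, [string]$Time, [System.Collections.IDictionary]$Data)
    $fields = ($Data.GetEnumerator() | ForEach-Object { "<Data Name=`"$($_.Key)`">$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID>" +
    "<TimeCreated SystemTime='$Time'/></System><EventData>$fields</EventData></Event>"
}

# Constructed samples: one of each decoy signal plus a benign 4769 for a real computer account
$samples = @(
    New-SampleEvent -Id 4662 -Time '2024-05-01T10:00:00Z' -Data @{ SubjectUserName = 'jdoe'; ObjectName = "%{$($Decoy.ObjectGUID)}"; AccessMask = '0x10'; Properties = "%%7688 {$UacAttributeGuid}" }
    New-SampleEvent -Id 4769 -Time '2024-05-01T10:00:05Z' -Data @{ TargetUserName = 'jdoe@DOAZLAB.COM'; ServiceName = 'decoy.svc'; TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.0.0.25'; Status = '0x0' }
    New-SampleEvent -Id 4769 -Time '2024-05-01T10:00:06Z' -Data @{ TargetUserName = 'jdoe@DOAZLAB.COM'; ServiceName = 'DC01$'; TicketEncryptionType = '0x12'; IpAddress = '::ffff:10.0.0.25'; Status = '0x0' }
    New-SampleEvent -Id 4625 -Time '2024-05-01T10:01:00Z' -Data @{ TargetUserName = 'decoy.svc'; IpAddress = '10.0.0.25'; Status = '0xC000006D'; SubStatus = '0xC000006A'; LogonType = '3' }
)

# Expected: three hits (4662, 4769 for decoy.svc, 4625); the DC01$ ticket request is ignored
$samples | ConvertFrom-SecurityEventXml | Find-DecoyActivity -Decoy $Decoy -UacAttributeGuid $UacAttributeGuid | Format-Table -AutoSize

# On a domain controller, replace $samples with live events, for example:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4662, 4769; StartTime = (Get-Date).AddHours(-1) } |
#       ForEach-Object { $_.ToXml() }
```

The 4662 match deliberately keys on the object GUID and the attribute GUID rather than on any readable name, which is the pitfall the page warns about; the same two checks translate directly into the SIEM query language once the events are shipped.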
## Implementation Guidance
### For Small Organizations
- **Focus on Simplicity:** Start by implementing the EID 4625 monitoring for newly created honey accounts, as this is often the easiest to set up and immediately provides a baseline for credential stuffing detection.
- **Use Built-in Tools:** Leverage PowerShell cmdlets (`New-ADUser`, `Set-ADAccountControl`, `Get-Acl`) directly from a domain-joined server for configuration, minimizing the need for complex external tooling initially.
### For Medium Organizations
- **Full Decoy Setup:** Implement the full lifecycle: decoy creation, UAC auditing via scripts (like OTRF's Set-AuditRule.ps1), and SPN assignment.
- **Log Source Integration:** Ensure event logs (Security and Directory Service event logs) containing EIDs 4625, 4662, and 4769 are being successfully shipped, normalized, and indexed in the SIEM/log analysis platform.
### For Large Enterprises
- **Automated Deployment:** Script the creation of multiple decoy accounts across different OUs and automate the `Set-AuditRule` configuration using existing configuration management or orchestration tools.
- **Advanced Query Tuning:** Refine KQL (or equivalent SIEM query language) logic to reduce false positives by excluding internal system processes that generate expected log noise, improving the signal-to-noise ratio of the decoy-based detections.
## Configuration Examples
| Action | Command/KQL Snippet (Conceptual) | Purpose |
| :--- | :--- | :--- |
| **List SPNs** | `setspn -T doazlab.com -Q */*` | Identify all discoverable service principals in the domain. |
| **Create Honey Account** | `New-ADUser -UserPrincipalName ricardo.beneficio@...` | Create the dedicated decoy user object. |
| **Enable UAC Audit** | Use `Set-AuditRule` targeting AttributeGUID `bf967a68-0de6-11d0-a285-00aa003049e2` for ReadProperty | Detect enumeration of the account's configuration. |
| **Detect Brute Force** | `SecurityEvent \| where EventID == 4625 \| where Account contains "ricardo.beneficio"` | Alert on repeated failed logins against the decoy. |
| **Detect Kerberoasting** | `SecurityEvent \| where EventID == 4769 \| parse EventData with * 'ServiceName">' ServiceName '<' * 'IpAddress">' SourceIP '<' * 'Status">' Status '<' * \| where ServiceName =~ "ricardo.beneficio"` | Query for ticket requests against the decoy's SPN. |
## Compliance Alignment
While the context focuses on detection engineering, these security monitoring practices support compliance with:
- **NIST SP 800-53:** AC-2 (Account Management), AU-2 (Auditing and Accountability), AT-2 (Vulnerability Scanning/Monitoring).
- **ISO/IEC 27001:** A.12.4 (Logging and monitoring).
- **CIS Benchmarks:** Specific controls related to monitoring authentication events and privileged account usage.
## Common Pitfalls to Avoid
- **Relying Solely on User Principal Name (UPN) in EID 4662:** Be aware that many specific AD audit events rely on the `ObjectGUID`. Attempting to search only by the readable username will result in missed alerts.
- **Ignoring Noise:** If the audit configuration is too broad (e.g., auditing all attribute reads for all users without filtering), the resulting log volume will overwhelm monitoring capabilities, rendering the detection unusable.
- **Failing to Monitor Decoy Integrity:** If the decoy account is accidentally used for legitimate tasks, or its audit configurations are removed, the implemented detections will fail in production.
## Resources
- Microsoft Documentation on UserAccountControl (UAC) manipulation.
- OTRF Set-AuditRule.ps1 script (used for setting granular AD audit rules).
- Azure ARM template deployment resources (if using Azure labs for testing).