| property | value |
| --- | --- |
| tags | active-directory, hunt-pipeline-2023, pkm-pocket-pipeline, threat-hunting, threat-hunting-ideas |
| url | |
| original_word_count | 1061 |
Article Excerpt
What is this article about? Showing attacks, compromising domain controllers or even introducing and showing hacking tools? NO. It is about giving you a jump start on how to gather targeted information about attacks and threats in your Active Directory.
Long Summary
This article gives an overview of the relevant Windows event IDs and best practices for Microsoft Active Directory security. It starts with the importance of extended logging on domain controllers and the use of a SIEM (Security Information and Event Management) tool. It then discusses individual event IDs, such as 4769, 4624, 4611, 4673, and 4675, and how to search for attacks involving user accounts used as service accounts, logons from remote systems, and accounts that are marked sensitive and cannot be delegated. It also covers the AdminSDHolder object, the SDProp process, and the GenericAll access right.
The article then provides pictures to illustrate the "Dom" user account, which has no elevated privileges but holds a "GenericAll" right. It also explains how users are given access to Group Policy Objects and how to assess insecure SID History attributes. It then discusses DCSync, a legitimate Active Directory replication feature, and Event ID 4662. Finally, it advises on how to identify domain controller synchronization and verify that it is only executed between known domain controllers.
In conclusion, the article summarises the relevant event IDs and best practices: service accounts, logons from remote systems, the AdminSDHolder object, the SDProp process, GenericAll access rights, Group Policy Objects, SID History, DCSync, and Event ID 4662, together with advice on confirming that directory synchronization only takes place between known domain controllers. It gives a solid foundation for anyone looking to secure an Active Directory environment.
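The DCSync point made in the summary (and repeated in the short summary below) is that directory replication is legitimate between domain controllers and suspicious from anywhere else, and that Event ID 4662 is where it surfaces. The following Python is an added example, not code from the Microsoft Tech Community article; it runs a hunt over constructed 4662 records and flags replication requests from accounts that are not known domain controllers. The DC names, the domain DN and the sync service account name are assumptions; the three extended-right GUIDs are the well-known values for DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set.

```python
"""Hunt for DCSync-style replication requests in Windows Security event 4662.

Added example; all events, account names and DNs below are constructed.
"""
import re
from dataclasses import dataclass

# Well-known extended-right GUIDs that authorise directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RE = re.compile(
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})", re.IGNORECASE
)

# Assumed allow-list: the domain's DC computer accounts plus the one directory
# synchronisation service account that is expected to replicate secrets.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}
KNOWN_SYNC_ACCOUNTS = {"MSOL_0123456789ab"}  # constructed placeholder name


@dataclass(frozen=True)
class Alert:
    record_id: int
    account: str
    rights: tuple
    object_name: str


def replication_rights(properties: str) -> tuple:
    """Names of replication extended rights found in a 4662 'Properties' field."""
    found = []
    for guid in GUID_RE.findall(properties):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name and name not in found:
            found.append(name)
    return tuple(found)


def is_expected_replicator(account: str) -> bool:
    """True for accounts that are allowed to pull replication data."""
    return account in KNOWN_DC_ACCOUNTS or account in KNOWN_SYNC_ACCOUNTS


def hunt_dcsync(events) -> list:
    """Return an Alert for every 4662 replication request by a non-DC account."""
    alerts = []
    for ev in events:
        # Only directory-service object access events carry these rights.
        if ev.get("EventID") != 4662 or ev.get("ObjectServer") != "DS":
            continue
        rights = replication_rights(ev.get("Properties", ""))
        if not rights:
            continue  # some other DS access, not replication
        if is_expected_replicator(ev["SubjectUserName"]):
            continue  # normal DC-to-DC or sync-service replication
        alerts.append(Alert(ev["RecordId"], ev["SubjectUserName"], rights,
                            ev.get("ObjectName", "")))
    return alerts


# Constructed sample records, reduced to the 4662 fields the hunt needs.
DOMAIN_DN = "DC=contoso,DC=local"  # assumed domain
SAMPLE_EVENTS = [
    {"RecordId": 1001, "EventID": 4662, "ObjectServer": "DS",
     "SubjectUserName": "DC02$", "ObjectName": DOMAIN_DN,
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordId": 1002, "EventID": 4662, "ObjectServer": "DS",
     "SubjectUserName": "jsmith", "ObjectName": DOMAIN_DN,
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n"
                   "\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordId": 1003, "EventID": 4662, "ObjectServer": "DS",
     "SubjectUserName": "MSOL_0123456789ab", "ObjectName": DOMAIN_DN,
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordId": 1004, "EventID": 4662, "ObjectServer": "DS",
     "SubjectUserName": "jsmith", "ObjectName": "CN=Users," + DOMAIN_DN,
     "Properties": "Read Property\n\t{deadbeef-0000-0000-0000-000000000000}"},
    {"RecordId": 1005, "EventID": 4624, "ObjectServer": "",
     "SubjectUserName": "jsmith", "Properties": ""},
]

if __name__ == "__main__":
    for a in hunt_dcsync(SAMPLE_EVENTS):
        print(f"record {a.record_id}: {a.account} requested {', '.join(a.rights)} "
              f"on {a.object_name}")
```

Two caveats when running this against real data: 4662 is only written when the Directory Service Access audit subcategory is enabled and the domain object's SACL audits these control-access rights, which is why the article stresses extended logging first; and the allow-list must include every account that legitimately replicates (directory-synchronisation services such as Azure AD Connect do), otherwise the hunt drowns in expected hits. Of the three rights, DS-Replication-Get-Changes-All is the one that returns secrets, so an alert carrying that right deserves priority.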
Short Summary
Advanced threat hunting within Active Directory Domain Services - Knowledge is power!
- What is this article about? Showing attacks, compromising domain controllers or even introducing and showing hacking tools? NO. It is about giving you a jump start on how to gather targeted information about attacks and threats in your Active Directory.
- Comprehensive overview of Event IDs and best practices for Active Directory security
- Importance of extended logging and a SIEM tool for domain controllers
- Different Event IDs to search for attacks and sensitive accounts
- AdminSDHolder object and GenericAll access rights explained
- Pictures illustrating the "Dom" user account and unsecure SID History attributes assessment
- Giving users access to Group Policy Objects
- Legitimate Active Directory feature DCSync and Event ID 4662 discussed
- Ensuring domain controller synchronization is only executed between known domain controllers
- Solid foundation for securing an Active Directory environment
- Essential information for those concerned with Active Directory security
source link: https://techcommunity.microsoft.com/t5/windows-server-for-it-pro/advanced-threat-hunting-within-active-directory-domain-services/td-p/3820214
summarized content: https://hut.threathunterz.com/battlefield-intel/articles-and-reports/advanced-threat-hunting-within-active-directory-domain-services-knowledge-is-power
#ADSecurity #EventIDs #SIEM #AccessRights #DCSync