Active Directory Discovery Detection: Threat Research Release, September 2021
The Splunk threat research team recently developed a new analytic story to help security operations center (SOC) analysts detect adversaries executing discovery and reconnaissance tasks within Active Directory environments. In this blog post, we’ll walk you through this analytic story, demonstrate how to simulate these attacks using PoshC2 and PurpleSharp, and then collect and analyze the resulting telemetry to test our detections.
Watch the video below to see a demo on how we can simulate and detect Active Directory discovery techniques in a lab environment built with the Splunk Attack Range.
When adversaries obtain an initial foothold in an Active Directory network via a phishing email or a server-side exploit, they find themselves controlling an endpoint in a network they know nothing about. Thus, the next required step is to engage the environment by executing reconnaissance activities before deciding how to act next. The MITRE ATT&CK Discovery (TA0007) tactic consists of the techniques an adversary leverages to gain knowledge and gain situational awareness on a target network.
Active Directory contains a wealth of information that is invaluable for an adversary surveying a network. A fact that is often overlooked is that most of this information can be queried and read without any special privileges in a Windows domain. A standard, unprivileged, compromised domain user (including a computer account!) can query Active Directory and obtain information such as privileged and regular users, computers, groups and memberships, database instances, domain trusts, network shares, etc.
Open source threat intelligence reports, such as the DFIR Report, provide defenders with great insight on how threat actors execute these discovery techniques in Active Directory environments while leveraging Windows native command-line tools. In addition, the recently leaked Conti Ransomware gang playbook, essentially a hacking guide the Conti gang shared with its affiliates, also highlights the focus and effort put in by human-operated ransomware gangs into Active Directory discovery activities.
There are multiple approaches that rely on different data sources to detect this behavior. For this release, we wanted to provide coverage to identify discovery activities when adversaries leverage living off the land binaries and the PowerShell scripting language. Thus, we focused on the following data sources:
- Process Execution & Command Line Logging - Windows Security Event Id 4688, Sysmon, or any CIM compliant EDR technology.
- PowerShell Script Block Logging - Microsoft-Windows-PowerShell/Operational Event Id 4104. More information and extra content using this data source can be found in our recent blog post “Hunting for Malicious PowerShell using Script Block Logging”.
Specifically, the new Analytic Story introduces 74 new detection analytics across 9 MITRE ATT&CK discovery techniques. We took each technique and tried to identify the different ways a threat actor may execute it. Our goal in developing several detections for each technique is to maximize detection coverage and obtain resilience against these variations. As an example, an adversary may be able to leverage the following variations to enumerate groups in a Windows domain (T1069.002), all of which are detected in this release:
- `net group /domain`
- `net group "domain admins" /domain`
- `dsquery group`
- `wmic /NAMESPACE:\\root\directory\ldap PATH ds_group`
- `wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value`
- `Get-AdGroup -Filter *`
- `Get-Wmiobject -class ds_group -namespace root\directory\ldap`
- `([adsisearcher]"(&(objectcategory=group))").findAll()`
- `Get-DomainGroup`
- `Get-DomainGroupMember -Name "Domain Admins"`
Cyber defenders can implement the released analytics for real-time security monitoring and hypothesis-driven threat hunting exercises. We are also releasing the datasets generated by executing these techniques as part of the Attack Data repository. The ATT&CK techniques in scope include:
- T1087.002 - Account Discovery: Domain Account
- T1482 - Domain Trust Discovery
- T1018 - Remote System Discovery
- T1201 - Password Policy Discovery
- T1069.001 - Permission Groups Discovery: Local Groups
- T1069.002 - Permission Groups Discovery: Domain Groups
- T1049 - System Network Connections Discovery
- T1033 - System Owner/User Discovery
Detection analytics that leverage the Process & Command Line and PowerShell Script Block data sources provide coverage against the discovery techniques used in recent human-operated ransomware intrusions. However, threat actors who care about operational security may interact with Active Directory from a compromised endpoint without starting a new process or using PowerShell. Detecting the abuse of native libraries and the LDAP protocol will require monitoring additional data sources, such as network or application telemetry, which we intend to cover in future releases.
Why Should You Care About Active Directory Discovery?
After adversaries obtain an initial foothold in an Active Directory network, their next step in most scenarios will be to engage in discovery and reconnaissance techniques. Defenders must have appropriate detections in place to stop adversaries from achieving their goals. Monitoring and responding to Discovery techniques enables security operations teams to identify the early stages of an attack and prevent adversaries from achieving their objectives.
Detections
The “Active Directory Discovery” analytic story includes the following detection analytics. You may use these detection analytics to hunt for potential Active Directory discovery behavior. Some of them can be used in real-time monitoring, while others are better suited for threat hunting exercises.
- The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` class is used to return a list of all local users.
- This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users.
- The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains.
- The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain.
- This analytic looks for the execution of `powershell.exe` executing the `Get-ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain.
- This analytic looks for the execution of `powershell.exe` executing the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain.
- This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain.
- This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains.
Learn More
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.
For a full list of security content, check out the release notes on Splunk Docs.
Feedback
Any feedback or requests? Feel free to open an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.
Contributors
We would like to thank Mauricio Velazco, Michael Haag, and Teoderick Contreras for their contributions to this post and the “Active Directory Discovery” analytic story.