SECURITY

Active Directory Discovery Detection: Threat Research Release, September 2021

By Splunk Threat Research Team October 04, 2021

The Splunk threat research team recently developed a new analytic story to help security operations center (SOC) analysts detect adversaries executing discovery and reconnaissance tasks within Active Directory environments. In this blog post, we’ll walk you through this analytic story, demonstrate how we can simulate these attacks using PoshC2 & PurpleSharp to then collect and analyze the resulting telemetry to test our detections.

Watch the video below to see a demo on how we can simulate and detect Active Directory discovery techniques in a lab environment built with the Splunk Attack Range.

When adversaries obtain an initial foothold in an Active Directory network via a phishing email or a server-side exploit, they find themselves controlling an endpoint in a network they know nothing about. Thus, the next required step is to engage the environment by executing reconnaissance activities before deciding how to act next. The MITRE ATT&CK Discovery (TA0007) tactic consists of the techniques an adversary leverages to gain knowledge and gain situational awareness on a target network.

Active Directory contains a wealth of information invaluable for an adversary surveying a network. A commonly unknown fact is that most of this information can be queried and read without any special privileges in a Windows domain. A standard, unprivileged, compromised domain user (including a Computer account!) can engage Active Directory and obtain information like privileged and regular users, computers, groups and memberships, database instances, domain trusts, network shares, etc.

Open source threat intelligence reports, such as the DFIR Report, provide defenders with great insight on how threat actors execute these discovery techniques in Active Directory environments while leveraging Windows native command-line tools. In addition, the recently leaked Conti Ransomware gang playbook, essentially a hacking guide the Conti gang shared with its affiliates, also highlights the focus and effort put in by human-operated ransomware gangs into Active Directory discovery activities.

There are multiple approaches that rely on different data sources to detect this behavior. For this release, we wanted to provide coverage to identify discovery activities when adversaries leverage living off the land binaries and the PowerShell scripting language. Thus, we focused on the following data sources:

Process Execution & Command Line Logging - Windows Security Event Id 4688, Sysmon, or any CIM compliant EDR technology.
PowerShell Script Block Logging - Microsoft-Windows-PowerShell/Operational Event Id 4104. More information and extra content using this data source can be found on our recent blog post “Hunting for Malicious PowerShell using Script Block Logging”

Specifically, the new Analytic Story introduces 74 new detection analytics across 9 ATT&CK MITRE discovery techniques. We took each technique and tried to identify different ways a threat actor may execute it. Our goal with developing several detections for each technique is to maximize detection coverage and obtain resilience against these variations. As an example, an adversary may be able to leverage the following variations to enumerate groups in a Windows domain (T1069.002) (all detected in this release):

net group /domain
net group ‘domain admins’ /domain
dsquery group
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value
Get-AdGroup -Filter *
Get-Wmiobject -class ds_group -namespace root\directory\ldap
([adsisearcher]"(&(objectcategory=group))").findAll()
Get-DomainGroup
Get-DomainGroupMember -Name "Domain Admins"

Cyber defenders can implement the released analytics for real-time security monitoring and hypothesis-driven threat hunting exercises. We are also releasing the datasets generated by executing these techniques as part of the Attack Data repository. The ATT&CK techniques in scope include:

T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1482 - Domain Trust Discovery
T1018 - Remote System Discovery
T1201 - Password Policy Discovery
T1069.001 - Permission Groups Discovery: Local Groups
T1069.002 Permission Groups Discovery: Domain Groups
T1049 - System Network Connections Discovery
T1033 - System Owner/User Discovery

Detection analytics that leverage the Process & Command line and PowerShell Script Block data sources provide coverage against the recent human-operated ransomware discovery techniques. However, threat actors who care about operational security may interact with Active Directory from a compromised endpoint without starting a new process nor using powershell. Additionally, detecting the abuse of native libraries and the LDAP protocol will require monitoring additional data sources like network or application telemetry, which we intend to cover in future releases.

Why Should You Care About Active Directory Discovery?

After adversaries obtain an initial foothold in Active Directory networks, their next step in most scenarios will be to engage in discovery & reconnaissance techniques. Defenders must have appropriate detections in place to prevent adversaries in achieving their goal. Monitoring and responding to Discovery techniques enables security operation teams to identify the early stages of an attack and prevent adversaries from achieving their objectives.

Detections

The “Active Directory Discovery” analytic story includes the following detection analytics. You may use these detection analytics to hunt for potential active directory discovery behavior. Some of them can be used in real-time monitoring while others are better suited for threat hunting exercises.

Name	Technique ID	Tactic	Description
Local Account Discovery With Net	T1087.001	Discovery	This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and 'users', return a list of all local users.
Local Account Discovery With Wmic	T1087.001	Discovery	This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users.
GetLocalUser with PowerShell Script Block	T1087.001	Discovery	The following analytic utilize PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users.
GetLocalUser with PowerShell	T1087.001	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users.
GetWmiObject User Account with PowerShell Script Block	T1087.001	Discovery	The following analytic utilize PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users/
GetWmiObject User Account with PowerShell	T1087.001	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users.
Domain Account Discovery with Net	T1087.002	Discovery	This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users.
Domain Account Discovery with Dsquery	T1087.002	Discovery	This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users.
Domain Account Discovery with Wmic	T1087.002	Discovery	This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain users.
AdsiSearcher Account Discovery	T1087.002	Discovery	The following analytic utilize PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups.
GetWmiObject DS_User with PowerShell Script Block	T1087.002	Discovery	The following analytic utilize PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users.
GetWmiObject DS_User with PowerShell	T1087.002	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain.
Get-ADUser with PowerShell Script Block	T1087.002	Discovery	The following analytic utilize PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users.
Get-ADUser with PowerShell	T1087.002	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns a list of all domain users.
Get-DomainUser with PowerShell Script Block	T1087.002	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains.
Get-DomainUser with PowerShell	T1087.002	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains.
NLTest Domain Trust Discovery	T1482	Discovery	This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains.
DSQuery Domain Discovery	T1482	Discovery	The following analytic identifies "dsquery.exe" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary performing domain trust discovery.
Get-DomainTrust with PowerShell Script Block	T1482	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information.
Get-DomainTrust with PowerShell	T1482	Discovery	This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information.
Get-ForestTrust with PowerShell Script Block	T1482	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information.
Get-ForestTrust with PowerShell	T1482	Discovery	This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information.
Remote System Discovery with Net	T1018	Discovery	This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain` computers /domain` returns a list of all domain computers.
Domain Controller Discovery with Nltest	T1018	Discovery	This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers.
Remote System Discovery with Dsquery	T1018	Discovery	This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain.
Domain Controller Discovery with Wmic	T1018	Discovery	This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain.
Remote System Discovery with Wmic	T1018	Discovery	This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain.
GetAdComputer with PowerShell Script Block	T1018	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain computers.
GetAdComputer with PowerShell	T1018	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns a list of all domain computers.
GetWmiObject Ds Computer with PowerShell Script Block	T1018	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers.
GetWmiObject Ds Computer with PowerShell	T1018	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers.
Remote System Discovery with Adsisearcher	T1018	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers.
GetDomainComputer with PowerShell Script Block	T1018	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains.
GetDomainComputer with PowerShell	T1018	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains.
GetDomainController with PowerShell Script Block	T1018	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains.
GetDomainController with PowerShell	T1018	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains.
Password Policy Discovery with Net	T1201	Discovery	This analytic looks for the execution of `net.exe` or `net1.exe` with command line arguments used to obtain the domain password policy.
Get ADDefaultDomainPasswordPolicy with Powershell Script Block	T1201	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain.
Get ADDefaultDomainPasswordPolicy with Powershell	T1201	Discovery	This analytic looks for the execution of `powershell.exe` executing the Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy in a Windows domain.
Get ADUserResultantPasswordPolicy with Powershell Script Block	T1201	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain.
Get ADUserResultantPasswordPolicy with Powershell	T1201	Discovery	This analytic looks for the execution of `powershell.exe` executing the `Get ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain.
Get DomainPolicy with Powershell Script Block	T1201	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain.
Get DomainPolicy with Powershell	T1201	Discovery	This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain.
Net Localgroup Discovery	T1069.001	Discovery	The following hunting analytic will identify the use of localgroup discovery using `net localgroup`. During triage, review parallel processes and identify any further suspicious behavior.
Wmic Group Discovery	T1069.001	Discovery	The following hunting analytic identifies the use of `wmic.exe` enumerating local groups on the endpoint. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username.
Powershell Get LocalGroup Discovery with Script Block Logging	T1069.001	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies PowerShell cmdlet - `get-localgroup` being run. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username.
PowerShell Get LocalGroup Discovery	T1069.001	Discovery	The following hunting analytic identifies the use of `get-localgroup` being used with PowerShell to identify local groups on the endpoint. During triage, review parallel processes and identify any further suspicious behavior.
Get WMIObject Group Discovery with Script Block Logging	T1069.001	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies the usage of Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint.
Get WMIObject Group Discovery	T1069.001	Discovery	The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \ Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username.
Domain Group Discovery With Net	T1069.002	Discovery	This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups.
Elevated Group Discovery With Net	T1069.002	Discovery	This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups.
Domain Group Discovery With Wmic	T1069.002	Discovery	This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups.
Domain Group Discovery With Dsquery	T1069.002	Discovery	This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group`, returns a list of all domain groups.
Elevated Group Discovery With Wmic	T1069.002	Discovery	This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups.
Get-AdGroup with PowerShell Script Block	T1069.002	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups.
Get-AdGroup with PowerShell	T1069.002	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlet is used to return a list of all groups available in a Windows Domain.
GetWmiObject Ds Group with PowerShell Script Block	T1069.002	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `DS_Group` parameter leverages WMI to query for all domain groups.
GetWmiObject Ds Group with PowerShell	T1069.002	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain.
Domain Group Discovery with Adsisearcher	T1069.002	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups.
GetDomainGroup with PowerShell Script Block	T1069.002	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains.
GetDomainGroup with PowerShell	T1069.002	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains.
Elevated Group Discovery with PowerView	T1069.002	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains.
Network Connection Discovery With Net	T1049	Discovery	This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system.
Network Connection Discovery With Arp	T1049	Discovery	This analytic looks for the execution of `arp.exe` utilized to get a listing of network connections on a compromised system.
Network Connection Discovery With Netstat	T1049	Discovery	This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system.
GetNetTcpconnection with PowerShell Script Block	T1049	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet is used to return a listing of network connections on a compromised system.
GetNetTcpconnection with PowerShell	T1049	Discovery	This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections.
System User Discovery With Whoami	T1033	Discovery	This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user.
System User Discovery With Query	T1033	Discovery	This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user.
User Discovery With Env Vars PowerShell Script Block	T1033	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user.
User Discovery With Env Vars PowerShell	T1033	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the current logged user.
GetCurrent User with PowerShell Script Block	T1033	Discovery	The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user.
GetCurrent User with PowerShell	T1033	Discovery	This analytic looks for the execution of `powershell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user.

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank Mauricio Velazco, Michael Haag, and Teoderick Contreras for their contributions to this post and the “Active Directory Discovery” analytic story.

Posted by

Splunk Threat Research Team

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.