Digital Resilience Pays Off
How resilient is your organization? Learn how to mature your digital resilience with this free guide.
Active Directory Discovery Detection: Threat Research Release, September 2021
The Splunk threat research team recently developed a new analytic story to help security operations center (SOC) analysts detect adversaries executing discovery and reconnaissance tasks within Active Directory environments. In this blog post, we’ll walk you through this analytic story, demonstrate how we can simulate these attacks using PoshC2 & PurpleSharp to then collect and analyze the resulting telemetry to test our detections.
Watch the video below to see a demo on how we can simulate and detect Active Directory discovery techniques in a lab environment built with the Splunk Attack Range.
When adversaries obtain an initial foothold in an Active Directory network via a phishing email or a server-side exploit, they find themselves controlling an endpoint in a network they know nothing about. Thus, the next required step is to engage the environment by executing reconnaissance activities before deciding how to act next. The MITRE ATT&CK Discovery (TA0007) tactic consists of the techniques an adversary leverages to gain knowledge and gain situational awareness on a target network.
Active Directory contains a wealth of information invaluable for an adversary surveying a network. A commonly unknown fact is that most of this information can be queried and read without any special privileges in a Windows domain. A standard, unprivileged, compromised domain user (including a Computer account!) can engage Active Directory and obtain information like privileged and regular users, computers, groups and memberships, database instances, domain trusts, network shares, etc.
Open source threat intelligence reports, such as the DFIR Report, provide defenders with great insight on how threat actors execute these discovery techniques in Active Directory environments while leveraging Windows native command-line tools. In addition, the recently leaked Conti Ransomware gang playbook, essentially a hacking guide the Conti gang shared with its affiliates, also highlights the focus and effort put in by human-operated ransomware gangs into Active Directory discovery activities.
There are multiple approaches that rely on different data sources to detect this behavior. For this release, we wanted to provide coverage to identify discovery activities when adversaries leverage living off the land binaries and the PowerShell scripting language. Thus, we focused on the following data sources:
- Process Execution & Command Line Logging - Windows Security Event Id 4688, Sysmon, or any CIM compliant EDR technology.
- PowerShell Script Block Logging - Microsoft-Windows-PowerShell/Operational Event Id 4104. More information and extra content using this data source can be found on our recent blog post “Hunting for Malicious PowerShell using Script Block Logging”
Specifically, the new Analytic Story introduces 74 new detection analytics across 9 ATT&CK MITRE discovery techniques. We took each technique and tried to identify different ways a threat actor may execute it. Our goal with developing several detections for each technique is to maximize detection coverage and obtain resilience against these variations. As an example, an adversary may be able to leverage the following variations to enumerate groups in a Windows domain (T1069.002) (all detected in this release):
net group /domain net group ‘domain admins’ /domain dsquery group wmic /NAMESPACE:\\root\directory\ldap PATH ds_group wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value Get-AdGroup -Filter * Get-Wmiobject -class ds_group -namespace root\directory\ldap ([adsisearcher]"(&(objectcategory=group))").findAll() Get-DomainGroup Get-DomainGroupMember -Name "Domain Admins"
Cyber defenders can implement the released analytics for real-time security monitoring and hypothesis-driven threat hunting exercises. We are also releasing the datasets generated by executing these techniques as part of the Attack Data repository. The ATT&CK techniques in scope include:
| T1087.001 - Account Discovery: Local Account T1087.002 - Account Discovery: Domain Account T1482 - Domain Trust Discovery T1018 - Remote System Discovery T1201 - Password Policy Discovery T1069.001 - Permission Groups Discovery: Local Groups T1069.002 Permission Groups Discovery: Domain Groups T1049 - System Network Connections Discovery T1033 - System Owner/User Discovery |
Detection analytics that leverage the Process & Command line and PowerShell Script Block data sources provide coverage against the recent human-operated ransomware discovery techniques. However, threat actors who care about operational security may interact with Active Directory from a compromised endpoint without starting a new process nor using powershell. Additionally, detecting the abuse of native libraries and the LDAP protocol will require monitoring additional data sources like network or application telemetry, which we intend to cover in future releases.
Why Should You Care About Active Directory Discovery?
After adversaries obtain an initial foothold in Active Directory networks, their next step in most scenarios will be to engage in discovery & reconnaissance techniques. Defenders must have appropriate detections in place to prevent adversaries in achieving their goal. Monitoring and responding to Discovery techniques enables security operation teams to identify the early stages of an attack and prevent adversaries from achieving their objectives.
Detections
The “Active Directory Discovery” analytic story includes the following detection analytics. You may use these detection analytics to hunt for potential active directory discovery behavior. Some of them can be used in real-time monitoring while others are better suited for threat hunting exercises.
Name | Technique ID | Tactic | Description |
T1087.001 | Discovery | This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. The two arguments `user` and 'users', return a list of all local users. | |
T1087.001 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for local users. The argument `useraccount` is used to leverage WMI to return a list of all local users. | |
T1087.001 | Discovery | The following analytic utilize PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-LocalUser` commandlet. The `Get-LocalUser` commandlet is used to return a list of all local users. | |
T1087.001 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for local users. The `Get-LocalUser` commandlet is used to return a list of all local users. | |
T1087.001 | Discovery | The following analytic utilize PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `Win32_UserAccount` parameter is used to return a list of all local users/ | |
T1087.001 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query local users. The `Get-WmiObject` commandlet combined with the `Win32_UserAccount` parameter is used to return a list of all local users. | |
T1087.002 | Discovery | This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for local users. | |
T1087.002 | Discovery | This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover domain users. | |
T1087.002 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain users. | |
T1087.002 | Discovery | The following analytic utilize PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. | |
T1087.002 | Discovery | The following analytic utilize PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet. The `DS_User` class parameter leverages WMI to query for all domain users. | |
T1087.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain users. The `Get-WmiObject` commandlet combined with the `-class ds_user` parameter can be used to return the full list of users in a Windows domain. | |
T1087.002 | Discovery | The following analytic utilize PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-AdGUser` commandlet. The `Get-AdUser` commandlet is used to return a list of all domain users. | |
T1087.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. The `Get-AdUser' commandlet returns a list of all domain users. | |
T1087.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainUser` commandlet. `GetDomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. | |
T1087.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to enumerate domain users. `Get-DomainUser` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. | |
T1482 | Discovery | This search looks for the execution of `nltest.exe` with command-line arguments utilized to query for Domain Trust information. Two arguments `/domain trusts`, returns a list of trusted domains, and `/all_trusts`, returns all trusted domains. | |
T1482 | Discovery | The following analytic identifies "dsquery.exe" execution with arguments looking for `TrustedDomain` query directly on the command-line. This is typically indicative of an Administrator or adversary performing domain trust discovery. | |
T1482 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. | |
T1482 | Discovery | This analytic identifies Get-DomainTrust from PowerView in order to gather domain trust information. | |
T1482 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. | |
T1482 | Discovery | This analytic identifies Get-ForestTrust from PowerSploit in order to gather domain trust information. | |
T1018 | Discovery | This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to discover remote systems. The argument `domain` computers /domain` returns a list of all domain computers. | |
T1018 | Discovery | This analytic looks for the execution of `nltest.exe` with command-line arguments utilized to discover remote systems. The arguments `/dclist:` and '/dsgetdc:', can be used to return a list of all domain controllers. | |
T1018 | Discovery | This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to discover remote systems. The `computer` argument returns a list of all computers registered in the domain. | |
T1018 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command line return a list of all domain controllers in a Windows domain. | |
T1018 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to discover remote systems. The arguments utilized in this command return a list of all the systems registered in the domain. | |
T1018 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain computers. | |
T1018 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-AdComputer' commandlet returns a list of all domain computers. | |
T1018 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-WmiObject` commandlet. The `DS_Computer` class parameter leverages WMI to query for all domain computers. | |
T1018 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. The `Get-WmiObject` commandlet combined with the `DS_Computer` parameter can be used to return a list of all domain computers. | |
T1018 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain computers. | |
T1018 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-DomainComputer` commandlet. `GetDomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. | |
T1018 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainComputer` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. | |
T1018 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-DomainController` commandlet. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. | |
T1018 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to discover remote systems. `Get-DomainController` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. | |
T1201 | Discovery | This analytic looks for the execution of `net.exe` or `net1.exe` with command line arguments used to obtain the domain password policy. | |
Get ADDefaultDomainPasswordPolicy with Powershell Script Block | T1201 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `ADDefaultDomainPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. |
T1201 | Discovery | This analytic looks for the execution of `powershell.exe` executing the Get-ADDefaultDomainPasswordPolicy commandlet used to obtain the password policy in a Windows domain. | |
Get ADUserResultantPasswordPolicy with Powershell Script Block | T1201 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. |
T1201 | Discovery | This analytic looks for the execution of `powershell.exe` executing the `Get ADUserResultantPasswordPolicy` commandlet used to obtain the password policy in a Windows domain. | |
T1201 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. | |
T1201 | Discovery | This analytic looks for the execution of `powershell.exe` executing the `Get-DomainPolicy` commandlet used to obtain the password policy in a Windows domain. | |
T1069.001 | Discovery | The following hunting analytic will identify the use of localgroup discovery using `net localgroup`. During triage, review parallel processes and identify any further suspicious behavior. | |
T1069.001 | Discovery | The following hunting analytic identifies the use of `wmic.exe` enumerating local groups on the endpoint. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. | |
Powershell Get LocalGroup Discovery with Script Block Logging | T1069.001 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies PowerShell cmdlet - `get-localgroup` being run. Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. |
T1069.001 | Discovery | The following hunting analytic identifies the use of `get-localgroup` being used with PowerShell to identify local groups on the endpoint. During triage, review parallel processes and identify any further suspicious behavior. | |
T1069.001 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify suspicious PowerShell execution. This analytic identifies the usage of Get-WMIObject Win32_Group`, which is typically used as a way to identify groups on the endpoint. | |
T1069.001 | Discovery | The following hunting analytic identifies the use of `Get-WMIObject Win32_Group` being used with PowerShell to identify local groups on the endpoint. \ Typically, by itself, is not malicious but may raise suspicion based on time of day, endpoint and username. | |
T1069.002 | Discovery | This analytic looks for the execution of `net.exe` with command-line arguments utilized to query for domain groups. The argument `group /domain`, returns a list of all domain groups. | |
T1069.002 | Discovery | This analytic looks for the execution of `net.exe` or `net1.exe` with command-line arguments utilized to query for specific elevated domain groups. | |
T1069.002 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for domain groups. The arguments utilized in this command return a list of all domain groups. | |
T1069.002 | Discovery | This analytic looks for the execution of `dsquery.exe` with command-line arguments utilized to query for domain groups. The argument `group`, returns a list of all domain groups. | |
T1069.002 | Discovery | This analytic looks for the execution of `wmic.exe` with command-line arguments utilized to query for specific domain groups. | |
T1069.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-AdGroup` commandlet. The `Get-AdGroup` commandlet is used to return a list of all domain groups. | |
T1069.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-AdGroup` commandlet is used to return a list of all groups available in a Windows Domain. | |
T1069.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-WmiObject` commandlet used with specific parameters. The `DS_Group` parameter leverages WMI to query for all domain groups. | |
T1069.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. The `Get-WmiObject` commandlet combined with the `-class ds_group` parameter can be used to return the full list of groups in a Windows domain. | |
T1069.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the `[Adsisearcher]` type accelerator being used to query Active Directory for domain groups. | |
T1069.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroup` commandlet. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. | |
T1069.002 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments utilized to query for domain groups. `Get-DomainGroup` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. | |
T1069.002 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-DomainGroupMember` commandlet. `Get-DomainGroupMember` is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. | |
T1049 | Discovery | This analytic looks for the execution of `net.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. | |
T1049 | Discovery | This analytic looks for the execution of `arp.exe` utilized to get a listing of network connections on a compromised system. | |
T1049 | Discovery | This analytic looks for the execution of `netstat.exe` with command-line arguments utilized to get a listing of network connections on a compromised system. | |
T1049 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `Get-NetTcpconnection ` commandlet. This commandlet is used to return a listing of network connections on a compromised system. | |
T1049 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line utilized to get a listing of network connections on a compromised system. The `Get-NetTcpConnection` commandlet lists the current TCP connections. | |
T1033 | Discovery | This analytic looks for the execution of `whoami.exe` without any arguments. This windows native binary prints out the current logged user. | |
T1033 | Discovery | This analytic looks for the execution of `query.exe` with command-line arguments utilized to discover the logged user. | |
T1033 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user. | |
T1033 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments that leverage PowerShell environment variables to identify the current logged user. | |
T1033 | Discovery | The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. | |
T1033 | Discovery | This analytic looks for the execution of `powershell.exe` with command-line arguments that execute the `GetCurrent` method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. |
Learn More
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.
For a full list of security content, check out the release notes on Splunk Docs.
Feedback
Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.
Contributors
We would like to thank Mauricio Velazco, Michael Haag, and Teoderick Contreras for their contributions to this post and the “Active Directory Discovery” analytic story.
Related Articles
About Splunk
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.
Subscribe to our blog
Get the latest articles from Splunk straight to your inbox.
Connect with Splunk on X
Follow @Splunk
Connect with Splunk on Instagram
Follow @Splunk
