Browsed by
Category: Active Directory

Any AD themed blogs

What is Azure Active Directory?

What is Azure Active Directory?

High-Level Overview of Azure AD If you’re reading the Insider Threat Security Blog, I’m sure you’re familiar with Active Directory. We’ve covered many topics with on-premise Active Directory: from clean-up to advanced attacks and threat detection. But what about Azure Active Directory? Has your organization started to march into the cloud and begun the migration process? Perhaps you’re just looking to wrap your head around what Microsoft has to offer. STEALTHbits is here to help. Azure AD Overview At a…

Read More Read More

Fun with Active Directory’s AdminCount Attribute

Fun with Active Directory’s AdminCount Attribute

This blog post is part of a series about Active Directory attributes with values or behaviors that can be easily and inadvertently misinterpreted and misused. This series will provide information about these attributes, including both their limitations and their valid usages with respect to the administration of Active Directory. Active Directory is the primary authentication service used by the vast majority of organizations, including more than 95% of Fortune 500 companies. Consequently, Active Directory objects with elevated administrative privileges are…

Read More Read More

A Guide to Active Directory User Logon Metadata

A Guide to Active Directory User Logon Metadata

This blog post is the first in a series about Active Directory attributes with values or behaviors that can be easily and inadvertently misinterpreted and misused. This series will provide information about these attributes, including both their limitations and their valid usages with respect to the administration of Active Directory. Active Directory user objects possess a number of logon metadata attributes that are often leveraged in Active Directory audit reporting and administration. One of their most common uses is to…

Read More Read More

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 5

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 5

Now that we understand how monitoring authentication patterns and authentication-based attacks can lead to an overwhelming amount of data which prevents any meaningful analysis, we can focus on our fifth, and final challenge of monitoring critical systems. Challenge 5 – Permission Changes and Object Changes Some of the most important changes to monitor within Active Directory are the changes to the security of the containers and objects.  Permissions control who can elevate privileges by changing group policies, adding members to…

Read More Read More

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 4

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 4

The last post, we discussed monitoring directory reads. One of the limitations of Active Directory is it offers no easy way to monitor suspicious read events, which can help you detect reconnaissance activity and stop an attack before it happens. Now let’s look at the next challenge, tracking authentication events. Challenge Four – Tracking Authentication Events With the recent surge of credential-based attacks, monitoring authentication patterns is critical to identify compromised accounts, signs of pass-the-hash and pass-the-ticket attacks, forged Kerberos…

Read More Read More

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 3

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 3

So far in this series, we’ve learned that changes to groups with extensive privilege within an Active Directory (AD) environment are the target for many hackers. We then looked at how Active Directory isn’t able to log the changes made to Group Policy settings, which can lead to an attack or production outage. Challenge 3 – Monitoring Directory Reads Another aspect of detecting Active Directory attacks is understanding how users are reading and enumerating AD objects.  When attackers are looking…

Read More Read More

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 2

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 2

In the first blog of this series, we discussed how changes to groups with extensive privilege within an Active Directory (AD) environment are the target for many hackers. However, this is just one of the problems with monitoring critical systems. Challenge 2 – Group Policy Changes Group Policies are used to control and manage settings across all computers joined to Active Directory.  This includes critical security settings such as who has administrative access to systems and numerous others.  A simple…

Read More Read More

What are FSMO Roles in Active Directory?

What are FSMO Roles in Active Directory?

Active Directory allows object creations, updates, and deletions to be committed to any authoritative domain controller. This is possible because every Active Directory domain controller maintains a writable copy of its own domain’s partition – except, of course, Read-Only Domain Controllers. After a change has been committed, it is replicated automatically to other domain controllers through a process called multi-master replication. This behavior allows most operations to be processed reliably by multiple domain controllers and provides for high levels of…

Read More Read More

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 1

Five Challenges with Monitoring Active Directory Security Using Event Logs: Part 1

As the methods that attackers use to compromise credentials and data continue to evolve, it is increasingly important to monitor critical systems such as Active Directory (AD) for signs of malicious activities. Most customers turn to security information and event management (SIEM) products to provide this monitoring.  While these solutions may be extremely powerful, they ultimately depend on the Windows event logs that are populated by Active Directory.  Event logs can be very complicated to work with, and ultimately do…

Read More Read More

Least Privilege Access – A Pragmatic Approach Using Resource-Based Groups

Least Privilege Access – A Pragmatic Approach Using Resource-Based Groups

At STEALTHbits, we often describe Active Directory as holding ‘the keys to the kingdom’. It stores the users and groups that grant access to an organization’s most sensitive information and should be protected for this very reason.  From an access management perspective, most administrators will stand behind the best practice of assigning access to groups instead of users. This is because it not only makes administration and management of this access more efficient for them but also has real benefits…

Read More Read More

Start a Free StealthAUDIT® Trial!

No risk. No obligation.

Privacy Preference Center

      Necessary

      Advertising

      Analytics

      Other