STEALTHbits ProTip: Identifying Active Directory Attacks

Identifying Active Directory Attacks

Hacking Active Directory is most often associated with the process of elevating domain user access to domain admin access.  Monitoring domain controller events can help identify when this process has started.

The first phase of any attack is reconnaissance.  The attacker must learn about the environment to identify high-value targets.  For Active Directory, this starts with LDAP queries.

StealthINTERCEPT has built-in policies for monitoring LDAP queries to determine if an attacker has started to map out members of privileged accounts—or even service accounts based on SPNs.  Identifying where the queries originate, and what account is making these queries, is the first step in detecting potential threats against Active Directory.

Once the attacker has identified a potential target, an authentication attack may be used to try to obtain access to the target account.  StealthINTERCEPT has built-in analytics that monitor for authentication-based attacks such as Golden Tickets and Brute Force attacks, as well as authentication conditions such as concurrent logins and impersonations.

It’s important to identify accounts that are getting locked out or have unusual activity.

  • What computer is generating this suspicious activity?
  • What account is under attack?
  • When did the attack happen?

Answering these questions helps identify the compromised machine and accounts that are trying to gain access or escalate privileges.
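As an added example (not code from the original post or from StealthINTERCEPT), the following Python runs that triage over a constructed, SIEM-style feed of domain controller authentication events and answers the three questions above for each flagged account; the field names, the failure threshold and the time window are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry): normalized authentication
# events as a SIEM might receive them. Field names are assumptions.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T09:00:05", "event": "AuthFailure", "account": "svc-backup", "source": "WS-117"},
    {"time": "2024-03-01T09:00:07", "event": "AuthFailure", "account": "svc-backup", "source": "WS-117"},
    {"time": "2024-03-01T09:00:09", "event": "AuthFailure", "account": "svc-backup", "source": "WS-117"},
    {"time": "2024-03-01T09:00:11", "event": "AuthFailure", "account": "svc-backup", "source": "WS-117"},
    {"time": "2024-03-01T09:00:12", "event": "Lockout",     "account": "svc-backup", "source": "WS-117"},
    {"time": "2024-03-01T09:30:00", "event": "AuthFailure", "account": "jdoe",       "source": "WS-042"},
    {"time": "2024-03-01T11:30:00", "event": "AuthFailure", "account": "jdoe",       "source": "WS-042"},
]

def find_auth_attacks(events, threshold=4, window_minutes=5):
    """Group events per account and flag any account that was locked out or
    had at least `threshold` failures inside `window_minutes`.  Each finding
    records which computer(s) the activity came from, the account, and when."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append({**e, "ts": datetime.fromisoformat(e["time"])})
    findings = {}
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r["ts"])
        failures = [r for r in recs if r["event"] == "AuthFailure"]
        lockouts = [r for r in recs if r["event"] == "Lockout"]
        # Sliding window: does any run of `threshold` consecutive failures fit in `window`?
        burst = any(failures[i + threshold - 1]["ts"] - failures[i]["ts"] <= window
                    for i in range(len(failures) - threshold + 1))
        if burst or lockouts:
            findings[account] = {
                "sources": sorted({r["source"] for r in failures + lockouts}),  # what computer?
                "failures": len(failures),
                "locked_out": bool(lockouts),
                "first_seen": recs[0]["time"],   # when did it start?
                "last_seen": recs[-1]["time"],   # when did it end?
            }
    return findings

if __name__ == "__main__":
    for account, f in find_auth_attacks(SAMPLE_EVENTS).items():
        print(f"{account}: from {f['sources']}, failures={f['failures']}, "
              f"locked_out={f['locked_out']}, {f['first_seen']} .. {f['last_seen']}")
```

With the defaults, svc-backup is flagged (four failures in six seconds followed by a lockout, all from WS-117) while jdoe's two failures two hours apart are not.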

StealthINTERCEPT for Active Directory Attacks

StealthINTERCEPT: Real-time Change & Access Monitoring for Identifying Threats

StealthINTERCEPT is an agent-based solution that sends activity alerts in real-time to Security Information and Event Management (SIEM) solutions and security administrators to alert on various threat types.  It does not utilize native logging on domain controllers to identify these threats, so attackers cannot cover their tracks.

By monitoring for the beginning stages of Active Directory attacks, potential threats can be stopped before the attacker gains access to other resources secured by Active Directory.

To learn more about how StealthINTERCEPT protects against Active Directory Attacks, please click here.
