LoFP / Service accounts or applications that routinely query Active Directory for information.

Techniques

Sample rules

Windows AD Privileged Object Access Activity

Description

Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory.

Detection logic

`wineventlog_security` EventCode=4662 ObjectName IN ( "CN=Account Operators,*", "CN=Administrators,*", "CN=Backup Operators,*", "CN=Cert Publishers,*", "CN=Certificate Service DCOM Access,*", "CN=Domain Admins,*", "CN=Domain Controllers,*", "CN=Enterprise Admins,*", "CN=Enterprise Read-only Domain Controllers,*", "CN=Group Policy Creator Owners,*", "CN=Incoming Forest Trust Builders,*", "CN=Microsoft Exchange Servers,*", "CN=Network Configuration Operators,*", "CN=Power Users,*", "CN=Print Operators,*", "CN=Read-only Domain Controllers,*", "CN=Replicators,*", "CN=Schema Admins,*", "CN=Server Operators,*", "CN=Exchange Trusted Subsystem,*", "CN=Exchange Windows Permission,*", "CN=Organization Management,*") 
| rex field=ObjectName "CN\=(?<object_name>[^,]+)" 
| stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName 
| rename SubjectUserName as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_ad_privileged_object_access_activity_filter`

Windows AD Abnormal Object Access Activity

Description

Windows Active Directory contains numerous objects. A statistically significant increase in access to these objects may be evidence of attacker enumeration of Active Directory.

Detection logic

`wineventlog_security` EventCode=4662 
| stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName 
| eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev 
| eval limit = round((average+(standarddev*3)),0), user = SubjectUserName 
| where ObjectName_count > limit 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
| `windows_ad_abnormal_object_access_activity_filter`
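The per-user distinct-object baseline used by the abnormal-access rule above, re-implemented in Python as an added example (not Splunk content) over constructed Event ID 4662 records. The account names, object names and the `known_service_accounts` parameter are assumptions; the second mode shows why a routinely querying service account both trips the rule and, when only filtered afterwards, skews the baseline that should catch other accounts.

```python
from collections import defaultdict
from statistics import mean, stdev

# Constructed 4662 records (SubjectUserName, ObjectName); not real telemetry.
# Twenty ordinary users each touch one to three distinct objects.
EVENTS = [
    (f"user{i:02d}", f"CN=obj{i:02d}-{j},OU=Users,DC=corp,DC=example")
    for i in range(20) for j in range(i % 3 + 1)
]
# Hypothetical asset-inventory account reading every workstation object nightly:
# the routine querying this LoFP entry describes.
EVENTS += [("svc_inventory", f"CN=WS-{i:03d},OU=Workstations,DC=corp,DC=example")
           for i in range(60)]
# Hypothetical account with no such business reason touching many objects.
EVENTS += [("tmp-account", f"CN=obj-{i:03d},OU=Users,DC=corp,DC=example")
           for i in range(50)]

def distinct_objects_per_user(events):
    """Equivalent of `stats dc(ObjectName) BY SubjectUserName`."""
    seen = defaultdict(set)
    for user, obj in events:
        seen[user].add(obj)
    return {u: len(objs) for u, objs in seen.items()}

def threshold(counts, sigma=3):
    """`eval limit = round(average + standarddev*3, 0)`. Splunk's stdev is the
    sample standard deviation, as is statistics.stdev."""
    values = list(counts.values())
    return round(mean(values) + sigma * stdev(values))

def abnormal_users(events, known_service_accounts=frozenset(),
                   exclude_before_baseline=False):
    """Users whose distinct-object count exceeds the limit, minus known accounts.
    exclude_before_baseline=False mirrors the rule: the filter macro runs after
    `where`, so service accounts still shape average and stdev.
    exclude_before_baseline=True removes them before the statistics."""
    counts = distinct_objects_per_user(events)
    if exclude_before_baseline:
        counts = {u: c for u, c in counts.items() if u not in known_service_accounts}
    if len(counts) < 2:
        return {}
    limit = threshold(counts)
    return {u: c for u, c in counts.items()
            if c > limit and u not in known_service_accounts}

if __name__ == "__main__":
    print(abnormal_users(EVENTS))                           # {'svc_inventory': 60}
    print(abnormal_users(EVENTS, {"svc_inventory"}))        # {}
    print(abnormal_users(EVENTS, {"svc_inventory"}, True))  # {'tmp-account': 50}
```

With the service account left in the population the limit is 54, so it alone fires and the 50-object account passes; excluding it first drops the limit to 36 and the other account is surfaced.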