Detect Active Directory Compromise with SIEM Query Programming

Hi Everyone,

I attended a Semperis Purple Knight webinar hosted by Sean Deuby today. He mentioned the Five Eyes research document published by the Australian Government Signals Directorate called "Detecting and Mitigating Active Directory Compromises". Active Directory is a primary focal point for malicious actors so I would highly recommend to those who are utilizing a SIEM to take advantage of the knowledge in this document.

The document mentioned contains detection queries that can be programmed into a SIEM to alert on the following attack methods:

Detecting and Mitigating Active Directory Compromise

• Kerberoasting
• Authentication Server Response (AS-REP) Roasting
• Password Spraying
• MachineAccountQuota Compromise
• Unconstrained Delegation
• Password in Group Policy Preferences (GPP) Compromise
• Active Director Certificate Services (AD CS) Compromise
• Golden Certificate
• DCSync
• Dumping ntds.dit
• Golden Ticket
• Silver Ticket
• Golden Security Assertion Markup Language (SAML)
• Microsoft Entra Connect Compromise
• One-way Domain Trust Bypass
• Security Identifier (SID) History Compromise
• Skeleton Key

Detecting Active Directory Compromise with Canaries

The use canary objects in Active Directory is an effective technique to detect Active Directory compromises. The benefit of this technique is that it does not rely on correlating event logs, providing a strong indication a compromise has happened. Notably, this technique does not rely on detecting the tooling used by malicious actors (like some other detection techniques do), but instead detects the compromise itself. As such, it is more likely to accurately detect compromises against Active Directory.

The following Active Directory compromises can be detected using this technique:

• Kerberoasting
• AS-REP Roasting
• DCSync

Please note that the SIEM query programming will greatly improve your detection capabilities. The document also contains mitigation efforts that can be undertaken by other infrastructure teams to harden the various areas under their management so it would be extremely beneficial to collaborate with them on it. This is a great opportunity where everyone can come together to try to be as proactive as possible to avoid an incident that may have been able to be prevented by doing some upfront hardening efforts.