A database and set of services that allows administrators to manage permissions, access to network resources, and stored data objects (user, group, application, or devices)[1]
Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples:
Data Collection Measures:
Audit Kerberos Authentication Service" or "Audit Kerberos Service Ticket Operations."Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples:
Data Collection Measures:
Audit Kerberos Authentication Service" or "Audit Kerberos Service Ticket Operations."| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1649 | Steal or Forge Authentication Certificates |
Monitor AD CS certificate requests (ex: EID 4886) as well as issued certificates (ex: EID 4887) for abnormal activity, including unexpected certificate enrollments and signs of abuse within certificate attributes (such as abusable EKUs).[2] |
|
| Enterprise | T1558 | Steal or Forge Kerberos Tickets |
Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.[3][4][5]Monitor the lifetime of TGT tickets for values that differ from the default domain duration.[6] Monitor for indications of Pass the Ticket being used to move laterally. |
|
| .001 | Golden Ticket |
Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4769, 4768), RC4 encryption within TGTs, and TGS requests without preceding TGT requests. Monitor the lifetime of TGT tickets for values that differ from the default domain duration. Monitor for indications of Pass the Ticket being used to move laterally. |
||
| .003 | Kerberoasting |
Monitor for anomalous Kerberos activity, such as enabling Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]). |
||
| .004 | AS-REP Roasting |
Monitor for anomalous activity, such as enabling Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]). |
||
| Enterprise | T1550 | Use Alternate Authentication Material |
Monitor requests of new ticket granting ticket or service tickets to a Domain Controller, such as Windows EID 4769 or 4768, that may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls. |
|
| .002 | Pass the Hash |
Monitor requests of new ticket granting ticket or service tickets to a Domain Controller. Windows Security events such as 4768 (A Kerberos authentication ticket (TGT) was requested) and 4769 (A Kerberos service ticket was requested) combined with logon session creation information may be indicative of an overpass the hash attempt. |
||
| .003 | Pass the Ticket |
Monitor requests of new ticket granting ticket or service tickets to a Domain Controller. Event ID 4769 is generated on the Domain Controller when using a golden ticket after the KRBTGT password has been reset twice, as mentioned in the mitigation section. The status code 0x1F indicates the action has failed due to "Integrity check on decrypted field failed" and indicates misuse by a previously invalidated golden ticket.[5] |
||
Object access refers to activities where AD objects (e.g., user accounts, groups, policies) are accessed or queried. Example: Windows Event ID 4661 logs object access attempts. Examples:
userPassword, memberOf, securityDescriptor.samAccountName, lastLogonTimestamp.Data Collection Measures:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object AccessEnable: Audit Directory Service Access (Success and Failure).Domain Admins group.userPassword, ntSecurityDescriptor.Object access refers to activities where AD objects (e.g., user accounts, groups, policies) are accessed or queried. Example: Windows Event ID 4661 logs object access attempts. Examples:
userPassword, memberOf, securityDescriptor.samAccountName, lastLogonTimestamp.Data Collection Measures:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object AccessEnable: Audit Directory Service Access (Success and Failure).Domain Admins group.userPassword, ntSecurityDescriptor.| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1615 | Group Policy Discovery |
Monitor for abnormal LDAP queries with filters for |
|
| Enterprise | T1003 | OS Credential Dumping |
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [7] [8] [9] Note: Domain controllers may not log replication requests originating from the default domain controller account. [10]. Monitor for replication requests [11] from IPs not associated with known domain controllers. [12] Analytic 1 - Suspicious Replication Requests
|
|
| .006 | DCSync |
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.[7] [8] [9] Note: Domain controllers may not log replication requests originating from the default domain controller account.[10] Analytic 1 - Monitor for replication requests from IPs not associated with known domain controllers.
|
||
| Enterprise | T1033 | System Owner/User Discovery |
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [7] [8] [9] Note: Domain controllers may not log replication requests originating from the default domain controller account. [10]. Monitor for replication requests [11] from IPs not associated with known domain controllers. [12] |
|
Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples:
Data Collection Measures:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes.Creating new objects in AD, such as user accounts, groups, organizational units (OUs), or trust relationships. Logged as Event ID 5137. Examples:
Data Collection Measures:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes.| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1098 | .001 | Account Manipulation: Additional Cloud Credentials |
Monitor M365 Audit logs for Analytic 1 - Creation of applications with unusual permissions or from suspicious user agents/IPs. Note: To detect the creation of potentially malicious applications using hijacked admin credentials or from unusual IP addresses.
Analytic 2 - Creation of service principals with suspicious user agents or from unusual IP addresses. Note: To detect the creation of potentially malicious service principals using hijacked admin credentials or from unusual IP addresses.
|
| .005 | Account Manipulation: Device Registration |
Monitor for the registration or joining of new device objects in Active Directory. Raise alerts when new devices are registered or joined without using MFA.[13] Analytic 1 - Device registration events with suspicious user agents, unusual OS types, OS versions, or display names. Note: To detect the registration of potentially malicious devices using hijacked admin credentials or from unusual IP addresses.
|
||
| Enterprise | T1484 | Domain or Tenant Policy Modification |
Monitor for newly constructed active directory objects, such as Windows EID 5137. |
|
| .001 | Group Policy Modification |
Monitor for newly constructed active directory objects, such as Windows EID 5137. |
||
| .002 | Trust Modification |
Monitor for newly constructed active directory objects, such as Windows EID 5137. |
||
| Enterprise | T1207 | Rogue Domain Controller |
Baseline and periodically analyze the Configuration partition of the AD schema and alert on creation of nTDSDSA objects.[14] |
|
Object deletion in AD (e.g., user accounts, groups, OUs) is logged as Event ID 5141. Examples:
Data Collection Measures:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes.Object deletion in AD (e.g., user accounts, groups, OUs) is logged as Event ID 5141. Examples:
Data Collection Measures:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes.| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1484 | Domain or Tenant Policy Modification |
Monitor for unexpected deletion of an active directory object, such as Windows EID 5141. |
|
| .001 | Group Policy Modification |
Monitor for unexpected deletion of an active directory object, such as Windows EID 5141. |
||
Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples:
Data Collection Measures:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes.Changes to AD objects (e.g., users, groups, OUs) are logged as Event ID 5136 (Object Modification) or 5163 (Attribute Changes). Examples:
Data Collection Measures:
Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Directory Service Changes.| Domain | ID | Name | Detects | |
|---|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation |
Monitor for changes made to AD settings that may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. |
|
| .005 | SID-History Injection |
Monitor for changes to account management events on Domain Controllers for successful and failed changes to SID-History. [15] [16] |
||
| Enterprise | T1531 | Account Access Removal |
Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.). Analytic 1 - Unusual password change operations
|
|
| Enterprise | T1098 | Account Manipulation |
Monitor for the registration or joining of new device objects in Active Directory. Raise alerts when new devices are registered or joined without using MFA.[13] |
|
| .001 | Additional Cloud Credentials |
Monitor M365 Audit logs for Analytic 1 - Suspicious modifications to RequiredResourceAccess, unexpected user agents, unusual modification times. Note: To detect suspicious updates to applications which might indicate the granting of unauthorized permissions or impersonation access.
Analytic 2 - Suspicious key descriptions, unexpected user agents, unusual modification times. Note: To detect suspicious updates to application certificates and secrets, which might indicate unauthorized access or changes.
Analytic 3 - Suspicious service principal names, unexpected user agents, unusual modification times. Note: To detect suspicious updates to service principals, which might indicate unauthorized access or changes.
|
||
| Enterprise | T1037 | Boot or Logon Initialization Scripts |
Monitor for changes made in the Active Directory that may use scripts automatically executed at boot or logon initialization to establish persistence. |
|
| .003 | Network Logon Script |
Monitor for changes made in the Active Directory that may use network logon scripts automatically executed at logon initialization to establish persistence. |
||
| Enterprise | T1671 | Cloud Application Integration |
Monitor M365 Audit logs for the Operations |
|
| Enterprise | T1484 | Domain or Tenant Policy Modification |
Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.). |
|
| .001 | Group Policy Modification |
Monitor for changes made to AD settings for unexpected modifications to user accounts, such as deletions or potentially malicious changes to user attributes (credentials, status, etc.). |
||
| .002 | Trust Modification |
Monitor for changes made to AD settings for unexpected modifications to domain trust settings, such as when a user or application modifies the federation settings on the domain. |
||
| Enterprise | T1222 | File and Directory Permissions Modification |
Monitor for changes made to ACLs and file/directory ownership. Many of the commands used to modify ACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
|
| .001 | Windows File and Directory Permissions Modification |
Monitor for changes made to DACLs and file/directory ownership. Many of the commands used to modify DACLs and file/directory ownership are built-in system utilities and may generate a high false positive alert rate, so compare against baseline knowledge for how systems are typically used and correlate modification events with other indications of malicious activity where possible. |
||
| Enterprise | T1556 | Modify Authentication Process |
Monitor for changes made to AD security settings related to MFA logon requirements, such as changes to Azure AD Conditional Access Policies or the registration of new MFA applications. Monitor for changes made to security settings related to Azure AD Conditional Access Policies. These can be found in the Azure AD audit log under the operation name Analytic 1 - Changes to AD security settings outside of normal maintenance windows.
|
|
| .005 | Reversible Encryption |
Monitor property changes in Group Policy: Analytic 1 - Enabling reversible encryption outside of standard procedures.
|
||
| .006 | Multi-Factor Authentication |
Monitor for changes made to AD security settings related to MFA logon requirements, such as changes to Azure AD Conditional Access Policies or the registration of new MFA applications. |
||
| .009 | Conditional Access Policies |
Monitor for changes made to security settings related to Entra ID Conditional Access Policies. For example, these can be found in the Entra ID audit log under the operation name |
||
| Enterprise | T1207 | Rogue Domain Controller |
Leverage AD directory synchronization (DirSync) to monitor changes to directory state using AD replication cookies.[19] [20] Also consider monitoring and alerting on the replication of AD objects (Audit Detailed Directory Service Replication Events 4928 and 4929). [14] |
|
| Enterprise | T1528 | Steal Application Access Token |
Monitor M365 Audit logs for the Operations Add app role assignment grant to user and/or Consent to application occurring against AzureActiveDirectory Workloads. Analytic 1 - Unusual app role assignments or consents to applications.
|
|
| Enterprise | T1649 | Steal or Forge Authentication Certificates |
Monitor for changes to CA attributes and settings, such as AD CS certificate template modifications (ex: EID 4899/4900 once a potentially malicious certificate is enrolled).[2] |
|