Detection Engineering: Enhancing Active Directory Security

Optimize your Active Directory security with a comprehensive KQL query to monitor user account activities effectively.

Thursday 30 January, 2025

Detection Engineering - Cyberware Hub

In today’s cybersecurity landscape, Active Directory (AD) remains a prime target for attackers. Detection engineering is crucial for identifying and mitigating potential threats. In this blog, we'll explore various detection strategies and share Kusto Query Language (KQL) queries to enhance your Active Directory security.

Why Does Detection Engineering Matter?

Active Directory is the backbone of many enterprise networks, providing authentication and authorization services. A compromised AD can lead to devastating consequences, including unauthorized access, data breaches, and disruption of services. Effective detection engineering enables security teams to identify suspicious activities and respond promptly to potential threats.

Key Detection Strategies Using KQL:

1. Monitor for Suspicious Logins

Unusual login patterns, such as logins at odd hours or from unexpected locations, can be a red flag for potential attacks.

// Successful logons (4624) by user accounts over the last 30 days, counted per
// account. The SecurityEvent table has no UserPrincipalName column; for 4624 the
// account that logged on is TargetAccount. The threshold is a starting baseline to tune.
SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4624
| where AccountType == "User"
| summarize LoginCount = count() by TargetAccount
| where LoginCount > 10
| project TargetAccount, LoginCount

2. Track Group Membership Changes

Unauthorized changes to group memberships, especially for privileged groups, can indicate an attempt to escalate privileges.

// 4738 = "A user account was changed". UserAccountControl lists the toggled flags
// as %%-codes; this query picks out 2096 / 2064, the Kerberos pre-authentication
// flag being set / cleared. The group add/remove events themselves (4728, 4732,
// 4733) are covered by query 5 below.
SecurityEvent
| where EventID == 4738
| where AccountType == "User"
| where UserAccountControl has_any ("2096", "2064")
| extend Action = case(
    UserAccountControl has "2096", "Kerberos preauthentication disabled",
    UserAccountControl has "2064", "Kerberos preauthentication enabled",
    "unknown")
| project TimeGenerated, Actor=SubjectAccount, User=TargetAccount, Action

3. Audit Privileged Account Activity

Monitoring the actions of privileged accounts helps identify any unusual or unauthorized activities.

// Logon successes and failures (4624 / 4625) for a watch-list of privileged
// accounts. "domainadmin" and "sysadmin" are placeholders; replace them with your
// own privileged account names. TargetUserName is the account the logon was for,
// and in~ makes the match case-insensitive, as Windows account names are.
SecurityEvent
| where EventID in (4624, 4625)
| where AccountType == "User"
| where TargetUserName in~ ("domainadmin", "sysadmin")
| summarize ActivityCount = count() by TargetUserName
| project TargetUserName, ActivityCount

4. Detecting Password Changes

Alerting on password changes can help detect potential account compromises.

// Password changes: 4723 is a change attempted by the user themselves, 4724 a
// reset performed by another account (typically an administrator or help desk).
// UserAccountControl is not populated on these two events, so the activity label
// is derived from the EventID rather than from account-control flags.
SecurityEvent
| where EventID in (4723, 4724)
| where AccountType == "User"
| extend Activity = case(
    EventID == 4723, "Password Change Attempted",
    EventID == 4724, "Password Reset",
    "Unknown")
| project TimeGenerated, Target=TargetAccount, Actor=SubjectAccount, Activity

5. Monitor User Account Activities

Monitor and detect various user account activities in Active Directory, including new user creations, account updates, password changes, and group membership changes.

// One timeline of account-lifecycle events. UserAccountControl carries the toggled
// flags mainly on 4720 and 4738; it is empty for most other IDs. For the group
// events (4728, 4732, 4733) TargetUserName is the group, and the member added or
// removed is in MemberName. case() requires a final default value, otherwise the
// query does not parse.
SecurityEvent
| where EventID in (4720, 4738, 4722, 4725, 4723, 4724, 4728, 4732, 4733)
| project
    TimeGenerated,
    AccountName = TargetUserName,
    Action = case(
        EventID == 4720, "New User Created",
        EventID == 4738, "User Account Updated",
        EventID == 4722, "Account Enabled",
        EventID == 4725, "Account Disabled",
        EventID == 4723, "Password Change Attempted",
        EventID == 4724, "Password Reset",
        EventID == 4728, "Added to Group",
        EventID == 4732, "Added to Security-Enabled Group",
        EventID == 4733, "Removed from Security-Enabled Group",
        "Other"
    ),
    ChangedBy = SubjectUserName,
    AdditionalDetails = UserAccountControl
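To check the flag-decoding and labelling logic of queries 2 and 5 offline before wiring it into an analytics rule, here is an added Python example (not code from this post): it extracts the %%-codes from a UserAccountControl field, applies query 2's labels and query 5's EventID labels, and reproduces query 2's filter over constructed SecurityEvent-style records. The account names and records are made up.

```python
import re

# Added example, not the blog's code. Only the UserAccountControl codes that
# query 2 keys on are mapped, with its labels; any other code is left
# unlabelled rather than guessed.
UAC_FLAG_LABELS = {
    "2096": "Kerberos preauthentication disabled",
    "2064": "Kerberos preauthentication enabled",
}

# Event IDs and action labels exactly as query 5 assigns them.
EVENT_ACTIONS = {
    4720: "New User Created", 4738: "User Account Updated", 4722: "Account Enabled",
    4725: "Account Disabled", 4723: "Password Change Attempted", 4724: "Password Reset",
    4728: "Added to Group", 4732: "Added to Security-Enabled Group",
    4733: "Removed from Security-Enabled Group",
}

def decode_uac(uac_text):
    """Pull the %%-prefixed codes out of a raw UserAccountControl field."""
    return re.findall(r"%%(\d+)", uac_text or "")

def classify_event(event):
    """Label one SecurityEvent-style record as query 5 does, plus its decoded flags."""
    action = EVENT_ACTIONS.get(event["EventID"], "Other")
    flags = [UAC_FLAG_LABELS[code] for code in decode_uac(event.get("UserAccountControl"))
             if code in UAC_FLAG_LABELS]
    return action, flags

def find_flag_changes(events):
    """Same filter as query 2: 4738 user-account events carrying a watched flag."""
    hits = []
    for e in events:
        if e["EventID"] != 4738 or e.get("AccountType") != "User":
            continue
        for label in classify_event(e)[1]:
            hits.append({"Actor": e["SubjectAccount"], "User": e["TargetAccount"], "Action": label})
    return hits

# Constructed sample records in the shape of the Sentinel SecurityEvent table.
# The second record also carries code 2048, which is not mapped here and is ignored.
SAMPLE_EVENTS = [
    {"EventID": 4738, "AccountType": "User", "SubjectAccount": "CORP\\helpdesk1",
     "TargetAccount": "CORP\\svc-backup", "UserAccountControl": "\n\t\t%%2096"},
    {"EventID": 4738, "AccountType": "User", "SubjectAccount": "CORP\\adm-jane",
     "TargetAccount": "CORP\\svc-backup", "UserAccountControl": "\n\t\t%%2064\n\t\t%%2048"},
    {"EventID": 4723, "AccountType": "User", "SubjectAccount": "CORP\\bob",
     "TargetAccount": "CORP\\bob", "UserAccountControl": ""},
]
```

Running find_flag_changes(SAMPLE_EVENTS) returns two hits, one for the pre-authentication flag being set on svc-backup and one for it being cleared again, while the 4723 record is ignored by that filter.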

Conclusion:

Detection engineering is a vital component of a robust cybersecurity strategy. By implementing these detection strategies and utilizing the provided KQL queries, you can enhance your Active Directory security and stay ahead of potential threats. Stay vigilant, stay secure!

Be Safe and Happy Hunting!!