Windows active directory privileged users or groups reconnaissance
Goal
Detects reconnaissance activity targeting privileged Active Directory user accounts and groups. Alerts when multiple distinct privileged objects are accessed by a single user.
Strategy
This rule monitors Windows Security Audit events where @evt.id is 4661 for handle-to-object operations targeting Security Accounts Manager (SAM) user or group objects. The detection focuses on access attempts to well-known privileged group security identifiers (SIDs), including Domain Admins (-512), Guest (-501), Administrator (-500), Print Operators (-550), Enterprise Admins (-519), Schema Admins (-518), Domain Controllers (-516), and objects containing “admin” in their names. This pattern indicates potential reconnaissance activity where attackers enumerate privileged accounts to identify high-value targets for lateral movement or privilege escalation.
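The following is an added example, not the rule's own query: it applies the logic described above (event 4661, SAM user or group objects, well-known privileged RIDs or an "admin" substring, counted per subject and host) to a constructed batch of events. The event records, the domain SID component and the alert threshold of three distinct objects are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of event 4661 records (not real telemetry). Keys mirror the
# EventData fields the rule references; SIDs use a made-up domain component.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    {"EventID": 4661, "Host": "dc01", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_GROUP", "ObjectName": f"{DOM}-512"},   # Domain Admins
    {"EventID": 4661, "Host": "dc01", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_GROUP", "ObjectName": f"{DOM}-519"},   # Enterprise Admins
    {"EventID": 4661, "Host": "dc01", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_USER", "ObjectName": f"{DOM}-500"},    # Administrator
    {"EventID": 4661, "Host": "dc01", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_USER", "ObjectName": f"{DOM}-1105"},   # ordinary user: ignored
    {"EventID": 4661, "Host": "dc01", "SubjectUserName": "svc_backup",
     "ObjectType": "SAM_GROUP", "ObjectName": f"{DOM}-512"},   # single hit: below threshold
    {"EventID": 4662, "Host": "dc01", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_GROUP", "ObjectName": f"{DOM}-518"},   # wrong event ID: ignored
]

# Well-known RIDs from the rule: Administrator, Guest, Domain Admins,
# Domain Controllers, Schema Admins, Enterprise Admins, Print Operators.
PRIVILEGED_RIDS = {"500", "501", "512", "516", "518", "519", "550"}
ADMIN_RE = re.compile(r"admin", re.IGNORECASE)

def is_privileged_object(object_name):
    """True if the SID ends in a watched RID or the name contains 'admin'."""
    rid = object_name.rsplit("-", 1)[-1]
    return rid in PRIVILEGED_RIDS or bool(ADMIN_RE.search(object_name))

def privileged_sam_accesses(events):
    """Map (subject, host) -> set of distinct privileged SAM objects touched."""
    hits = defaultdict(set)
    for e in events:
        if e.get("EventID") != 4661:
            continue
        if e.get("ObjectType") not in ("SAM_USER", "SAM_GROUP"):
            continue
        name = e.get("ObjectName", "")
        if is_privileged_object(name):
            hits[(e["SubjectUserName"], e["Host"])].add(name)
    return hits

def find_recon(events, threshold=3):
    """Return subjects whose distinct privileged-object count meets the threshold."""
    return {key: sorted(objs) for key, objs in privileged_sam_accesses(events).items()
            if len(objs) >= threshold}
```

Calling `find_recon(SAMPLE_EVENTS)` flags only `jdoe` on `dc01`, since the non-privileged RID and the 4662 record are discarded and `svc_backup` touched a single object.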
Triage and response
- Examine the specific privileged objects accessed by {{@Event.EventData.Data.SubjectUserName}} on {{host}} to understand the scope of the reconnaissance activity.
- Review the user’s legitimate business role and determine if they have authorized reasons to access multiple privileged Active Directory objects.
- Check for subsequent authentication attempts or privilege escalation activities from the same user account following this reconnaissance.
- Analyze the timing and pattern of object access to distinguish between automated tools versus manual enumeration.
- Investigate whether the user account may have been compromised by reviewing recent authentication logs and unusual activity patterns.