Windows active directory privileged users or groups reconnaissance
Goal
Detects reconnaissance activity targeting privileged Active Directory user accounts and groups. Alerts when multiple distinct privileged objects are accessed by a single user.
Strategy
This rule monitors Windows Security Audit events where @evt.id is 4661, that is, handle-to-object operations targeting Security Accounts Manager (SAM) user or group objects. The detection focuses on access attempts to well-known privileged user and group security identifiers (SIDs), including Domain Admins (-512), Guest (-501), Administrator (-500), Print Operators (-550), Enterprise Admins (-519), Schema Admins (-518), Domain Controllers (-516), and objects containing "admin" in their names. This pattern indicates potential reconnaissance activity in which attackers enumerate privileged accounts to identify high-value targets for lateral movement or privilege escalation.
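The following is an added illustration of the detection logic described above, not Datadog's own rule implementation. It matches constructed 4661 events against the RID list and the "admin" name check, then groups privileged-object accesses per user and host; the alert threshold of three distinct objects and the `Computer` field standing in for the host are assumptions, since the rule text only says "multiple".

```python
import re
from collections import defaultdict

# RID suffixes named in the rule; compared against the final sub-authority of the
# SAM object's SID (e.g. S-1-5-21-...-512 is Domain Admins, S-1-5-32-550 Print Operators).
PRIVILEGED_RIDS = {"500", "501", "512", "516", "518", "519", "550"}
SID_RE = re.compile(r"^S-1-5-(?:\d+-)+(\d+)$")

# Constructed sample events (not real logs); field names follow the EventData layout of event 4661.
SAMPLE_EVENTS = [
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-10-20-30-512",
     "SubjectUserName": "jdoe", "Computer": "DC01"},
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-10-20-30-519",
     "SubjectUserName": "jdoe", "Computer": "DC01"},
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-10-20-30-500",
     "SubjectUserName": "jdoe", "Computer": "DC01"},
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-10-20-30-512",
     "SubjectUserName": "jdoe", "Computer": "DC01"},          # repeat: not a new distinct object
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "HelpdeskAdmins",
     "SubjectUserName": "jdoe", "Computer": "DC01"},          # matched by the "admin" name check
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-10-20-30-1105",
     "SubjectUserName": "jdoe", "Computer": "DC01"},          # ordinary user object: ignored
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-10-20-30-512",
     "SubjectUserName": "asmith", "Computer": "DC01"},        # single lookup: below threshold
    {"EventID": 4662, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-10-20-30-512",
     "SubjectUserName": "asmith", "Computer": "DC01"},        # wrong event ID: ignored
]

def is_privileged_sam_object(event):
    """True if the event is a 4661 handle operation on a privileged SAM user or group."""
    if event.get("EventID") != 4661 or event.get("ObjectType") not in ("SAM_USER", "SAM_GROUP"):
        return False
    name = event.get("ObjectName", "")
    m = SID_RE.match(name)
    if m and m.group(1) in PRIVILEGED_RIDS:
        return True
    return "admin" in name.lower()

def find_recon(events, threshold=3):  # threshold is an assumption; the rule says "multiple"
    """Return {(user, host): [distinct privileged objects]} for groups at or above threshold."""
    seen = defaultdict(set)
    for ev in events:
        if is_privileged_sam_object(ev):
            seen[(ev["SubjectUserName"], ev["Computer"])].add(ev["ObjectName"])
    return {key: sorted(objs) for key, objs in seen.items() if len(objs) >= threshold}

if __name__ == "__main__":
    for (user, host), objs in find_recon(SAMPLE_EVENTS).items():
        print(f"ALERT {user} on {host} accessed {len(objs)} privileged objects: {objs}")
```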
Triage and response
- Examine the specific privileged objects accessed by {{@Event.EventData.Data.SubjectUserName}} on {{host}} to understand the scope of the reconnaissance activity.
- Review the user's legitimate business role and determine whether they have authorized reasons to access multiple privileged Active Directory objects.
- Check for subsequent authentication attempts or privilege escalation activities from the same user account following this reconnaissance.
- Analyze the timing and pattern of object access to distinguish between automated tools versus manual enumeration.
- Investigate whether the user account may have been compromised by reviewing recent authentication logs and unusual activity patterns.