Windows active directory privileged users or groups reconnaissance
Goal
Detects reconnaissance activity targeting privileged Active Directory user accounts and groups. Alerts when multiple distinct privileged objects are accessed by a single user.
Strategy
This rule monitors Windows Security Audit events, where @evt.id is 4661, for handle-to-object operations targeting Security Accounts Manager (SAM) user or group objects. The detection focuses on access attempts to well-known privileged group security identifiers (SIDs), including Domain Admins (-512), Guest (-501), Administrator (-500), Print Operators (-550), Enterprise Admins (-519), Schema Admins (-518), Domain Controllers (-516), and objects containing “admin” in their names. This pattern indicates potential reconnaissance activity where attackers enumerate privileged accounts to identify high-value targets for lateral movement or privilege escalation.
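The following is an added offline re-implementation of the detection logic described above, written for this page and not taken from the rule's own query. It assumes 4661 events have been flattened into dictionaries with the fields EventID, host, SubjectUserName, ObjectType and ObjectName; the sample events are constructed, SAM_ALIAS as an accepted object type and the threshold of two distinct objects are assumptions (the page says only "multiple"). Well-known RIDs are matched as the trailing component of the SID string, so a RID such as -1500 does not match -500.

```python
"""Offline re-implementation of the privileged-object reconnaissance rule (added example)."""
from collections import defaultdict

# Well-known RIDs listed in the rule, matched as the last SID component (hyphen included).
PRIVILEGED_RID_SUFFIXES = ("-512", "-501", "-500", "-550", "-519", "-518", "-516")

# SAM object classes of interest. SAM_USER and SAM_GROUP come from the rule text;
# SAM_ALIAS (domain-local groups) is an assumed extension.
SAM_OBJECT_TYPES = {"SAM_USER", "SAM_GROUP", "SAM_ALIAS"}

# "Multiple distinct" is not quantified on the page; 2 is an assumed threshold.
DISTINCT_OBJECT_THRESHOLD = 2

# Constructed sample events with flattened EventData; these are not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4661, "host": "dc01", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-100-200-300-512"},
    {"EventID": 4661, "host": "dc01", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-100-200-300-519"},
    {"EventID": 4661, "host": "dc01", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-100-200-300-500"},
    # Repeated access to the same object is counted once.
    {"EventID": 4661, "host": "dc01", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-100-200-300-512"},
    # Ordinary user objects: RIDs 1105 and 1500 are not in the privileged list.
    {"EventID": 4661, "host": "dc01", "SubjectUserName": "asmith",
     "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-100-200-300-1105"},
    {"EventID": 4661, "host": "dc01", "SubjectUserName": "asmith",
     "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-100-200-300-1500"},
    # One privileged object plus a SAM_DOMAIN object: below the threshold.
    {"EventID": 4661, "host": "dc02", "SubjectUserName": "helpdesk",
     "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-100-200-300-501"},
    {"EventID": 4661, "host": "dc02", "SubjectUserName": "helpdesk",
     "ObjectType": "SAM_DOMAIN", "ObjectName": "CORP"},
    # Wrong event ID: a file-access event with "admin" in its path must be ignored.
    {"EventID": 4663, "host": "dc02", "SubjectUserName": "helpdesk",
     "ObjectType": "File", "ObjectName": "C:\\admin-tools\\notes.txt"},
    # Name-based match ("admin" in the object name) plus Schema Admins by RID.
    {"EventID": 4661, "host": "dc02", "SubjectUserName": "backup-svc",
     "ObjectType": "SAM_GROUP", "ObjectName": "CN=sql-admins,CN=Users,DC=corp,DC=local"},
    {"EventID": 4661, "host": "dc02", "SubjectUserName": "backup-svc",
     "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-100-200-300-518"},
]


def is_privileged_object(object_name: str) -> bool:
    """True if the object name carries a listed well-known RID or contains 'admin'."""
    name = object_name.lower()
    return "admin" in name or name.endswith(PRIVILEGED_RID_SUFFIXES)


def detect_privileged_recon(events, threshold=DISTINCT_OBJECT_THRESHOLD):
    """Return {(SubjectUserName, host): sorted privileged object names} for every
    subject that touched at least `threshold` distinct privileged SAM objects."""
    touched = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4661:
            continue
        if ev.get("ObjectType") not in SAM_OBJECT_TYPES:
            continue
        if not is_privileged_object(ev.get("ObjectName", "")):
            continue
        touched[(ev["SubjectUserName"], ev["host"])].add(ev["ObjectName"])
    return {key: sorted(objs) for key, objs in touched.items() if len(objs) >= threshold}


if __name__ == "__main__":
    for (user, host), objects in detect_privileged_recon(SAMPLE_EVENTS).items():
        print(f"{user} on {host} accessed {len(objects)} distinct privileged objects:")
        for obj in objects:
            print(f"  {obj}")
```

Run against the constructed events, jdoe and backup-svc are reported and helpdesk and asmith are not. The grouping key mirrors the SubjectUserName and host fields the triage steps refer to; a production rule would additionally bound the count to an evaluation window, which this offline version omits.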
Triage and response
- Examine the specific privileged objects accessed by {{@Event.EventData.Data.SubjectUserName}} on {{host}} to understand the scope of the reconnaissance activity.
- Review the user’s legitimate business role and determine if they have authorized reasons to access multiple privileged Active Directory objects.
- Check for subsequent authentication attempts or privilege escalation activities from the same user account following this reconnaissance.
- Analyze the timing and pattern of object access to distinguish between automated tools versus manual enumeration.
- Investigate whether the user account may have been compromised by reviewing recent authentication logs and unusual activity patterns.