Fundamentals
Active Directory Basics
MITRE ATT&CK techniques: T1484, T1207, T1558, T1003
How Active Directory structures domains, forests, OUs, users, groups, and trust relationships --- the foundational knowledge every SOC analyst needs to investigate Windows intrusions.
What Active Directory Is and Why It Is the Prime Target
- Active Directory (AD) is Microsoft’s directory service for Windows domain networks.
- It stores information about every object in the domain — users, computers, groups, printers, shared folders, and services — and enforces security policies across all domain-joined systems.
- AD was introduced in Windows 2000 Server and is the identity backbone of over 90% of Fortune 500 organizations.
- For an attacker, AD is the ultimate prize: compromise the domain controller, and you own everything.
Core AD Components Every Analyst Must Know
Domains and Forests
- A domain is the core administrative and replication unit: it has its own Domain Admins group, its own password and account policies, and its own partition of the directory database, and domain administrators in one domain do not automatically have authority over another domain.
- The domain is not the security boundary; the forest is. Every domain in a forest shares the schema and configuration partitions and the global catalog, all domains are joined by automatic two-way transitive trusts, and SID filtering is not applied between them, so a Domain Admin in any child domain can escalate to the forest root (for example by injecting the Enterprise Admins SID into SIDHistory on a forged inter-realm ticket).
- The forest root domain is the first domain created and holds the Enterprise Admins and Schema Admins groups, the highest-privilege groups in AD.
- Consequently, an attacker who gains Domain Admin in any domain of a multi-domain forest should be assumed to have compromised the whole forest, and recovery means rebuilding the forest, not just that domain.
Detection implications: When you see authentication crossing domain or forest boundaries (Event ID 4624 whose TargetDomainName or account SID belongs to a different domain than the host), check whether it is expected cross-domain resource access or lateral movement. BloodHound maps trust relationships as attack paths; expect attackers to use it for exactly this.
Organizational Units (OUs)
- OUs are containers within a domain used to organize objects (users, computers, groups) and delegate administrative control.
- OUs are not a security boundary — they are an administrative boundary. Group Policy applies per OU; delegated permissions apply per OU.
- Attackers target OUs containing high-value objects: servers, service accounts, executives.
Detection implications: Event ID 5136 (directory service object modified) where the changed attribute is nTSecurityDescriptor on an OU is a high-signal event, because it means someone changed who is delegated control over every object under that OU. It requires the Directory Service Changes audit subcategory and a SACL on the OU. An attacker granting their own account rights such as GenericAll, WriteDACL, or WriteOwner on an OU that holds servers or privileged accounts is Account Manipulation (MITRE T1098) and is effectively privilege escalation over everything in that OU.
Trust Relationships
- Trusts allow users in one domain to authenticate to resources in another domain.
- Trust types: parent-child and tree-root (created automatically within a forest, two-way, transitive), shortcut (manual, within a forest, to shorten authentication paths), forest (manual between two forest root domains, transitive across the two forests only, one-way or two-way), external (manual to a single domain in another forest, non-transitive, one-way or two-way), and realm (to a non-Windows Kerberos realm, transitive or non-transitive).
- Direction and transitivity are independent. Domain A trusts Domain B means A is the trusting domain and B the trusted domain: B's users can be granted access to A's resources, but not vice versa. A two-way trust is simply two one-way trusts; the automatic intra-forest trusts are two-way, while forest and external trusts are one-way unless explicitly created in both directions.
- Forest and external trusts apply SID filtering by default, which strips SIDHistory entries coming from the trusted side; intra-forest trusts do not. Check whether SID filtering has been relaxed on a forest trust (netdom trust with /quarantine or /enablesidhistory, or the SIDFilteringQuarantined and SIDFilteringForestAware properties returned by Get-ADTrust), because that turns a forest trust into a forest-wide escalation path (MITRE T1484.002, Domain Trust Modification).
- Attackers enumerate trusts (nltest /domain_trusts, Get-ADTrust, BloodHound) to find cross-domain or cross-forest lateral movement paths; BloodHound maps every trust and the shortest path between them.
Detection implications: Event ID 4624 with logon type 3 (network) from a user in a different domain or forest is normal only where legitimate cross-domain resource access exists. A user from corp.local authenticating to a domain controller of admin.corp.local is lateral movement unless that user is a known cross-domain administrator, so baseline which accounts are expected to cross each trust and alert on the rest.
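The direction and transitivity rules above are easy to get backwards during an investigation, so here is an added example (not code from the original page) that models them: given a list of one-way trusts, it computes in which domains a principal from a given home domain can be granted access and the trust path that gets it there, the same question BloodHound answers for trust edges. The trust list and all domain names are constructed for illustration; the model simplifies forest trusts to "transitive within the two forests, never into a third".

```python
# Added example, not code from the original page: a small model of AD trust
# direction and transitivity. Trust data and domain names are constructed.
from collections import deque

# (trusting_domain, trusted_domain, trust_type): "trusting trusts trusted",
# so principals from trusted_domain can be granted access in trusting_domain.
# Two-way trusts are written as two one-way entries.
TRUSTS = [
    # corp.local forest: root and child, automatic two-way transitive
    ("corp.local", "admin.corp.local", "parent-child"),
    ("admin.corp.local", "corp.local", "parent-child"),
    # two-way forest trust between corp.local and partner.local
    ("corp.local", "partner.local", "forest"),
    ("partner.local", "corp.local", "forest"),
    # partner.local forest has a child domain
    ("partner.local", "dev.partner.local", "parent-child"),
    ("dev.partner.local", "partner.local", "parent-child"),
    # partner.local also has a forest trust with a third forest, vendor.local
    ("partner.local", "vendor.local", "forest"),
    ("vendor.local", "partner.local", "forest"),
    # one-way external trust: legacy.local trusts corp.local, not vice versa
    ("legacy.local", "corp.local", "external"),
]


def trust_paths(home, trusts=TRUSTS):
    """Map each domain a principal from `home` can be granted access in to the
    shortest trust path (list of domains) that gets there.

    Rules modelled:
      * a trust is only followed from its trusted side to its trusting side;
      * intra-forest trusts (parent-child, tree-root, shortcut) are transitive;
      * a forest trust is transitive across the two forests it joins but does
        not chain into a third forest, so a path may cross at most one;
      * an external trust is non-transitive: only principals of the directly
        trusted domain benefit, and the path ends there.
    """
    start = (home, 0)                      # (current domain, forest hops used)
    state_path = {start: [home]}
    paths = {home: [home]}
    queue = deque([start])
    while queue:
        cur, forest_hops = queue.popleft()
        cur_path = state_path[(cur, forest_hops)]
        for trusting, trusted, ttype in trusts:
            if trusted != cur:
                continue                   # wrong direction for our principal
            if ttype == "external":
                if cur == home and trusting not in paths:
                    paths[trusting] = cur_path + [trusting]   # direct access only
                continue
            hops = forest_hops + (1 if ttype == "forest" else 0)
            if hops > 1:
                continue                   # would chain into a third forest
            if trusting not in paths:
                paths[trusting] = cur_path + [trusting]
            state = (trusting, hops)
            if state not in state_path:
                state_path[state] = cur_path + [trusting]
                queue.append(state)
    return {d: p for d, p in paths.items() if d != home}


if __name__ == "__main__":
    for home in ("corp.local", "admin.corp.local", "partner.local", "legacy.local"):
        reach = trust_paths(home)
        print(f"{home}: {sorted(reach)}")
        for dom, path in sorted(reach.items()):
            print("   ", " -> ".join(path))
```

Running it shows the asymmetries the text describes: legacy.local users reach nothing (the external trust points the other way), corp.local users reach legacy.local but admin.corp.local users do not (non-transitive), and nobody in the corp.local forest reaches vendor.local because that would chain two forest trusts.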
Security Principals and Group Types
- A security principal is any entity that can be authenticated and carries a SID: user, computer, group, or service account (including managed service accounts).
- Group scopes:
  - Domain Local: used to grant access to resources in its own domain. Can contain users, global groups, and universal groups from any trusted domain, which is why permissions are normally assigned to domain local groups.
  - Global: used to group accounts with a similar role. Can contain only members from its own domain, and can be nested into domain local groups in any domain in the forest or in a trusting forest.
  - Universal: can contain members from any domain in the forest; membership is replicated to the global catalog. Used for cross-domain permissions.
- Scope matters for detection because each scope has its own "member added" event: 4728 (global), 4732 (domain local), 4756 (universal). A rule that only watches 4728 never sees an addition to Enterprise Admins, which is a universal group.
- Built-in sensitive groups (the ones attackers target):
| Group | Scope | Privilege | Event ID to Monitor |
|---|---|---|---|
| Domain Admins | Global | Full control over the domain; local admin on every domain-joined machine | 4728 (member added to security-enabled global group) |
| Enterprise Admins | Universal (forest root only) | Full control over the forest | 4756 (member added to security-enabled universal group); rare, immediate escalation |
| Schema Admins | Universal (forest root only) | Can modify the AD schema | 4756; the group should normally be empty |
| Administrators | Domain Local (built-in) | Local admin on domain controllers, full control of the domain | 4732 (member added to security-enabled local group) |
| Account Operators | Domain Local (built-in) | Can create and modify most user and group accounts, but not AdminSDHolder-protected ones | 4732 for membership; 4720 (user created), 4738 (user modified) for its use |
| Server Operators | Domain Local (built-in) | Can log on interactively to DCs and control services and shares on them | 4732 for membership; 4624 with logon type 2 or 10 on a DC for its use |
| Backup Operators | Domain Local (built-in) | SeBackupPrivilege and SeRestorePrivilege: can read any file regardless of ACLs, including NTDS.dit from a shadow copy | 4732 for membership; 4672 listing SeBackupPrivilege at logon on a DC for its use |
Kerberos Authentication Flow
1. User logs in; the workstation sends an AS-REQ to the Domain Controller (DC). With pre-authentication (the default), the request carries a timestamp encrypted with the user's long-term key, which is derived from the password (the NT hash for RC4, a PBKDF2-derived key for AES).
2. The DC verifies the timestamp and replies with an AS-REP: a TGT (Ticket Granting Ticket) encrypted with the krbtgt account's key, plus a session key encrypted with the user's key. The client never sees inside the TGT; only the DC can decrypt it.
3. The user wants to access a resource (e.g., a file server). The workstation sends a TGS-REQ to the DC containing the TGT and the SPN of the target service.
4. The DC validates the TGT and replies with a TGS-REP containing a service ticket encrypted with the long-term key of the account that owns the SPN (the service account's NT hash when RC4 is used, its AES key otherwise). The DC does not check whether the requester is allowed to use the service; that is the service's job.
5. The workstation presents the service ticket to the file server in an AP-REQ; the server decrypts it with its own key, reads the PAC (the user's SID and group memberships) and grants or denies access.
Detection implications: Step 4 is the foundation of Kerberoasting (T1558.003): any authenticated domain user can request a service ticket for any SPN, and if the SPN belongs to a user account with a weak password the ticket can be cracked offline. Event IDs 4768 (TGT requested) and 4769 (service ticket requested), both logged only on domain controllers, are high-volume and need filtering: a single user requesting tickets for many different SPNs in a short window is suspicious, and requests with TicketEncryptionType 0x17 (RC4-HMAC) in an environment where AES is the norm are the classic Kerberoasting signature, because attackers ask for RC4 tickets to make cracking faster. Exclude machine-account SPNs (owning account name ends in $) and krbtgt to keep the signal clean.
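The filtering logic just described, as an added example that is not part of the original page: a sliding-window detector over 4769 records that counts distinct roastable service accounts per (client, account) pair, drops machine accounts and krbtgt, and raises severity when RC4 was requested. The event records are constructed samples using the XML field names of 4769 (TargetUserName is the requesting account, ServiceName the account that owns the SPN, IpAddress the client, TicketEncryptionType the cipher); accounts, hosts and addresses are hypothetical.

```python
# Added example, not code from the original page: Kerberoasting detection over
# constructed Windows Security 4769 records.
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4-HMAC; the cipher attackers request


def ev(time, user, service, ip, etype):
    """Build a 4769 record with the XML-style field names (constructed sample)."""
    return {"time": time, "EventID": 4769, "TargetUserName": user,
            "ServiceName": service, "IpAddress": ip, "TicketEncryptionType": etype}


EVENTS = [
    # jdoe on 10.0.0.25 pulls RC4 tickets for six service accounts in two minutes
    ev("2024-05-01T09:00:01", "jdoe@CORP.LOCAL", "svc_sql",       "::ffff:10.0.0.25", "0x17"),
    ev("2024-05-01T09:00:03", "jdoe@CORP.LOCAL", "svc_web",       "::ffff:10.0.0.25", "0x17"),
    ev("2024-05-01T09:00:04", "jdoe@CORP.LOCAL", "svc_backup",    "::ffff:10.0.0.25", "0x17"),
    ev("2024-05-01T09:00:06", "jdoe@CORP.LOCAL", "svc_sccm",      "::ffff:10.0.0.25", "0x17"),
    ev("2024-05-01T09:01:10", "jdoe@CORP.LOCAL", "svc_exchange",  "::ffff:10.0.0.25", "0x17"),
    ev("2024-05-01T09:01:55", "jdoe@CORP.LOCAL", "svc_mssql_dev", "::ffff:10.0.0.25", "0x17"),
    # noise that must not count: TGT renewal (krbtgt) and a machine-account SPN
    ev("2024-05-01T09:01:57", "jdoe@CORP.LOCAL", "krbtgt", "::ffff:10.0.0.25", "0x12"),
    ev("2024-05-01T09:01:58", "jdoe@CORP.LOCAL", "FS01$",  "::ffff:10.0.0.25", "0x12"),
    # asmith: two AES tickets hours apart, ordinary use
    ev("2024-05-01T08:15:00", "asmith@CORP.LOCAL", "svc_sql", "::ffff:10.0.0.40", "0x12"),
    ev("2024-05-01T11:42:00", "asmith@CORP.LOCAL", "svc_web", "::ffff:10.0.0.40", "0x12"),
]


def is_roastable_service(service_name):
    """Machine accounts have 120-character random passwords and krbtgt requests
    are TGT renewals; neither is a cracking target, so both are ignored."""
    n = service_name.lower()
    return not n.endswith("$") and n != "krbtgt"


def detect_kerberoasting(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per (client IP, account) that requested service tickets
    for at least `threshold` distinct roastable service accounts inside any
    span of length `window`. Severity is HIGH when RC4 was requested."""
    by_key = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769 or not is_roastable_service(e["ServiceName"]):
            continue
        by_key[(e["IpAddress"], e["TargetUserName"])].append(e)

    alerts = []
    for (ip, user), evs in by_key.items():
        evs.sort(key=lambda e: e["time"])        # ISO-8601 strings sort chronologically
        recent = deque()                          # events inside the current window
        best = []                                 # window with the most distinct SPNs
        for e in evs:
            t = datetime.fromisoformat(e["time"])
            recent.append(e)
            while datetime.fromisoformat(recent[0]["time"]) < t - window:
                recent.popleft()
            if len({x["ServiceName"] for x in recent}) > len({x["ServiceName"] for x in best}):
                best = list(recent)
        services = sorted({x["ServiceName"] for x in best})
        if len(services) >= threshold:
            rc4 = any(x["TicketEncryptionType"] == RC4_HMAC for x in best)
            alerts.append({
                "severity": "HIGH" if rc4 else "MEDIUM",
                "account": user, "client": ip,
                "distinct_services": len(services), "services": services,
                "rc4_requested": rc4,
                "window_start": best[0]["time"], "window_end": best[-1]["time"],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoasting(EVENTS):
        print(f"{a['severity']}: {a['account']} from {a['client']} requested "
              f"{a['distinct_services']} service tickets "
              f"({a['window_start']}..{a['window_end']}), RC4={a['rc4_requested']}")
```

The threshold and window are the knobs to tune against your own baseline; administrators running inventory scripts or monitoring tools can legitimately touch many SPNs, so an allow list on the requesting account is the usual next step.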
Detection — Investigating AD Compromise
Key Event IDs to Monitor
| Event ID | Description | What to Look For |
|---|---|---|
| 4624 | Successful logon | Logon type 3 (network) from unusual sources; logon type 9 (NewCredentials, produced by runas /netonly and by pass-the-hash tooling that injects credentials into a new logon session); type 10 (RDP) to domain controllers |
| 4625 | Failed logon | Sub Status 0xC0000064 (user does not exist) across many usernames |
| 4634 | Logoff | Correlate with 4624 for session duration |
| 4648 | Logon with explicit credentials | Unusual for service accounts to log on with explicit credentials |
| 4672 | Special privileges assigned to new logon | Logged for every logon that holds sensitive privileges (SeDebugPrivilege, SeBackupPrivilege, SeTcbPrivilege, and others); look for accounts that are not expected to hold them and for the first time an account appears with them |
| 4688 | Process creation | Command-line args revealing cred theft tools |
| 4719 | Audit policy change | Attacker modifying logging to cover tracks |
| 4720 | User account created | Suspicious account names created outside normal processes |
| 4728 | Member added to security-enabled global group | User added to Domain Admins — immediate escalation |
| 4732 | Member added to security-enabled local group | User added to local Administrators group |
| 4740 | Account locked out | Could be password spray or credential stuffing |
| 4743 | Computer account deleted | Attacker removing evidence of compromised machine |
| 4768 | Kerberos TGT requested | AS-REQ from unusual source IP |
| 4769 | Kerberos TGS requested | Multiple TGS requests for different SPNs (Kerberoasting) |
| 4776 | NTLM credential validation (logged on the DC that validated the hash) | NTLM from hosts that should be using Kerberos; source workstation names that do not match the source of the corresponding 4624. NTLMv1 is visible in 4624 on the target host where Authentication Package is NTLM and Package Name is NTLM V1 (should be blocked via LmCompatibilityLevel) |
| 5136 | Directory service object modified | Permission delegation changes, ACL modifications on sensitive objects |
SPL query — detect group membership change to sensitive groups. One event per group scope is needed: 4728 (global), 4732 (domain local), 4756 (universal); 4746 is the security-disabled local group event and never fires for these groups. With XML-rendered events TargetUserName is the group, MemberName the DN of the added member, SubjectUserName the actor:
```spl
index=windows sourcetype="WinEventLog:Security"
    (EventCode=4728 OR EventCode=4732 OR EventCode=4756)
    (TargetUserName="Domain Admins" OR TargetUserName="Enterprise Admins"
     OR TargetUserName="Schema Admins" OR TargetUserName="Administrators"
     OR TargetUserName="Account Operators" OR TargetUserName="Server Operators"
     OR TargetUserName="Backup Operators")
| stats values(SubjectUserName) as ChangedBy, values(TargetUserName) as TargetGroup
        by _time, EventCode, MemberName, MemberSid
| eval alert = if(match(MemberName, "(?i)(temp|test|backup|admin[0-9])"),
        "CRITICAL - Suspicious member added to privileged group",
        "HIGH - Member added to privileged group")
| table _time, EventCode, ChangedBy, MemberName, MemberSid, TargetGroup, alert
```
SPL query — detect Kerberoasting (many service tickets for distinct SPNs from one client, RC4 requested). In 4769, TargetUserName is the requesting account, ServiceName the account that owns the SPN, IpAddress the client and Status 0x0 a successful request; machine accounts and krbtgt are excluded because they are not crackable targets:
```spl
index=windows sourcetype="WinEventLog:Security" EventCode=4769
    TicketEncryptionType=0x17 Status=0x0
    NOT ServiceName="*$" NOT ServiceName="krbtgt*"
| bin _time span=10m
| stats dc(ServiceName) as UniqueServiceAccounts, values(ServiceName) as ServiceAccounts
        by _time, IpAddress, TargetUserName
| where UniqueServiceAccounts > 10
| eval alert = "HIGH - Possible Kerberoasting: " . TargetUserName . " requested "
        . UniqueServiceAccounts . " service tickets from " . IpAddress
| table _time, IpAddress, TargetUserName, UniqueServiceAccounts, ServiceAccounts, alert
```
If the domain still issues RC4 tickets by default, drop the TicketEncryptionType filter and rely on the distinct-SPN count alone; otherwise the 0x17 filter removes most of the volume on its own.
Common AD Attack Vectors and Detection
| Attack | MITRE ID | How It Works | Detection |
|---|---|---|---|
| Kerberoasting | T1558.003 | Request TGS tickets for service accounts, crack offline | Multiple 4769 events from one source, different SPNs |
| AS-REP Roasting | T1558.004 | Request an AS-REP for a user with "Do not require Kerberos preauthentication" set; part of the reply is encrypted with the user's key and is cracked offline | 4768 with Pre-Authentication Type 0 (no pre-auth), usually with TicketEncryptionType 0x17; rare in a healthy domain, so high signal. Also 4738 showing the DONT_REQ_PREAUTH flag being enabled on an account |
| Golden Ticket | T1558.001 | Forge a TGT using the krbtgt account's key; no AS-REQ ever reaches a DC | 4769 service ticket requests and 4624 logons for a user with no preceding 4768 on any DC; tickets for a user that does not exist or whose SID does not match the account; RC4 (0x17) tickets where AES is the norm. Ticket lifetimes beyond domain policy are visible only in the ticket itself (klist), not in 4768 |
| Silver Ticket | T1558.002 | Forge a service ticket using the service or computer account's key; the DC is never contacted | 4624 (logon type 3) on the target host for which no 4769 exists on any DC; 4624 with a SID that does not resolve or a malformed domain name |
| DCSync | T1003.006 | Use the directory replication protocol (DRSUAPI) to ask a DC for account secrets, exactly as another DC would | 4662 on the domain object whose Properties contain the extended rights DS-Replication-Get-Changes (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2) and DS-Replication-Get-Changes-All (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2), from a SubjectUserName that is not a domain controller computer account or an approved sync account (e.g., Azure AD Connect MSOL_*) |
| BloodHound Enumeration | T1069.002, T1087.002, T1482 | Enumerate AD topology, trusts, group memberships, sessions and ACLs via LDAP and SAMR | Large LDAP read volume from a workstation (DC Event 1644 with LDAP diagnostic logging enabled, or LDAP traffic in network telemetry); 4662 fires for reads only where a SACL exists, so do not rely on it; 4799 (local group membership enumerated) across many hosts from one account |
| Skeleton Key | T1556.001 | Patch LSASS on a DC so that a master password is accepted for every account alongside the real one | The patched DC only supports RC4, so 4768/4769 encryption downgrades to 0x17 on that DC where AES is normal; LSASS handle access on the DC (Sysmon Event 10); 7045 if the mimidrv.sys driver was installed to get into LSASS |
| NTLM Relay | T1557.001 | Capture an NTLM authentication (LLMNR/NBT-NS poisoning, or coercion such as PetitPotam) and relay it to another server | 4624 with logon type 3 on the target where IpAddress does not match the claimed workstation name; 4776 on the DC with a source workstation that is not the real source; NTLM authentication to sensitive services (AD CS web enrollment, LDAP on DCs) that should enforce signing or Extended Protection |
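The DCSync row is the one most often implemented badly, because legitimate replication by domain controllers and directory sync agents produces the same 4662 event. As an added example that is not code from the original page, this detector parses the Properties field of constructed 4662 records for the replication extended-right GUIDs (the GUIDs are the real identifiers; the domain controller names and the MSOL_ sync account are hypothetical stand-ins for values you would pull from the Domain Controllers OU and your own allow list) and flags any other actor, distinguishing Get-Changes-All, which returns secrets, from Get-Changes alone. It assumes the Directory Service Access audit subcategory is enabled on the DCs.

```python
# Added example, not code from the original page: DCSync detection over
# constructed Windows Security 4662 records.
import re

DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
RIGHT_NAMES = {
    DS_REPLICATION_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPLICATION_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPLICATION_GET_CHANGES_FILTERED: "DS-Replication-Get-Changes-In-Filtered-Set",
}
REPLICATION_RIGHTS = set(RIGHT_NAMES)
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Assumptions: in production build these from the Domain Controllers OU and
# from the accounts you have approved to replicate (Azure AD Connect etc.).
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}
APPROVED_SYNC_ACCOUNTS = {"MSOL_3f9a1c2b"}

DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"   # domainDNS schema GUID
USER_FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"


def ev4662(subject, object_name, rights, access_mask="0x100"):
    """Build a 4662 record (constructed sample). Properties mirrors the real
    layout: an access-type label followed by brace-wrapped GUIDs."""
    props = "Control Access\n\t" + "\n\t".join("{%s}" % g for g in rights)
    return {"EventID": 4662, "SubjectUserName": subject, "SubjectDomainName": "CORP",
            "ObjectType": "%{" + DOMAIN_DNS_CLASS + "}", "ObjectName": object_name,
            "AccessMask": access_mask, "Properties": props}


DOMAIN_DN = "DC=corp,DC=local"
EVENTS_4662 = [
    # normal inter-DC replication
    ev4662("DC02$", DOMAIN_DN, [DS_REPLICATION_GET_CHANGES_ALL, DOMAIN_DNS_CLASS]),
    # jdoe asks for everything: classic DCSync
    ev4662("jdoe", DOMAIN_DN, [DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL,
                               DOMAIN_DNS_CLASS]),
    # approved directory sync account, same rights as jdoe but allow-listed
    ev4662("MSOL_3f9a1c2b", DOMAIN_DN, [DS_REPLICATION_GET_CHANGES,
                                        DS_REPLICATION_GET_CHANGES_ALL, DOMAIN_DNS_CLASS]),
    # unrelated control-access right on a user object: not replication
    ev4662("jdoe", "CN=asmith,OU=Users,DC=corp,DC=local", [USER_FORCE_CHANGE_PASSWORD]),
    # Get-Changes without Get-Changes-All: cannot read secrets, still abnormal
    ev4662("svc_backup", DOMAIN_DN, [DS_REPLICATION_GET_CHANGES, DOMAIN_DNS_CLASS]),
]


def detect_dcsync(events, known_dcs=KNOWN_DC_ACCOUNTS, approved=APPROVED_SYNC_ACCOUNTS):
    """Return an alert for each 4662 that exercises a replication extended right
    from an account that is neither a domain controller nor approved to sync."""
    dcs = {d.upper() for d in known_dcs}
    alerts = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        if not int(e["AccessMask"], 16) & 0x100:      # 0x100 = control access right
            continue
        guids = {g.lower() for g in GUID_RE.findall(e["Properties"])}
        rights = guids & REPLICATION_RIGHTS
        if not rights:
            continue
        actor = e["SubjectUserName"]
        if actor.upper() in dcs or actor in approved:
            continue
        alerts.append({
            "actor": actor,
            "domain": e["SubjectDomainName"],
            "object": e["ObjectName"],
            "rights": sorted(RIGHT_NAMES[g] for g in rights),
            "can_read_secrets": DS_REPLICATION_GET_CHANGES_ALL in rights,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(EVENTS_4662):
        level = "CRITICAL" if a["can_read_secrets"] else "HIGH"
        print(f"{level}: {a['domain']}\\{a['actor']} exercised {', '.join(a['rights'])} "
              f"on {a['object']}")
```

Keep the domain controller list current: a rogue DC registered for DCShadow (T1207) would not be in it, and a decommissioned DC whose account lingers on the allow list hides the exact event you are looking for.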
Related
- Common Ports and Protocols — covers the common ports and protocols concepts
- Log Sources Overview — covers the log sources overview concepts
- Active Directory Compromise Response — detection and response for T1558 techniques
- Cloud Threats — Credential Theft, IMDS Abuse, Hijacking, Privilege Escalation — detection and response for T1525, T1552, T1613 techniques
- Golden Ticket Attack — detection and response for T1558.001 techniques
