Active Directory

Attackers can modify Active Directory object security descriptors to grant DCSync rights to unauthorized accounts, creating a backdoor to extract credential data.

An improper input validation vulnerability (CVE-2026-33826) in Windows Active Directory could allow an authenticated attacker on an adjacent network to execute code.

Detection of PowerShell scripts modifying the msDS-ManagedAccountPrecededByLink attribute, potentially indicating exploitation of the BadSuccessor privilege escalation vulnerability in Windows Server 2025.

Detection of a user being added to an Active Directory group by the SYSTEM account (S-1-5-18) can indicate an attacker with SYSTEM privileges attempting to pivot to a domain account.

Detection of DNS record creation by non-system accounts within Active Directory Integrated DNS (ADIDNS), which attackers can abuse to perform Dynamic Spoofing attacks, potentially targeting services like WPAD for credential access.

Attackers can create wildcard records in Active Directory Integrated DNS (ADIDNS) to redirect traffic, enabling adversary-in-the-middle attacks for credential interception or relay.

Adversaries may abuse the Active Directory Web Service (ADWS) to enumerate network resources and user accounts, by loading AD-related modules followed by a network connection to the ADWS dedicated TCP port.

Detection of Kerberos pre-authentication being disabled for a user account, potentially leading to AS-REP roasting and offline password cracking by attackers with GenericWrite or GenericAll rights over the account.

Attackers can modify the msPKIAccountCredentials attribute in Active Directory user objects to abuse credential roaming, potentially overwriting files for privilege escalation, by injecting malicious credential objects.

Detection of a user account initiating the Active Directory replication process for the first time, potentially indicating a DCSync attack for credential theft and domain compromise.

Detection of the assignment of the SeEnableDelegationPrivilege user right to a principal can indicate potential Active Directory compromise and privilege elevation by attackers.

The threat brief details the detection of NetExec (formerly CrackMapExec), a post-exploitation tool used for Active Directory penetration testing and network enumeration, often employed by threat actors for lateral movement and credential harvesting.

Detects the execution of ADExplorer, a tool used for Active Directory viewing and editing, which can be abused by adversaries for domain reconnaissance and creating offline snapshots of the AD database.

This rule identifies when a User Account starts the Active Directory Replication Process, potentially indicating a DCSync attack, which allows attackers to steal credential information compromising the entire domain.

The execution of AdFind.exe, an Active Directory query tool, is often used by threat actors for post-exploitation Active Directory reconnaissance, as observed in campaigns involving Trickbot, Ryuk, Maze, and FIN6.