Tag

Active_directory

5 briefs RSS

Windows AD ServicePrincipalName Added To Domain Account

This Splunk analytic detects the addition of a Service Principal Name (SPN) to a domain account by monitoring Windows Event Code 5136 and changes to the servicePrincipalName attribute, potentially indicating Kerberoasting attempts leading to unauthorized access.

Splunk Enterprise +2 kerberoasting active_directory spn persistence

2r 1t 3w ago

high advisory

Windows AD DCShadow Privilege Escalation via ACL Modification

2 rules 3 TTPs

This detection identifies an Active Directory access-control list (ACL) modification event, which applies the minimum required extended rights to perform the DCShadow attack by modifying permissions on the domainDNS object.

Active Directory +3 dcshadow active_directory acl privilege_escalation persistence

2r 3t 3w ago

medium advisory

Windows AD GPO Disabled

3 rules 1 TTP

Detection of Active Directory Group Policy being disabled using the Group Policy Management Console, potentially indicating malicious attempts to weaken security controls.

Splunk Enterprise +3 active_directory group_policy persistence

3r 1t Jan 3, 2024

medium advisory

User Added to Privileged Group in Active Directory

2 rules 1 TTP

Adversaries may add a user to a privileged group in Active Directory, such as Domain Admins, to maintain persistent access and elevate privileges within the domain.

Active Directory persistence privilege_escalation active_directory

2r 1t Jan 3, 2024

low advisory

Suspicious Access to LDAP Attributes

2 rules 3 TTPs

The rule detects suspicious access to LDAP attributes in Active Directory by identifying read access to a high number of Active Directory object attributes, which can help adversaries find vulnerabilities, elevate privileges, or collect sensitive information.

Active Directory active_directory ldap discovery windows

2r 3t Jan 2, 2024