Active Directory Enumeration detected by Microsoft Security solutions
This blog describes basic Active Directory enumeration via standard tooling (MS-DOS and PowerShell) and the detection via the Microsoft 365 E5 Security tools and Azure Security Center. Third party AD Recon tools like PowerSploit (PowerView) and BloodHound are out-of-scope (for now).
Pre-requisite: member server (domain joined) and domain user with local administrator permissions (log on).
C:\> net user helpdesk Passw0rd /add /domain
C:\> net localgroup administrators helpdesk /add
Enumeration is the process of extracting information from the Active Directory (e.g. users and groups). In our examples we enumerate the ‘Domain Admins’ group but this could also be the Schema- or Enterprise Admins groups.
MS-DOS NET command
C:\> Net group “Domain Admins” /domain
MS-DOS DSQUERY command
C:\> Dsquery group -name “Domain Admins” | dsget group -members ¹
PowerShell Get-ADGroupMember command
PS C:\> Get-ADGroupMember -Identity “Domain Admins” ¹
¹ Requires RSAT (Remote Server Administration Tools) installed
The PowerShell script below does not require the RSAT tools to be installed.
$DomainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]”LDAP://$DomainObj”
$DN = $Domain.distinguishedName
$DomainAdmins = [ADSI]”LDAP://cn=Domain Admins,cn=Users,$DN”
“Group name “ + $DomainAdmins.sAMAccountName
ForEach ($MemberDN In $DomainAdmins.Member)
$Member = [ADSI]”LDAP://$MemberDN”
“ “ + $Member.cn
Azure ATP detects anomalies (for example in the reconnaissance phase) in the Active Directory
- Account enumeration reconnaissance
- Active Directory attributes reconnaissance (LDAP)
- Network mapping reconnaissance (DNS)
- Security principal reconnaissance (LDAP)
- User and Group membership reconnaissance (SAMR) ¹
- User and IP address reconnaissance (SMB)
¹ baseline (learning) period of 4 weeks before an alert is triggered
The ‘User and Group membership reconnaissance (SAMR)’ is detected on the NET command.
Before the baseline period the following information can be found via Search.
The NET command triggered the SAMR alert in Azure ATP.
The DSQUERY and the ‘PowerShell script’ triggered the LDAP alert in Azure ATP.
Azure Security Center
Azure Security Center (ASC) is a unified infrastructure security management system for Azure resources (IaaS, PaaS & IoT) that integrates with Microsoft Defender ATP (requires the ASC Standard Tier enabled).
Azure Security Center (ASC) detected the NET command.
And the enumeration of multiple (e.g. Domain, Enterpise and Schema) groups
Multiple alerts are correlated into a Security Incident which simplifies the RCA (Root Cause Analysis) process.
Microsoft Defender ATP / Microsoft Threat Protection
Microsoft Defender ATP (MDATP) is the EDR (Endpoint Detection & Response) solution to detect anomalies on the endpoint (Windows, Mac and more to follow soon 😊). Microsoft Defender ATP detected the NET command.
Microsoft Defender ATP also correlates multiple Alerts into one Incident (linked by device for example).
Microsoft Threat Protection (MTP) is the cross-product security solution for the Modern Workplace which correlates cross-product (Microsoft 365 E5 Security) incidents for consistent RCA insights.
Microsoft Threat Protection shows the same results as Microsoft Defender ATP in our example.
Microsoft Cloud App Security
Microsoft Cloud App Security (MCAS) is the CASB (Cloud Access Security Broker) solution from Microsoft but also the Unified SecOps portal for all Identity related alerts (Azure ATP, Azure AD Identity Protection and MCAS session-based alerts).
By enabling Azure ATP integration, the portal for Identity related alerts is MCAS, the Azure ATP portal is only used for configuration.
Azure Sentinel is the cloud native SIEM (Security Information and Event Management) from Microsoft. All products described in this blog send only alert information (no raw data) to Azure Sentinel.
With the Security Events Data Connector. The required MMA (Microsoft Monitoring Agent) can be installed on Windows Server, automatically for Azure VMs and manual for on-premises Servers, optional on Windows 10 😊).
EventID 4688 — A new process has been created can be used to detect Active Directory enumeration from the MS-DOS command (enable command-line process auditing in AD), example query (Incident or Hunting)
This query will detect the MS-DOS NET and DSQUERY commands (only search “Admins” will detect all three sensitive group enumeration).
PowerShell commands are not logged by default. When Script Block Logging is enabled (Group Policy), EventID 4104 is logged in Microsoft-Windows-PowerShell/Operational.
I hope this blog gives some insights in the Microsoft Security solutions detecting basic Active Directory enumeration (reconnaissance), Azure ATP is the advised solution for Active Directory security monitoring added with a defense in-depth framework for alert correlation (RCA).