FalconFriday — Detecting Active Directory Data Collection — 0xFF21


When attackers gain access to a large corporate environment, one of the things they tend to do is extract large quantities of data from Active Directory. The extracted data can then be analyzed offline with tools such as BloodHound to find complex attack paths that enable privilege escalation and lateral movement.

Popular tools to collect data from Active Directory are:

SharpHound, the data collector shipped with BloodHound, which is built to efficiently collect large quantities of data from an Active Directory environment.
AD Explorer, provided by Microsoft as part of the Sysinternals suite, which can be used to interactively browse an Active Directory as well as to save a complete snapshot of the directory to a file. Such a snapshot file can be loaded into BloodHound using the awesome ADExplorerSnapshot.py tool by Cedric van Bockhaven.

In this article we discuss three different methods that can be used to detect this kind of data collection from Active Directory:

1 Client-side LDAP query logging via Microsoft Defender for Endpoint.

2 Domain controller LDAP query logging via Microsoft Defender for Identity.

3 Domain controller object access logging via SACLs and audit policies.
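Whichever of the three log sources you use, the signal that separates a collector such as SharpHound or an AD Explorer snapshot from normal use is volume: one account, from one host, touching a very large number of distinct directory objects in a short time. The following is an added example, not code from the FalconForce article or its GitHub repository, of that volume-based detection applied to the third method. It assumes the domain controllers audit "Directory Service Access" with a SACL that records successful reads on objects under the domain head, so that every enumerated object produces one event (ID 4662) carrying the reading account, the source host and the object's distinguished name. The sample events, the account and host names, and the window and threshold values are all constructed for the demo and are not values from the article.

```python
"""Volume-based detection of bulk Active Directory object reads.

Added example, not code from the FalconForce article. Assumption: each
input record is a reduced 4662-style event with the fields 'time',
'subject' (reading account), 'host' (source computer) and 'object'
(distinguished name of the object read). Real events carry more fields.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List


def build_sample_events() -> List[Dict]:
    """Constructed sample: one ordinary user and one bulk collector."""
    events = []
    base = datetime(2021, 6, 1, 9, 0, 0)
    # CORP\alice (hypothetical): 200 reads, but only 5 distinct objects,
    # i.e. the same few objects re-read again and again (normal use).
    for i in range(200):
        events.append({"time": base + timedelta(seconds=i * 3),
                       "subject": "CORP\\alice", "host": "WS01",
                       "object": f"CN=obj{i % 5},OU=Users,DC=corp,DC=local"})
    # CORP\bob (hypothetical): 400 distinct objects in ~100 seconds,
    # the shape of a SharpHound run or an AD Explorer snapshot.
    for i in range(400):
        events.append({"time": base + timedelta(seconds=10 + i * 0.25),
                       "subject": "CORP\\bob", "host": "WS17",
                       "object": f"CN=obj{i},OU=Computers,DC=corp,DC=local"})
    return events


def detect_bulk_reads(events: List[Dict],
                      window: timedelta = timedelta(minutes=5),
                      threshold: int = 100) -> List[Dict]:
    """Alert when one (account, host) reads >= threshold DISTINCT objects
    inside a sliding time window. Counting distinct objects rather than
    raw events keeps a user who re-reads the same object from alerting."""
    by_actor: Dict[tuple, List[Dict]] = defaultdict(list)
    for e in events:
        by_actor[(e["subject"], e["host"])].append(e)

    alerts = []
    for (subject, host), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        recent = deque()      # (time, object) pairs still inside the window
        seen = Counter()      # object -> number of reads inside the window
        for e in evs:
            recent.append((e["time"], e["object"]))
            seen[e["object"]] += 1
            # Evict reads that have fallen out of the window.
            while recent and e["time"] - recent[0][0] > window:
                _, old = recent.popleft()
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
            if len(seen) >= threshold:
                alerts.append({"subject": subject, "host": host,
                               "distinct_objects": len(seen),
                               "window_start": recent[0][0],
                               "window_end": e["time"]})
                break  # one alert per actor; do not flood the SOC queue
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_reads(build_sample_events()):
        print(f"{alert['subject']} from {alert['host']} read "
              f"{alert['distinct_objects']} distinct objects between "
              f"{alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S}")
```

The threshold has to be tuned per environment: an SACL broad enough to catch a collector also records reads by legitimate bulk readers (backup, identity-management and monitoring accounts), so expect to allow-list those rather than raise the threshold until the collector slips under it. The same distinct-count logic applies unchanged to the LDAP query logs from methods 1 and 2, with the queried base DN or search filter taking the place of the object name.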

This is a cross-post from medium.com; please read the full article here:

https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c

Direct link to our GitHub page:

https://github.com/FalconForceTeam/FalconFriday