Adversaries in Active Directory environments commonly gather information about privileged users or groups to identify targets for lateral movement or privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early signs of reconnaissance that could precede deeper network compromise.
Detection Rule
title: AD Privileged Users or Groups Reconnaissance
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
status: test
description: Detect privileged users or groups reconnaissance based on EventID 4661 and the SIDs of known privileged users or groups
references:
    - https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-07-13
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    service: security
    definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
    selection:
        EventID: 4661
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
    selection_object:
        - ObjectName|endswith:
            - '-512'
            - '-502'
            - '-500'
            - '-505'
            - '-519'
            - '-520'
            - '-544'
            - '-551'
            - '-555'
        - ObjectName|contains: 'admin'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and selection_object and not filter
falsepositives:
    - If the source account name is not an admin then it's super suspicious
level: high
SecurityEvent
| where EventID == 4661
| where ObjectType in ("SAM_USER", "SAM_GROUP")
| where (ObjectName endswith "-512" or ObjectName endswith "-502" or ObjectName endswith "-500" or ObjectName endswith "-505" or ObjectName endswith "-519" or ObjectName endswith "-520" or ObjectName endswith "-544" or ObjectName endswith "-551" or ObjectName endswith "-555") or ObjectName contains "admin"
| where not(SubjectUserName endswith "$")
Scenario: A system administrator is using PowerShell to audit or troubleshoot Active Directory group memberships via the Get-ADGroupMember cmdlet.
Filter/Exclusion: Check for the presence of known admin tools or scripts in the command line, or filter out events where the user is a known privileged user (e.g., Domain Admins).
Scenario: A scheduled job runs nightly to sync user groups with an external directory service using DSynchronize or ADSync.
Filter/Exclusion: Exclude events that occur during scheduled maintenance windows or filter by the job name or process name.
Scenario: An IT support technician is using LDP.exe to manually review group membership for troubleshooting purposes.
Filter/Exclusion: Filter out events initiated by non-privileged users or exclude processes associated with known administrative tools like LDP.exe.
Scenario: A group policy update is being deployed using Group Policy Management Console (GPMC), which may trigger AD replication events.
Filter/Exclusion: Exclude events that occur during known policy update cycles or filter by the source computer or user account involved.
Scenario: A third-party service account is performing routine AD health checks using PowerShell or ADSI to verify group memberships.
Filter/Exclusion: Exclude events from service accounts that are explicitly allowed to perform such checks, or filter by the service account name.
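The rule's logic (selection, selection_object, filter) and the service-account allowlist tuning from the scenarios above, applied to a handful of constructed 4661 events. This is an added example, not code from the rule or the Sigma project; the domain SID, account names and the allowlist are hypothetical.

```python
# Added example (not part of the original rule): the Sigma logic applied to
# constructed 4661 events, plus the service-account allowlist tuning that the
# false-positive scenarios suggest.

# RID suffixes listed in the rule, e.g. -500 Administrator, -502 krbtgt,
# -512 Domain Admins, -519 Enterprise Admins, -544 builtin Administrators.
PRIV_RID_SUFFIXES = ("-512", "-502", "-500", "-505", "-519", "-520", "-544", "-551", "-555")


def matches_rule(event: dict) -> bool:
    """True when the event satisfies: selection and selection_object and not filter."""
    # selection: SAM object access (4661) on a user or group object
    if event.get("EventID") != 4661 or event.get("ObjectType") not in ("SAM_USER", "SAM_GROUP"):
        return False
    # selection_object: well-known privileged RID suffix, or a name containing 'admin'
    # (Sigma string matching is case-insensitive, hence the lower())
    name = event.get("ObjectName", "")
    if not (name.endswith(PRIV_RID_SUFFIXES) or "admin" in name.lower()):
        return False
    # filter: drop machine accounts, whose SAM account names end with '$'
    return not event.get("SubjectUserName", "").endswith("$")


def triage(events: list, allowed_accounts: set) -> list:
    """Rule hits minus accounts explicitly allowed to audit group membership."""
    return [e for e in events
            if matches_rule(e) and e.get("SubjectUserName", "").lower() not in allowed_accounts]


# Constructed sample events (hypothetical domain SID and account names).
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": f"{DOMAIN}-512", "SubjectUserName": "jdoe"},
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": f"{DOMAIN}-512", "SubjectUserName": "DC01$"},
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": f"{DOMAIN}-1105", "SubjectUserName": "jdoe"},
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "CN=Domain Admins", "SubjectUserName": "svc_adhealth"},
    {"EventID": 4662, "ObjectType": "SAM_GROUP", "ObjectName": f"{DOMAIN}-519", "SubjectUserName": "jdoe"},
]
# Hypothetical service account allowed to run routine AD health checks.
ALLOWED_SERVICE_ACCOUNTS = {"svc_adhealth"}

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS, ALLOWED_SERVICE_ACCOUNTS):
        print("ALERT:", hit["SubjectUserName"], "->", hit["ObjectName"])
```

Only the interactive user touching the Domain Admins SID survives: the machine account is dropped by the rule's own filter, and the allowlisted service account by the tuning layer.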