
The Role of Threat Hunting in Active Directory Security Operations

Threat hunting is a proactive cybersecurity process used to search through IT infrastructure to detect and isolate advanced threats before they cause harm or become significant breaches. Unlike traditional security measures, which rely on automated alerts to indicate the presence of threats, threat hunting looks for hidden or emerging threats that automated tools might not catch. Threat hunters use a combination of manual and automated techniques to search through data and look for suspicious activities or anomalies within an organization's IT environment. This process often involves analysing network traffic, logs, endpoints, and datasets to identify patterns or behaviours that indicate a potential security incident.

Threat hunting is based on the premise that attackers might already be in the network, undetected by existing security defences. Therefore, it requires a deep understanding of the normal operations of the organization’s systems, so that hunters can spot deviations that suggest a compromise. In essence, threat hunting is a proactive and iterative approach to cybersecurity that aims to improve the overall security posture of an organization by detecting and mitigating threats before they escalate into full-blown incidents.

Steps for Threat Hunting in Active Directory

Understanding the Environment

This means acquiring a thorough knowledge of the AD structure, its operations, and the normal activity patterns within it: mapping out the layout of the Active Directory infrastructure, including all domain controllers, organizational units, and trust relationships, and knowing how these elements interact and support the business processes of the organization.

Threat hunters must identify the critical assets and sensitive data within the network, understanding where this information is stored, who has access to it, and the mechanisms protecting it. This involves monitoring user behaviours, network traffic, and system performance to create a baseline of typical operations.

Awareness of the existing security policies, procedures, and controls is essential. This includes understanding how access controls, user and group policies, and auditing settings are managed and enforced in the AD environment. Knowing the network and system configurations in detail, such as firewall settings, antivirus defences, and patch management status, helps identify when unauthorized changes or suspicious configurations occur.

Finally, having a clear picture of user profiles (roles, access levels, and typical behavioural patterns) is key. Anomalies in these patterns often signal potential security issues.
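The baseline described above is only useful if it is recorded in a form you can diff later. The following script is an added example, not code from the original article: it snapshots the domain controllers, trusts, OUs and privileged group membership to JSON and compares privileged membership against an earlier snapshot. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list and output path are illustrative.

```powershell
# Added example, not part of the original article: snapshot the AD layout and privileged
# principals so later hunts have a baseline to diff against. Assumes the RSAT ActiveDirectory
# module and read access to the domain; group names and the output path are illustrative.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

function Get-AdBaseline {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        TakenAt             = (Get-Date).ToString('o')
        Forest              = $forest.Name
        Domain              = $domain.DNSRoot
        DomainControllers   = @(Get-ADDomainController -Filter * |
            Select-Object Name, IPv4Address, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem)
        # SID filtering flags matter for the cross-forest SID History hypothesis later in the article.
        Trusts              = @(Get-ADTrust -Filter * |
            Select-Object Name, Direction, TrustType, ForestTransitive, SIDFilteringQuarantined, SIDFilteringForestAware)
        OrganizationalUnits = @((Get-ADOrganizationalUnit -Filter *).DistinguishedName)
        PrivilegedGroups    = @(foreach ($g in $PrivilegedGroups) {
            [pscustomobject]@{
                Group   = $g
                Members = @(Get-ADGroupMember -Identity $g -Recursive |
                            Select-Object -ExpandProperty SamAccountName | Sort-Object)
            }
        })
        # adminCount=1 marks accounts protected by AdminSDHolder, including ones removed from groups but never cleaned up.
        AdminCountUsers     = @((Get-ADUser -Filter 'adminCount -eq 1').SamAccountName | Sort-Object)
    }
}

function Save-AdBaseline {
    param([string]$Path = "C:\ThreatHunting\ad-baseline-$(Get-Date -Format yyyyMMdd).json")
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-AdBaseline | ConvertTo-Json -Depth 5 | Set-Content -Path $Path -Encoding UTF8
    $Path
}

# Diff privileged group membership against an earlier snapshot; every line returned is a lead to investigate.
function Compare-PrivilegedMembership {
    param([Parameter(Mandatory)][string]$PreviousBaselinePath)
    $old = Get-Content -Path $PreviousBaselinePath -Raw | ConvertFrom-Json
    $new = Get-AdBaseline
    foreach ($group in $new.PrivilegedGroups) {
        $before = @(($old.PrivilegedGroups | Where-Object Group -eq $group.Group).Members | Where-Object { $_ })
        $after  = @($group.Members | Where-Object { $_ })
        Compare-Object -ReferenceObject $before -DifferenceObject $after | ForEach-Object {
            [pscustomobject]@{
                Group  = $group.Group
                Member = $_.InputObject
                Change = if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' }
            }
        }
    }
}

Save-AdBaseline
# On a later hunt:
# Compare-PrivilegedMembership -PreviousBaselinePath C:\ThreatHunting\ad-baseline-20240501.json | Format-Table
```

Store the snapshots somewhere the domain administrators cannot edit; a baseline that an attacker with Domain Admin rights can rewrite is no baseline at all.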

Developing Hypotheses

Based on known attack techniques, vulnerabilities, or previous incidents, threat hunters develop hypotheses about potential security issues. In the case of AD, a hypothesis might be:

  • Cross-forest trust abuse. A threat actor who compromises a forest that another forest trusts can gain privileged access in the trusting forest, for example by placing privileged SIDs of the trusting forest into the SID History attribute of an account when SID filtering is not enforced on the trust.
  • Assignment of replication-related permissions to a user account. For example, an account holding the DS-Replication-Get-Changes-All right on the domain naming context is used to retrieve sensitive information, such as password hashes, via the MS-DRSR protocol (the technique commonly known as DCSync).
  • Account impersonation using Kerberos Constrained Delegation.
  • Pass the Hash attacks. A threat actor who gains administrative access to a single domain-joined machine can dump the NTLM hashes cached on it and replay them to authenticate to other systems as those accounts, escalating until a member of the Domain Admins group is obtained.
  • Abuse of Group Policy Objects. A GPO can be used for various attack types, such as adding regular accounts to the local Administrators group on the target machines or running a script at logon or startup.
  • Adding backdoors to AD-related systems. The directory itself may be compromised through other systems involved in the authentication process, such as Microsoft Entra Connect or Active Directory Federation Services.
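The replication-rights hypothesis is one you can test directly, because the rights in question are ordinary ACEs on the domain naming context. The script below is an added example, not the article's own code: it reads the ACL of the domain head, resolves the three replication control-access rights by their schema GUIDs (plus GenericAll and the "all extended rights" ACE that imply them), and reports every holder that is not on an expected list. It assumes the RSAT ActiveDirectory module; the expected-holder list is illustrative and must be adjusted to your forest (an Entra Connect sync account, for instance, legitimately holds these rights).

```powershell
# Added example, not from the article: list every principal holding replication control-access
# rights on the domain naming context, i.e. the permissions behind the DCSync technique.
# Assumption: RSAT ActiveDirectory module available; the expected-holder list is illustrative.
Import-Module ActiveDirectory

# rightsGuid values of the replication controlAccessRight objects in the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-ReplicationRightHolders {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DomainDN"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid   = $ace.ObjectType.ToString().ToLower()
        $rights = $ace.ActiveDirectoryRights.ToString()

        # A replication right can be granted explicitly, through GenericAll, or through an
        # ExtendedRight ACE with an empty ObjectType (which means "all extended rights").
        $granted = if ($ReplicationRights.ContainsKey($guid)) { $ReplicationRights[$guid] }
                   elseif ($rights -match 'GenericAll') { 'GenericAll (implies all extended rights)' }
                   elseif ($rights -match 'ExtendedRight' -and $ace.ObjectType -eq [guid]::Empty) { 'All extended rights' }

        if ($granted) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $granted
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Principals that normally hold these rights; adjust for your forest (e.g. add the Entra Connect account).
$NetBios = (Get-ADDomain).NetBIOSName
$ExpectedHolders = @(
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
    'NT AUTHORITY\SYSTEM'
    'BUILTIN\Administrators'
    "$NetBios\Domain Controllers"
    "$NetBios\Enterprise Admins"
    "$NetBios\Enterprise Read-only Domain Controllers"
)

function Find-UnexpectedReplicationRights {
    Get-ReplicationRightHolders | Where-Object { $_.Identity -notin $ExpectedHolders }
}

Find-UnexpectedReplicationRights | Format-Table -AutoSize
```

Any unexpected holder is a lead, not proof of use. Actual use of the right shows up on the domain controller as Security event 4662 (Directory Service Access subcategory) whose Properties field contains one of the replication GUIDs above and whose subject is not a domain controller account; that event is what the data-collection step should then pull.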

Collecting and Analyzing Data

Hunters gather data from various sources within AD, such as security logs, system events, and network traffic logs. Tools such as PowerShell scripts automate the collection and initial analysis, helping to identify anomalies or patterns indicative of malicious activity.

To ensure the success of this step, make sure audit logging is properly configured on your domain controllers. Use the Default Domain Controllers Policy to configure event logging in Active Directory; the audit settings are located at Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. When you use the advanced subcategories, also enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", otherwise the legacy category settings may take precedence.

By default, each Windows Server event log has a size limit that may be too small for your needs, and the event you are looking for may already have been overwritten by the time you search for it. To avoid this, increase the log size, for example with the Limit-EventLog cmdlet (available in Windows PowerShell 5.1; it was not carried over to PowerShell 7, and the size must be a multiple of 64 KB). If a GPO also sets the maximum Security log size, the policy value is reapplied at the next refresh, so set the size in the Default Domain Controllers Policy rather than only locally:

					Limit-EventLog -LogName Security -MaximumSize 2GB -OverflowAction OverwriteOlder

Besides the Windows event logs, analyse antivirus and EDR logs, issues raised by users in the IT Service Management tool, newly created objects in AD, and so on.
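Before a hunt, verify that the audit policy and log size described above are actually in effect on the domain controller, not just configured in the GPO. The script below is an added example, not from the original article: it queries the effective audit policy with auditpol and the Security log configuration with Get-WinEvent and reports a pass/fail per check. It assumes it is run elevated on a domain controller; the subcategory list is a starting point that you should extend to match your own hypotheses.

```powershell
# Added example, not part of the original article: verify on a domain controller that the audit
# subcategories the hunt depends on are enabled and that the Security log is large enough.
# Assumption: run elevated on a DC; the subcategory list is illustrative and should match your hypotheses.

$RequiredSubcategories = @(
    'Directory Service Changes'            # 5136/5137/5141: object created/modified/deleted (GPO hypothesis)
    'Directory Service Access'             # 4662: object access, including replication rights (DCSync hypothesis)
    'Logon'                                # 4624/4625/4648
    'Kerberos Authentication Service'      # 4768/4771
    'Kerberos Service Ticket Operations'   # 4769
    'Security Group Management'            # 4728/4732/4756
    'User Account Management'              # 4720/4738
)

function Test-DcAuditConfiguration {
    param([int]$MinimumSecurityLogMB = 1024)

    $audit = foreach ($sub in $RequiredSubcategories) {
        # auditpol /r emits CSV with the header:
        # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $row = auditpol /get /subcategory:"$sub" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
        [pscustomobject]@{
            Check   = "Audit: $sub"
            Current = $row.'Inclusion Setting'
            Pass    = [bool]($row.'Inclusion Setting' -match 'Success')
        }
    }

    # Get-WinEvent -ListLog returns the effective log configuration, whatever set it (local or GPO).
    $log  = Get-WinEvent -ListLog Security
    $size = [pscustomobject]@{
        Check   = 'Security log maximum size'
        Current = "$([math]::Round($log.MaximumSizeInBytes / 1MB)) MB, mode $($log.LogMode)"
        Pass    = ($log.MaximumSizeInBytes -ge $MinimumSecurityLogMB * 1MB)
    }

    @($audit) + $size
}

Test-DcAuditConfiguration | Format-Table -AutoSize
```

Run it on every domain controller, not just one: audit policy is applied per machine, and a DC that missed a policy refresh is a blind spot for exactly the events you are hunting for.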


Identifying Anomalies

Identifying anomalies in the context of threat hunting in Active Directory involves spotting activities or behaviors that deviate from what is considered normal or expected within the environment. This step is important for uncovering potential security threats or malicious activities. To effectively identify anomalies, threat hunters analyze a wide range of data, including security logs, system logs, and event logs from Active Directory and other network systems. They look for unusual events such as atypical login attempts, unauthorized access to sensitive data, or unexpected changes in system configurations and permissions.

Monitoring user behavior is also a key aspect of this process. This includes tracking when and how users log in, what resources they access, and any unusual patterns of activity that could indicate compromised credentials or insider threats. Changes in system and network configurations are closely scrutinized to detect unauthorized modifications that could weaken security controls or facilitate unauthorized access.

Advanced detection tools and technologies, often employing behavioral analysis and machine learning, are used to automate and enhance the detection of anomalies. These tools help sift through the massive volumes of data generated in a typical network environment to highlight potentially suspicious activities.

Threat hunters also leverage threat intelligence feeds to compare observed activities against known patterns of malicious behavior, helping to quickly identify indicators of compromise. Furthermore, correlating information from various sources and systems can provide a more comprehensive view of potential security incidents, enabling a more accurate assessment of whether an identified anomaly represents a real threat. Documenting the anomalies is an essential part of the process, providing valuable information for further investigation and helping to refine future threat hunting efforts.

For example, the anomaly could be an increased logon time, which may indicate that a GPO applies a logon script that performs some action, such as installing malware.

To confirm this hypothesis, you need to look for specific events. In this example the hypothesis is the abuse of Group Policy Objects, so parse the Security log on the domain controllers for Event ID 5136 (A directory service object was modified) and 5137 (A directory service object was created) where the object class is groupPolicyContainer. These events are only written when the Directory Service Changes audit subcategory is enabled and the GPO container objects carry a SACL for write operations. Note also that edits to the script files themselves happen in SYSVOL, not in the directory, so they do not generate 5136; compare file timestamps in the GPO folder as well.
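The following is an added example, not code from the original article, showing how to turn those events into something you can filter and group. It parses the XML of a 5136/5137 event into a flat record, keeps only changes to Group Policy containers, and flags a write that registers the Scripts client-side extension on a GPO, which is what adding a logon or startup script looks like in the directory. The sample event is constructed for the demonstration; the live query at the end assumes a domain controller with the Directory Service Changes subcategory audited. The Scripts CSE GUID used for the flag is an assumption you should verify against gPCUserExtensionNames of a known script-bearing GPO in your own forest.

```powershell
# Added example, not from the article: turn Security events 5136/5137 into flat records and keep
# the ones that touch Group Policy containers. The sample event below is constructed; the live
# query assumes a DC with the Directory Service Changes subcategory audited.

# GUID of the Scripts client-side extension as it appears in gPC*ExtensionNames (assumption: verify in your forest).
$ScriptsCseGuid = '{42B5FAAE-6536-11D2-AE5A-0000F87571E3}'

function ConvertFrom-DsChangeEvent {
    param([Parameter(Mandatory)][xml]$EventXml)

    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # EventID may carry a Qualifiers attribute, in which case it is an element rather than plain text.
    $eventId = $EventXml.Event.System.EventID
    if ($eventId -is [System.Xml.XmlElement]) { $eventId = $eventId.'#text' }

    $operation = switch ($data['OperationType']) {
        '%%14674' { 'Value Added' }
        '%%14675' { 'Value Deleted' }
        default   { $data['OperationType'] }
    }

    [pscustomobject]@{
        EventId         = [int]$eventId
        Time            = $EventXml.Event.System.TimeCreated.SystemTime
        Subject         = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ObjectDN        = $data['ObjectDN']
        ObjectClass     = $data['ObjectClass']
        Attribute       = $data['AttributeLDAPDisplayName']
        Value           = $data['AttributeValue']
        Operation       = $operation
        # A write that adds the Scripts CSE to a GPO is what a logon/startup-script backdoor looks like in AD.
        ScriptsCseAdded = ($data['AttributeLDAPDisplayName'] -in 'gPCMachineExtensionNames', 'gPCUserExtensionNames') -and
                          ($data['AttributeValue'] -like "*$ScriptsCseGuid*")
    }
}

function Select-GpoChange {
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        if ($Record.ObjectClass -eq 'groupPolicyContainer' -or $Record.ObjectDN -like '*,CN=Policies,CN=System,*') { $Record }
    }
}

# Constructed sample: a service account registers the Scripts CSE on a GPO's user side.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>5136</EventID>
    <TimeCreated SystemTime="2024-05-01T10:15:00.000000000Z"/>
    <Channel>Security</Channel>
    <Computer>DC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">svc_backup</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="DSName">corp.example</Data>
    <Data Name="ObjectDN">CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=corp,DC=example</Data>
    <Data Name="ObjectGUID">{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}</Data>
    <Data Name="ObjectClass">groupPolicyContainer</Data>
    <Data Name="AttributeLDAPDisplayName">gPCUserExtensionNames</Data>
    <Data Name="AttributeValue">[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B6664F-4972-11D1-A7CA-0000F87571E3}]</Data>
    <Data Name="OperationType">%%14674</Data>
  </EventData>
</Event>
'@

ConvertFrom-DsChangeEvent -EventXml ([xml]$SampleEvent) | Select-GpoChange | Format-List

# Live hunt on a DC over the last 7 days, grouped by who changed which GPO (uncomment to run):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137; StartTime = (Get-Date).AddDays(-7) } |
#     ForEach-Object { ConvertFrom-DsChangeEvent -EventXml ([xml]$_.ToXml()) } | Select-GpoChange |
#     Group-Object Subject, ObjectDN | Sort-Object Count -Descending
```

A 5136 on versionNumber tells you a GPO was edited; the gPCMachineExtensionNames and gPCUserExtensionNames attributes tell you which client-side extensions the edit enabled, which is why the example flags them separately. Accounts that edit GPOs but are not in your change-management records are the ones to carry into the investigation step.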

Investigation and Confirmation

This step involves a detailed examination of the anomalies identified in the previous stages to determine whether they are indeed indicators of a security threat. Here the threat hunters delve deeper into the suspicious activities or patterns they have uncovered, using various tools and techniques to gather more information and context.

The investigation starts with analysing specific details of each anomaly, such as the time it occurred, the users involved, the systems affected, and the nature of the suspicious activity. This might include examining user account properties, login histories, and changes in permissions or access rights. The goal is to understand the sequence of events and how it deviates from normal behaviour.

Threat hunters review detailed log files, conduct forensic analysis on affected systems, and utilize specialized security tools that provide deeper insights into network and system activities.

As part of the investigation, the threat hunter must differentiate between false positives (benign activities that initially appear suspicious) and true security incidents. 

Once sufficient evidence is gathered, the threat hunter confirms whether the anomaly is indeed a security incident. If confirmed, the next steps involve detailing the nature of the threat, the potential impact on the organization, and the urgency of the response required. The findings are then documented comprehensively, including the investigative steps taken, evidence collected, and the rationale for the conclusions drawn.

In our example, the investigation is performed by exporting the list of GPOs and finding the one with the issue. To export all GPOs that contain scripts, use PowerShell:

					Import-Module GroupPolicy
					New-Item -ItemType Directory -Path C:\ThreatHunting -Force | Out-Null
					Get-GPO -All | Where-Object { (Get-GPOReport -Guid $_.Id -ReportType Html) -like "*>Scripts<*" } |
					    ForEach-Object { Get-GPOReport -Guid $_.Id -ReportType Html -Path "C:\ThreatHunting\$($_.DisplayName).html" }

This command exports all GPOs that contain scripts to the folder C:\ThreatHunting in HTML format (the match on ">Scripts<" is a heuristic on the section heading in the HTML report; GPO display names containing characters that are invalid in file names will need to be sanitized). Next, review all exported files and find the policy that enforces execution of the malicious script.

After finding the malicious GPO, identify the script file location and find out what it does. Also identify the scope of affected users and computers, i.e. the organizational units and domains the GPO is linked to.

Remediation and Strengthening

If a threat is confirmed, actions are taken to isolate and neutralize the threat. Afterward, the focus shifts to strengthening defences, which may include tightening access controls, updating policies, or patching vulnerabilities to prevent similar attacks in the future.

In our example, perform the following remediation actions:

  • Disable the GPO link in the Group Policy Management Console (right-click the link and clear Link Enabled)
  • Remove the script and roll back all the changes it made (e.g., if the script altered the Windows registry, restore the affected keys to their original values)
  • Remove the script from the network location used by the GPO
  • Document all the findings

For strengthening purposes, the following should be done:

  • Find out how the threat actor managed to create or edit the GPO (compromised privileged account, abuse of delegated permissions on the Group Policy container, etc.).
  • Perform preventive actions to avoid a recurrence of the incident.

After the investigation is complete, the GPO can be removed.
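The scoping and containment steps above (find where the GPO is linked, count who it reaches, disable the links, preserve the script as evidence before removing it) can be done from PowerShell in one pass. The script below is an added example, not the article's own code. It assumes the GroupPolicy and ActiveDirectory RSAT modules and the right to edit GPO links; the GPO name is illustrative, and only domain and OU links are handled (links to AD sites are not).

```powershell
# Added example, not part of the original article: map where a GPO is linked, count the users and
# computers under each link, disable every link, and collect the script files as evidence.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules; the GPO name is illustrative.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Convert a GPMC SOM path such as corp.example/Workstations/Finance into a distinguished name.
function ConvertTo-SomDN {
    param([Parameter(Mandatory)][string]$SomPath)
    $parts    = $SomPath -split '/'
    $domainDn = ($parts[0] -split '\.' | ForEach-Object { "DC=$_" }) -join ','
    if ($parts.Count -eq 1) { return $domainDn }
    $ous = @($parts[1..($parts.Count - 1)])
    [array]::Reverse($ous)                                  # deepest OU comes first in a DN
    (($ous | ForEach-Object { "OU=$_" }) -join ',') + ',' + $domainDn
}

function Get-GpoScope {
    param([Parameter(Mandatory)][string]$GpoName)
    $gpo = Get-GPO -Name $GpoName
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    foreach ($link in $report.GPO.LinksTo) {
        $dn = ConvertTo-SomDN -SomPath $link.SOMPath
        [pscustomobject]@{
            Gpo         = $gpo.DisplayName
            Target      = $dn
            LinkEnabled = [bool]::Parse($link.Enabled)
            Enforced    = [bool]::Parse($link.NoOverride)
            Computers   = @(Get-ADComputer -Filter * -SearchBase $dn -SearchScope Subtree).Count
            Users       = @(Get-ADUser -Filter * -SearchBase $dn -SearchScope Subtree).Count
        }
    }
}

function Disable-GpoLinks {
    param([Parameter(Mandatory)][string]$GpoName, [switch]$Apply)
    $gpo = Get-GPO -Name $GpoName
    foreach ($scope in Get-GpoScope -GpoName $GpoName) {
        $summary = "link of '$GpoName' at $($scope.Target) ($($scope.Computers) computers, $($scope.Users) users in scope)"
        if ($Apply) {
            Set-GPLink -Guid $gpo.Id -Target $scope.Target -LinkEnabled No | Out-Null
            "Disabled $summary"
        } else {
            "Would disable $summary"
        }
    }
}

# Script payloads referenced by a GPO live under its SYSVOL folder; hash them before anything is deleted.
# scripts.ini / psscripts.ini may point (CmdLine=) to UNC paths outside SYSVOL: that is the
# "network location" to clean up as well.
function Get-GpoScriptEvidence {
    param([Parameter(Mandatory)][string]$GpoName)
    $gpo    = Get-GPO -Name $GpoName
    $sysvol = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}"
    Get-ChildItem -Path "$sysvol\Machine\Scripts", "$sysvol\User\Scripts" -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                IniReferences = if ($_.Name -in 'scripts.ini', 'psscripts.ini') {
                                    Select-String -Path $_.FullName -Pattern 'CmdLine=' | ForEach-Object Line
                                }
            }
        }
}

Get-GpoScope -GpoName 'Workstation Logon Script' | Format-Table -AutoSize
Get-GpoScriptEvidence -GpoName 'Workstation Logon Script'
Disable-GpoLinks -GpoName 'Workstation Logon Script'          # dry run: prints what would change
# Disable-GpoLinks -GpoName 'Workstation Logon Script' -Apply  # actually disables the links
```

Disabling the link stops new applications of the policy but does not undo what the script already did on machines that processed it; the user and computer counts from Get-GpoScope are the list of hosts whose rollback you still have to verify.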

I hope The Role of Threat Hunting in Active Directory Security Operations is useful in your knowledge gathering. Let’s conclude.

The Role of Threat Hunting in Active Directory Security Operations Conclusion

In conclusion, through proactive engagement, threat hunting allows organizations to detect, isolate, and mitigate advanced threats that might otherwise evade traditional security mechanisms. The process extends beyond mere detection, encompassing a deep analysis of the network’s operational behaviors to pinpoint deviations indicative of potential compromises. By integrating threat hunting into AD incident response strategies, organizations enhance their defensive posture, mitigate risks more effectively, and ensure the resilience of their critical identity and access management infrastructures against sophisticated cyber threats. This strategic approach not only safeguards Active Directory itself, but also fortifies the organization’s overall security framework, protecting the whole IT infrastructure.



Marat M

System administrator with 14 years of practical experience. Specializes in Microsoft products such as Exchange Server, Active Directory, Microsoft 365 and Azure.
