Configuring the Active Directory Threat Detection Module
The Active Directory (AD) threat detection module provides visibility into credential misuse, entitlement exposures, and privilege escalation activity in an AD environment. The module lets you monitor the AD domain and privileged accounts for malicious activity and detect the following types of attack through the endpoint agent:
- DCSync: An attack that allows an adversary to simulate the behavior of a domain controller and retrieve password hashes from another domain controller in the AD environment.
- DCShadow: A kill chain attack in which an adversary registers a fake AD domain controller and uses that to inject malicious AD objects (e.g., credentials) into other domain controllers that are part of the same AD infrastructure.
- Zerologon (CVE-2020-1472): A privilege escalation vulnerability that allows an attacker to exploit a vulnerable domain controller, change the computer account password, and perform further attacks.
- Session Enumeration: A reconnaissance method that an adversary uses to work toward domain dominance after compromising a system in an AD environment.
- Kerberoast: A pervasive attack technique targeting AD service account credentials.
- LDAP Reconnaissance: A reconnaissance technique that attackers use to discover users, groups, and computers in an AD. The attackers use LDAP queries to find targets and plan the next stage of the attack.
To configure the AD threat detection module for a policy:
1. Go to ITDR > Manage > Threat Detection.
2. In the threat detection table, locate the threat detection policy you want to use to detect AD attacks, and click the Edit icon.
3. In the threat detection window, click Active Directory, and enable or disable the following options as necessary:
   - Enable DCSync to detect DCSync attacks.
   - Enable DCShadow to detect DCShadow attacks.
   - Enable Zerologon to detect Zerologon attacks.
   - Enable Session Enumeration to detect Session Enumeration attacks.
   - Enable Monitor Privileged Accounts to monitor privileged accounts.
   - Enable Monitor Decoy Accounts to monitor AD decoy user accounts.
   - Enable Kerberoast Detection (Anomaly) to detect Kerberoast attacks on non-decoy service accounts.
   - Enable Kerberoast Detection (Decoy) to detect Kerberoast attacks on decoy service accounts.
   - Enable Suspicious LDAP Activity to detect LDAP reconnaissance activity.
4. Click Save.
Before you configure the AD threat detection module, make sure that you have scanned an AD domain and have at least one scan report.
For some AD threat detection options, such as Monitor Privileged Accounts, when a new AD object is identified in a scan it takes about 60 minutes before the endpoint agents begin monitoring that account for activity.