A common tactic attackers use is to enumerate information from Active Directory. One way of detecting tools such as BloodHound is to insert honey users (decoy accounts that nobody legitimately queries) into Active Directory, and to generate a SIEM alert if these accounts are queried. An audit ACL (SACL) on the decoy account can be configured to detect attackers enumerating it.
Configure Group Policy Audit Settings
- Use the Group Policy Management Editor to ensure object access is audited: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
- Set “Audit Object Access” to Success
- Run “auditpol /get /category:*” on the domain controller to confirm the audit policy has applied.
Set User Audit Policy
- Open Active Directory Users and Computers (ADUC) and click “View” > “Advanced Features” to enable the Security tab
- Using ADUC, create an organisational unit for the monitored (honey) users.
- Right click a user > “Properties” > “Security” > “Advanced” > “Auditing”. Click “Add” and set the principal (Object Name) to “Everyone”.
- Tick the Successful checkbox for “List Contents”.
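The same audit entry can be applied from PowerShell instead of the ADUC GUI. The following is an added example, not code from the original post. It assumes the RSAT ActiveDirectory module is installed, that it is run with rights to modify the SACL (the Manage auditing privilege), and that “HoneyUser” is a placeholder for your own decoy account. “ListChildren” is the programmatic name of the “List Contents” right shown in the ADUC dialog.

```powershell
# Added example (not from the original post): apply a "List Contents / Success"
# audit entry for Everyone to a honey user via the AD: PSDrive.
# Assumptions: RSAT ActiveDirectory module present; "HoneyUser" is a placeholder.
Import-Module ActiveDirectory

$honeyUser  = Get-ADUser -Identity "HoneyUser"          # placeholder decoy account
$objectPath = "AD:\" + $honeyUser.DistinguishedName     # AD: drive exposes the object's ACL

# "Everyone" as its well-known SID, so the rule is independent of display language
$everyone = [System.Security.Principal.SecurityIdentifier]::new("S-1-1-0")

# ListChildren == the "List Contents" right in ADUC; audit successful use only
$auditRule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::ListChildren,
    [System.Security.AccessControl.AuditFlags]::Success
)

# -Audit is required so the SACL is read and written back along with the DACL
$acl = Get-Acl -Path $objectPath -Audit
$acl.AddAuditRule($auditRule)
Set-Acl -Path $objectPath -AclObject $acl

# Read the SACL back to confirm the entry landed
(Get-Acl -Path $objectPath -Audit).Audit |
    Where-Object { $_.IdentityReference -eq "Everyone" } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags -AutoSize
```

Scripting the entry makes it easy to apply the identical SACL to every account in the honey-user OU, and the final Get-Acl -Audit read-back is the check that the change actually took effect before you rely on it.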
Test Event Generation
Run AdFind from a domain-joined host to perform an LDAP lookup of users in the domain:
AdFind.exe -b dc=bordergate,dc=local -f "objectcategory=user" cn objectGUID
Check the Event Viewer on the DC. A 4662 audit event (“An operation was performed on an object”) should have been generated, showing the source user that performed the enumeration.
This event can then be forwarded to a SIEM system to generate an alert.
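Because 4662 is a high-volume event, the alert logic should key on the honey user’s object GUID rather than on the event ID alone. The following is an added example, not code from the original post, of pulling recent 4662 events from the DC’s Security log and keeping only those that reference the decoy object, which is the same filter a SIEM rule would apply. It assumes it is run on the domain controller with the ActiveDirectory module available, and that “HoneyUser” is a placeholder decoy account name.

```powershell
# Added example (not from the original post): find 4662 events that touched the
# honey user's object and summarise who generated them.
# Assumptions: run on the DC; ActiveDirectory module present; "HoneyUser" is a placeholder.
Import-Module ActiveDirectory

$honeyGuid = (Get-ADUser -Identity "HoneyUser").ObjectGUID.Guid

# 4662 is the event the SACL produces; look back 24 hours
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$hits = foreach ($event in $events) {
    # Flatten the EventData fields into a name -> value table
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

    # 4662 references the AD object by GUID in ObjectName, e.g. %{<guid>}
    if ($data['ObjectName'] -like "*$honeyGuid*") {
        [pscustomobject]@{
            Time       = $event.TimeCreated
            User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            LogonId    = $data['SubjectLogonId']
            AccessMask = $data['AccessMask']
            Object     = $data['ObjectName']
        }
    }
}

$hits | Sort-Object Time | Format-Table -AutoSize
```

Each row gives the account, logon session and access mask behind a query against the decoy, which is the context an analyst needs to pivot to the source host in 4624 logon events; in production the same GUID match belongs in the SIEM correlation rule so that only honey-user hits, not every 4662, raise an alert.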