
How to Tell If Someone Hacked Your Active Directory


By Carolyn Crandall, Chief Security Advocate, Attivo Networks

How much thought does the average person devote to the plumbing that delivers water to their home? How often do they consider the mechanics of the engine that powers their car, the modem that allows them to access the internet or even the coffee maker that delivers their morning jolt of caffeine? Today’s world prioritizes convenience, with technology that users expect to “just work” without much thought or effort on their part.

Unfortunately, while most people can get by just fine without knowing the ins and outs of the internal combustion engine, some technologies require a greater level of understanding. In the cybersecurity world, one such technology is Active Directory (AD). Although AD manages identities and authentication across the enterprise, too many business leaders treat it as part of the plumbing. But cybercriminals are beginning to exploit AD’s relative vulnerability in record numbers. Expecting it to “just work” is no longer enough—modern enterprises need stronger protections in place, and they must learn to recognize the signs that their AD may be compromised.

Credential-Based Attacks Are Rising

The most recent Verizon Data Breach Investigations Report (DBIR) noted that 61% of breaches now involve credential data. The primary reason is that gaining possession of credentials makes a cybercriminal’s job much easier and is required to gain the privileges they need to advance their attacks.

And all too often, targeting Active Directory is their first move. AD needs to touch nearly every part of the network to function, which makes it difficult to secure. An attacker who manages to compromise AD effectively has the keys to the castle and will immediately look to escalate their privileges to gain access to new areas of the network, install backdoors, erase their tracks, and seek out more valuable data. It is also how attackers gain the control needed to mass-distribute malware and ransomware. Stopping attackers from compromising AD needs to be a top priority for today’s defenders.

There Are Warning Signs—But They’re Hard to Spot

Unfortunately, the signs of Active Directory compromise are subtle, many of them nearly impossible to notice if defenders are not actively looking for them. Defending AD requires a more holistic approach to security—some indicators might signify an attack on AD is in progress, but there is rarely a smoking gun. Think of it as diagnosing a medical problem. There are countless symptoms to look for, but it isn’t always easy to tie them together into a diagnosis. Some are dismissed as unimportant or attributed to other factors.

What symptoms should defenders be on the lookout for to identify an Active Directory compromise? Among the more obvious potential signs are events that affect numerous accounts, such as mass password changes indicating that many credentials have been altered. A spate of account lockouts can also indicate an attack on AD, such as a password spray attack. Other signs, like unexpected changes to security settings, are more reliable indicators of an AD attack, but they are also more difficult to notice. There are other, even more subtle things to look for, such as an account suddenly appearing in a group without a good reason or a new service account showing up without apparent authorization or purpose. And while a hidden security identifier (SID) added to an account would be a strong indicator of an AD compromise, it would also be nearly impossible to detect.

Addressing the Problem

What, then, can defenders do to identify the signs of a compromise before it is too late? The first step is to monitor privileged groups for new users. Audit trails will show when a user identity was created or added to a group. In addition to account creations and group membership changes, defenders should also monitor for password changes on privileged accounts, control changes to critical objects, use of SIDs from disabled accounts, and Access Control List (ACL) changes. These are all extremely subtle and likely to go unnoticed unless defenders are actively looking for them.

Instead of having a human being review lengthy logs and reports, defenders can set up SIEM rules to look for specific entries in an audit log and raise an alert when they find suspicious activity. Alternatively, they can look to more modern assessment and attack detection tools. Today, tools are available that can automatically increase visibility into potential exposures and monitor for known warning signs, streamlining the process by reducing the number of things a SIEM must monitor while also reducing false positives. As modern networks become increasingly sprawling and the number of human and machine identities skyrockets, automation is fast becoming the only practical and reliable way to protect AD.
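As an added example (not code from the article or from any Attivo product), here is a minimal Python detector that applies the two preceding paragraphs' rules to constructed audit events: additions to privileged groups, password resets on privileged accounts, and a lockout burst that suggests password spraying. The Windows Security event IDs, the group list, the account names and the threshold are assumptions for the example, not values from the article.

```python
from datetime import datetime, timedelta

# Windows Security event IDs used below (assumed for this example; the article
# names no IDs): 4728/4732/4756 = member added to a security-enabled group,
# 4724 = password reset attempted on an account, 4740 = account locked out.
GROUP_ADD_IDS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
PRIVILEGED_ACCOUNTS = {"admin.svc", "jdoe-da"}  # constructed list of tier-0 accounts


def detect(events, lockout_threshold=5, window=timedelta(minutes=10)):
    """Scan parsed audit events (oldest first) and return alert strings for:
    additions to privileged groups, password resets on privileged accounts,
    and lockout bursts (many distinct accounts locked in a short window)."""
    alerts, lockouts = [], []  # lockouts: (time, account) seen so far
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, when = ev["id"], ev["time"].strftime("%H:%M")
        if eid in GROUP_ADD_IDS and ev["group"] in PRIVILEGED_GROUPS:
            alerts.append(f"{when} {ev['actor']} added {ev['member']} to {ev['group']}")
        elif eid == 4724 and ev["target"] in PRIVILEGED_ACCOUNTS:
            alerts.append(f"{when} {ev['actor']} reset password of privileged account {ev['target']}")
        elif eid == 4740:
            lockouts.append((ev["time"], ev["target"]))
            # count distinct accounts locked out inside the sliding window
            recent = {acct for t, acct in lockouts if ev["time"] - t <= window}
            if len(recent) >= lockout_threshold:
                alerts.append(f"{when} possible password spray: {len(recent)} accounts locked out")
                lockouts.clear()  # one alert per burst
    return alerts


def _ev(minute, eid, **fields):
    """Build a constructed event record; real records would come from a SIEM or EVTX parser."""
    return {"time": datetime(2021, 6, 1, 9, minute), "id": eid, **fields}


# Constructed sample log: ordinary noise plus three things a defender should see.
SAMPLE_EVENTS = [
    _ev(0, 4720, actor="helpdesk1", target="tmp-user"),                        # account created: logged, not alerted
    _ev(1, 4728, actor="jdoe-da", member="svc-backup", group="Marketing"),      # non-privileged group: ignored
    _ev(2, 4728, actor="helpdesk1", member="tmp-user", group="Domain Admins"),  # privileged group change
    _ev(3, 4724, actor="helpdesk1", target="admin.svc"),                        # privileged password reset
    _ev(4, 4724, actor="helpdesk1", target="bob"),                              # ordinary reset: ignored
] + [_ev(5 + i, 4740, target=f"user{i}") for i in range(5)]                    # five lockouts in five minutes

if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

In a real deployment the same three rules would be expressed as SIEM correlation searches over the domain controllers' Security logs, with the privileged group and account lists maintained from the directory rather than hard-coded.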

Recognizing—and Overcoming—Today’s Challenges

Active Directory compromises are challenging to detect, but automated information gathering and reporting now make early detection and prompt remediation possible. With a thorough understanding of what to look for and modern identity visibility tools at their disposal, today’s defenders are better prepared than ever to rebuff and repel attacks on Active Directory. With attackers continuing to zero in on AD as a high-value target, the ability to detect and derail them will only grow more critical.

Read the original article on HackerNoon.
