Identity & Access Management (IAM) Cheat Sheet¶
How to use this sheet
Quick-reference for AD attack paths, detection queries, identity defenses, and cloud IAM hardening. Use Ctrl+F to jump to a topic. KQL targets Microsoft Sentinel; SPL targets Splunk Enterprise Security. All examples are synthetic — IPs use RFC 5737/1918 ranges.
1. Active Directory Attack Paths¶
1.1 Kerberoasting (T1558.003)¶
Risk: High
Attackers enumerate Service Principal Names (SPNs) in Active Directory, request TGS tickets for those services, then crack the tickets offline to recover service account passwords. No special privileges required — any domain user can request TGS tickets.
Attack Flow
Domain User → LDAP Query (SPN Enumeration) → TGS-REQ (RC4 cipher) → Extract Ticket → Offline Crack (hashcat/john)
Tool Concepts
| Stage | Technique | Relevant Tool Category |
|---|---|---|
| Enumeration | LDAP query for servicePrincipalName attribute | AD query utilities, PowerShell AD module |
| Ticket Request | TGS-REQ with RC4 (0x17) encryption | Kerberos clients, Impacket-style tooling |
| Extraction | Export ticket from memory or wire capture | Credential extraction frameworks |
| Cracking | Hashcat mode 13100, John kerberoast format | Offline password crackers |
Detection
// Kerberoasting — Multiple TGS requests with RC4 encryption in short window
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17" // RC4
| where ServiceName !endswith "$" // Exclude machine accounts
| summarize DistinctSPNs = dcount(ServiceName),
SPNList = make_set(ServiceName, 10),
RequestCount = count()
by TargetUserName, IpAddress, bin(TimeGenerated, 5m)
| where DistinctSPNs >= 3
| project TimeGenerated, TargetUserName, IpAddress, DistinctSPNs, SPNList, RequestCount
| sort by DistinctSPNs desc
Defenses
| Control | Implementation |
|---|---|
| Use AES-only SPNs | Set msDS-SupportedEncryptionTypes to 0x18 (AES128+AES256) on service accounts |
| Long random passwords | 30+ character random passwords on all SPN-bearing accounts |
| Group Managed Service Accounts | Replace standalone service accounts with gMSAs (auto-rotated 120-char passwords) |
| Monitor RC4 TGS requests | Alert on EventID 4769 where encryption type = 0x17 for non-machine accounts |
| Honeypot SPNs | Create decoy SPN accounts with alerts on any TGS request |
1.2 AS-REP Roasting (T1558.004)¶
Risk: High
Targets accounts with Kerberos pre-authentication disabled (DONT_REQUIRE_PREAUTH flag). Attacker requests an AS-REP for these accounts without authenticating, then cracks the encrypted portion offline.
Attack Flow
LDAP Enumeration (UF_DONT_REQUIRE_PREAUTH) → AS-REQ (no preauth) → AS-REP with enc-part → Offline Crack
Detection
// AS-REP Roasting — Kerberos authentication with RC4 and pre-auth not required
SecurityEvent
| where EventID == 4768
| where TicketEncryptionType == "0x17"
| where PreAuthType == "0" // No pre-authentication
| summarize TargetAccounts = dcount(TargetUserName),
AccountList = make_set(TargetUserName, 10),
RequestCount = count()
by IpAddress, bin(TimeGenerated, 10m)
| where TargetAccounts >= 2
| sort by TargetAccounts desc
Defenses
| Control | Implementation |
|---|---|
| Enable pre-authentication | Audit & remove DONT_REQUIRE_PREAUTH on all accounts |
| LDAP filter monitoring | Alert on LDAP queries for userAccountControl:1.2.840.113556.1.4.803:=4194304 |
| Strong passwords | Enforce 20+ character passwords on any account that must have preauth disabled |
| Regular audits | Script: Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} |
1.3 Pass-the-Hash / Pass-the-Ticket (T1550.002 / T1550.003)¶
Risk: Critical
Pass-the-Hash (PtH): Attacker captures an NTLM hash and uses it to authenticate without knowing the plaintext password. Pass-the-Ticket (PtT): Attacker exports a Kerberos TGT/TGS from memory and injects it into another session to impersonate the ticket owner.
Attack Flow
PtH: Credential Dump (LSASS) → NTLM Hash → Authenticate via SMB/WMI/PSRemoting
PtT: Credential Dump (LSASS) → Export TGT/TGS → Inject Ticket → Access Target Service
Detection
// Pass-the-Hash — Network logon (Type 3) using NTLM where account is not machine
SecurityEvent
| where EventID == 4624
| where LogonType == 3
| where AuthenticationPackageName == "NTLM"
| where LmPackageName == "NTLM V1" // NTLMv1 is especially suspicious
| where TargetUserName !endswith "$"
| project TimeGenerated, TargetUserName, WorkstationName,
IpAddress, LmPackageName, LogonProcessName
| sort by TimeGenerated desc
// Pass-the-Ticket — Logon with explicit credentials (4648) followed by 4624 Type 3
SecurityEvent
| where EventID in (4648, 4624)
| where LogonType == 3 or EventID == 4648
| summarize EventTypes = make_set(EventID),
count() by TargetUserName, IpAddress, bin(TimeGenerated, 2m)
| where set_has_element(EventTypes, 4648) and set_has_element(EventTypes, 4624)
index=wineventlog EventCode=4624 Logon_Type=3
Authentication_Package=NTLM LmPackageName="NTLM V1"
Account_Name!="*$"
| table _time, Account_Name, Workstation_Name,
Source_Network_Address, LmPackageName
| sort - _time
| Explicit credentials followed by Type 3 logon
index=wineventlog (EventCode=4648 OR (EventCode=4624 Logon_Type=3))
| bin _time span=2m
| stats values(EventCode) as event_types, count
by Account_Name, Source_Network_Address, _time
| where mvfind(event_types,"4648") >= 0 AND mvfind(event_types,"4624") >= 0
Defenses
| Control | Implementation |
|---|---|
| Credential Guard | Enable Windows Credential Guard on all endpoints (UEFI lock) |
| Disable NTLMv1 | Group Policy: Network security: LAN Manager authentication level → Send NTLMv2 only |
| Protected Users group | Add privileged accounts to the Protected Users security group |
| Restrict NTLM | Network security: Restrict NTLM: NTLM authentication in this domain → Deny all |
| RDP Restricted Admin | Prevent credential caching on remote hosts |
1.4 DCSync (T1003.006)¶
Risk: Critical
Attacker with Replicating Directory Changes / Replicating Directory Changes All rights impersonates a domain controller and requests password data via the MS-DRSR protocol. Dumps all domain hashes without touching NTDS.dit on disk.
Attack Flow
Compromised Account (with replication rights) → DRS GetNCChanges → Domain Controller responds with credential data
Detection
// DCSync — Directory replication from non-DC source
SecurityEvent
| where EventID == 4662
| where OperationType == "Object Access"
| where Properties has_any (
"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", // DS-Replication-Get-Changes
"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", // DS-Replication-Get-Changes-All
"89e95b76-444d-4c62-991a-0facbeda640c" // DS-Replication-Get-Changes-In-Filtered-Set
)
| where SubjectUserName !endswith "$" // Exclude machine accounts (DCs)
| project TimeGenerated, SubjectUserName, SubjectDomainName,
ObjectName, Properties, IpAddress
Defenses
| Control | Implementation |
|---|---|
| Audit replication rights | Regularly enumerate who holds DS-Replication-Get-Changes-All |
| Minimize replication ACLs | Only domain controllers should have replication rights |
| Monitor 4662 events | Alert on any non-DC requesting replication GUIDs |
| Network segmentation | Restrict RPC traffic (TCP 135 + dynamic ports) to DC-to-DC only |
| AdminSDHolder auditing | Monitor changes to AdminSDHolder container for ACL backdoors |
1.5 Golden Ticket / Silver Ticket (T1558.001 / T1558.002)¶
Risk: Critical
Golden Ticket: Attacker compromises the krbtgt account hash and forges TGTs with arbitrary group memberships and lifetimes (up to 10 years). Silver Ticket: Attacker compromises a service account hash and forges TGS tickets for that specific service, bypassing the KDC entirely.
Attack Flow
Golden: krbtgt hash → Forge TGT (any user, any group, any lifetime) → Use TGT for any service
Silver: Service acct hash → Forge TGS (specific service) → Access without KDC interaction
Detection
// Golden Ticket — TGT with abnormal lifetime or issued outside KDC
SecurityEvent
| where EventID == 4769
| extend TicketLifetime = datetime_diff('hour', TicketExpiry, TimeGenerated)
| where TicketLifetime > 10 // Default max is 10 hours
| project TimeGenerated, TargetUserName, ServiceName, IpAddress,
TicketLifetime, TicketEncryptionType
// Golden Ticket — Account domain mismatch or SID history anomaly
SecurityEvent
| where EventID == 4624
| where LogonType == 3
| where TargetDomainName != "YOURDOM" // Unexpected domain in ticket
| where TargetUserSid startswith "S-1-5-21-"
| project TimeGenerated, TargetUserName, TargetDomainName,
TargetUserSid, IpAddress
index=wineventlog EventCode=4769
| eval ticket_life_hours = (Ticket_Expiry_Time - _time) / 3600
| where ticket_life_hours > 10
| table _time, Account_Name, Service_Name, Client_Address,
ticket_life_hours, Ticket_Encryption_Type
| Silver Ticket — Service ticket issued without corresponding TGT request
index=wineventlog EventCode=4769
| join type=left Account_Name Client_Address
[search index=wineventlog EventCode=4768
| rename Account_Name as Account_Name, Client_Address as Client_Address]
| where isnull(EventCode)
| table _time, Account_Name, Service_Name, Client_Address
Defenses
| Control | Implementation |
|---|---|
| Rotate krbtgt password | Reset krbtgt twice (allowing replication between resets) every 180 days |
| Monitor TGT lifetimes | Alert on tickets exceeding MaxTicketAge (default 10 hours) |
| Enable PAC validation | Ensure KDC validates PAC signatures on TGS requests |
| Detect SID history abuse | Alert on accounts with SID history containing admin SIDs |
| Privileged credential isolation | Tier 0 credentials never exposed outside Tier 0 hosts |
1.6 ACL Attacks (T1222.001)¶
Risk: High
Attackers abuse misconfigured ACLs on AD objects to escalate privileges. Common dangerous rights include WriteDACL, GenericAll, GenericWrite, WriteOwner, ForceChangePassword, and AddMember.
Dangerous ACL Rights
| ACL Right | Abuse Scenario | Impact |
|---|---|---|
| GenericAll | Full control over target object — reset password, modify group membership, write SPN | Direct privilege escalation |
| WriteDACL | Modify permissions on object — grant self GenericAll | Indirect privilege escalation |
| WriteOwner | Take ownership → then modify DACL → then grant self any right | Two-hop escalation |
| ForceChangePassword | Reset target user's password without knowing current password | Account takeover |
| AddMember | Add attacker-controlled account to a privileged group | Group-based escalation |
| GenericWrite | Write arbitrary attributes — set SPN (Kerberoast), modify logon script | Credential theft, code execution |
Detection
// ACL Modification — DACL changes on sensitive AD objects
SecurityEvent
| where EventID == 5136
| where AttributeLDAPDisplayName == "nTSecurityDescriptor"
| where ObjectClass in ("user", "group", "computer", "domainDNS")
| project TimeGenerated, SubjectUserName, ObjectDN,
AttributeLDAPDisplayName, AttributeValue,
OperationType
| sort by TimeGenerated desc
// ACL Abuse — Privileged group membership changes
SecurityEvent
| where EventID in (4728, 4732, 4756) // Member added to global/local/universal group
| where TargetUserName in ("Domain Admins", "Enterprise Admins",
"Schema Admins", "Administrators",
"Account Operators", "Backup Operators")
| project TimeGenerated, SubjectUserName, MemberName,
TargetUserName, EventID
Defenses
| Control | Implementation |
|---|---|
| AdminSDHolder monitoring | Alert on modifications to AdminSDHolder ACL |
| Privileged group protection | Enable Protected Users group, audit group membership changes |
| Least-privilege delegation | Replace GenericAll with specific delegated permissions |
| Regular ACL audits | Enumerate non-default ACEs on Tier 0 objects quarterly |
| SACL on sensitive objects | Enable auditing on DA, EA, and Schema Admins groups |
1.7 BloodHound Attack Paths (Shortest Path to DA)¶
Synthetic 3-Hop Path to Domain Admin
This is a realistic but entirely synthetic example demonstrating how graph-based path analysis uncovers chained attack sequences invisible to single-event detections.
Attack Path: help-desk-user → FILE-SERVER-01 → SVC-BACKUP → Domain Admins
┌──────────────────┐ AdminTo ┌──────────────────┐
│ help-desk-user │───────────────▶│ FILE-SERVER-01 │
│ (Domain User) │ Has local │ (Member Server) │
│ 10.0.1.50 │ admin via GPO │ 10.0.1.120 │
└──────────────────┘ └────────┬─────────┘
│
HasSession (SVC-BACKUP
logged in via service)
│
▼
┌──────────────────┐
│ SVC-BACKUP │
│ (Service Acct) │
│ SPN: backup/fs │
└────────┬─────────┘
│
GenericAll on
"Domain Admins" group
│
▼
┌──────────────────┐
│ Domain Admins │
│ (Tier 0 Group) │
└──────────────────┘
Path Exploitation Steps
| Hop | Source | Relationship | Target | Technique |
|---|---|---|---|---|
| 1 | help-desk-user | AdminTo | FILE-SERVER-01 | Local admin rights via misconfigured GPO |
| 2 | FILE-SERVER-01 | HasSession | SVC-BACKUP | Extract credentials from LSASS (service running on host) |
| 3 | SVC-BACKUP | GenericAll | Domain Admins | Add controlled account to Domain Admins group |
Detection for Each Hop
// Hop 1 — Local admin logon to server from help-desk tier
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where TargetUserName in ("help-desk-user")
| where Computer == "FILE-SERVER-01.yourdom.local"
// Hop 2 — LSASS access on FILE-SERVER-01
DeviceEvents
| where ActionType == "LsassProcessAccess"
| where DeviceName == "FILE-SERVER-01"
// Hop 3 — Member added to Domain Admins
SecurityEvent
| where EventID == 4728
| where TargetUserName == "Domain Admins"
| Hop 1: Lateral movement to file server
index=wineventlog EventCode=4624 Logon_Type=3
Account_Name="help-desk-user"
ComputerName="FILE-SERVER-01"
| Hop 2: LSASS access (requires Sysmon EID 10)
index=sysmon EventCode=10
TargetImage="*\\lsass.exe"
ComputerName="FILE-SERVER-01"
| Hop 3: Domain Admins membership change
index=wineventlog EventCode=4728
Group_Name="Domain Admins"
Remediations
| Hop | Fix |
|---|---|
| 1 | Remove help-desk from local admins on FILE-SERVER-01; enforce tiering model |
| 2 | Deploy Credential Guard; convert SVC-BACKUP to gMSA (no extractable password) |
| 3 | Remove GenericAll ACE from SVC-BACKUP on Domain Admins; apply least privilege |
2. Identity Defenses¶
2.1 Privileged Access Management (PAM)¶
Core Principle
No standing privileges. All privileged access is just-in-time (JIT), just-enough-administration (JEA), and fully audited.
PAM Controls Matrix
| Control | Description | Implementation | Audit Frequency |
|---|---|---|---|
| Just-in-Time Access | Privileges granted only when needed, auto-expire after window | Azure PIM, CyberArk, time-boxed group memberships | Real-time alerting |
| Privileged Access Workstations | Hardened endpoints exclusively for admin tasks | Dedicated PAWs with no internet, app allowlisting, device compliance | Monthly attestation |
| Credential Vaulting | Privileged passwords stored in vault, rotated automatically | Secrets manager, check-out/check-in workflow, session recording | After each use |
| Session Recording | All privileged sessions recorded for forensic review | PSM proxies, SSH session logging, RDP gateway recording | Quarterly review |
| Break-Glass Accounts | Emergency access with enhanced auditing | Sealed credentials, dual-custody, immediate alert on use | Every use triggers incident |
2.2 Administrative Tiering Model¶
Microsoft ESAE / Tiered Administration
The tiering model prevents credential exposure across security boundaries. A Tier 0 admin never logs into a Tier 1 or Tier 2 device, and vice versa.
| Tier | Assets | Admin Scope | Credential Exposure Risk | Logon Restriction |
|---|---|---|---|---|
| Tier 0 | Domain Controllers, AD FS, PKI, Azure AD Connect, PAM | Forest/domain identity | Compromise = full domain | Only log on to Tier 0 PAWs and DCs |
| Tier 1 | Member servers, applications, databases, hypervisors | Server workloads | Compromise = server estate | Only log on to Tier 1 servers and PAWs |
| Tier 2 | Workstations, laptops, printers, user devices | End-user support | Compromise = user endpoints | Only log on to Tier 2 devices and PAWs |
Admin Forest Isolation
| Component | Production Forest | Admin Forest |
|---|---|---|
| Purpose | Business applications, user accounts | Privileged accounts, PAM |
| Trust Direction | One-way outgoing trust to Admin Forest | One-way incoming trust from Production |
| Credential Exposure | No admin credentials stored here | All Tier 0 credentials isolated here |
| Internet Access | Yes (user workstations) | No — fully air-gapped management |
| Authentication | Standard Kerberos | Selective authentication, short-lived tickets |
2.3 Zero Trust IAM¶
Never Trust, Always Verify
Every access request is evaluated based on identity, device health, location, resource sensitivity, and real-time risk — regardless of network position.
Zero Trust IAM Components
| Pillar | Control | Implementation |
|---|---|---|
| Identity Verification | MFA everywhere, passwordless preferred | FIDO2 keys, Windows Hello for Business, certificate-based auth |
| Device Trust | Only compliant devices access resources | MDM enrollment, health attestation, TPM-bound certificates |
| Risk-Based Auth | Dynamic step-up authentication | User risk score, sign-in risk score, impossible travel detection |
| Micro-Segmentation | Granular network/application access | Per-app VPN, application proxies, identity-aware proxies |
| Continuous Evaluation | Re-evaluate during session, not just at login | Continuous Access Evaluation (CAE), token revocation in near-real-time |
| Least Privilege | Minimize standing permissions | PIM/PAM, access reviews, entitlement management |
2.4 Service Account Hygiene¶
Service accounts are the #1 target for Kerberoasting and lateral movement
| Account Type | Credential Management | Rotation | Kerberoast Risk | Recommendation |
|---|---|---|---|---|
| Standalone Service Account | Manual password, often shared | Rarely (sometimes never) | HIGH — SPN + weak password | Migrate to gMSA |
| Group Managed Service Account (gMSA) | AD auto-generates 120-char password | Auto — every 30 days | LOW — password is uncrackable | Use for all compatible services |
| Managed Service Account (sMSA) | AD-managed, single-server | Auto — every 30 days | LOW | Use where gMSA not supported |
| LAPS-Managed Local Admin | Random password stored in AD, per-computer | Configurable (30-90 days) | N/A — local account | Deploy Windows LAPS on all endpoints |
Rotation Schedule
| Account Class | Rotation Interval | Verification |
|---|---|---|
| krbtgt | Every 180 days (reset twice) | Confirm replication completes between resets |
| Tier 0 service accounts | Every 60 days | Automated rotation via secrets vault |
| Tier 1 service accounts | Every 90 days | Automated rotation, alert on failure |
| LAPS local admin | Every 30 days | Verify via Get-LapsADPassword |
| Break-glass accounts | After every use | Dual-custody reseal |
2.5 Conditional Access Policy Matrix¶
Conditional Access — Azure Entra ID / Microsoft Entra
Define who can access what, from where, and under which conditions.
| Scenario | Users | Application | Condition | Grant Control |
|---|---|---|---|---|
| All cloud apps — baseline | All users | All cloud apps | Any platform, any location | Require MFA |
| Privileged admin access | Global Admin, Privileged Role Admin | Azure portal, Graph API | Any | Require MFA + compliant device + Privileged Access Workstation |
| Legacy authentication block | All users | All cloud apps | Client apps: Exchange ActiveSync, other clients | Block access |
| High-risk sign-in | All users | All cloud apps | Sign-in risk: High | Require password change + MFA |
| Guest access | Guest users | All cloud apps | Any | Require MFA + ToU acceptance |
| Device compliance | All users | Office 365 | Any platform | Require compliant or Hybrid Azure AD joined device |
| Location-based | All users | All cloud apps | Outside named locations (trusted IPs) | Require MFA |
| Session control | All users | Sensitive apps | Unmanaged device | App-enforced restrictions (no download) |
3. Cloud IAM Security¶
3.1 AWS IAM Best Practices¶
| Practice | Implementation | Risk Mitigated |
|---|---|---|
| Least Privilege | Use IAM Access Analyzer to identify unused permissions; scope policies to specific resources | Over-provisioned identities |
| Service Control Policies (SCPs) | Attach SCPs to OUs to set permission guardrails; deny sts:AssumeRole to external accounts | Cross-account escalation |
| Permission Boundaries | Set max permissions for IAM entities; developers can self-service within boundary | Privilege creep |
| No Long-Lived Access Keys | Use IAM roles + STS temporary credentials; rotate any remaining keys every 90 days | Credential theft |
| MFA on Root | Hardware MFA on root account; store in physical safe; alert on any root API call | Root account compromise |
| CloudTrail + GuardDuty | Enable CloudTrail in all regions; enable GuardDuty for anomaly detection | Unmonitored activity |
| IAM Conditions | Use aws:SourceIp, aws:PrincipalOrgID, aws:RequestedRegion conditions | Lateral movement, exfil to rogue region |
// Example: SCP denying access outside approved regions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyUnapprovedRegions",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2",
"eu-west-1"
]
}
}
}
]
}
3.2 Azure Entra ID (Azure AD) Security¶
| Control | Description | Configuration |
|---|---|---|
| Privileged Identity Management (PIM) | JIT elevation for Azure AD and Azure roles | Max 8-hour activation, require justification + MFA, approval for Global Admin |
| Conditional Access | Risk-based, device-based, location-based access policies | See Conditional Access matrix in Section 2.5 |
| Access Reviews | Periodic recertification of group memberships and app assignments | Monthly for privileged roles, quarterly for app access |
| Continuous Access Evaluation | Near-real-time token revocation on critical events | Enable for Exchange Online, SharePoint, Teams |
| Authentication Methods | Passwordless: FIDO2, Windows Hello, Microsoft Authenticator | Disable SMS/voice for admins; require phishing-resistant MFA |
| Cross-Tenant Access Settings | Control collaboration with external tenants | Default deny inbound, allow specific partner tenants |
| Identity Protection | Automated risk detection and remediation | Block high-risk users, require password change for medium risk |
3.3 GCP IAM Security¶
| Control | Description | Implementation |
|---|---|---|
| Organization Policies | Centralized guardrails across projects | constraints/iam.allowedPolicyMemberDomains — restrict to corporate domain |
| Workload Identity Federation | Eliminate service account keys for external workloads | OIDC/SAML federation from CI/CD, AWS, Azure |
| VPC Service Controls | Data exfiltration prevention via service perimeters | Create perimeters around BigQuery, GCS, Pub/Sub |
| IAM Recommender | ML-driven right-sizing of permissions | Review and apply recommendations monthly |
| Domain-Restricted Sharing | Prevent sharing resources outside organization | Org policy: iam.allowedPolicyMemberDomains |
| Service Account Controls | Disable key creation, enforce short-lived tokens | Org policy: iam.disableServiceAccountKeyCreation |
| Audit Logging | Admin Activity (always on), Data Access (must enable) | Enable Data Access logs for IAM, GCS, BigQuery |
4. Quick Reference Tables¶
4.1 Windows Security Event IDs for IAM¶
| Event ID | Description | Category | Detection Use Case |
|---|---|---|---|
| 4624 | Successful logon | Logon/Logoff | Lateral movement (Type 3), RDP (Type 10), service logon (Type 5) |
| 4625 | Failed logon | Logon/Logoff | Brute force, password spraying, account lockout source |
| 4627 | Group membership at logon | Logon/Logoff | Track privileged group exposure during logon |
| 4634 | Logoff | Logon/Logoff | Session duration analysis, correlate with 4624 |
| 4648 | Logon with explicit credentials | Logon/Logoff | RunAs, net use, credential reuse, PtH indicator |
| 4662 | Object access (DS Access) | Directory Service | DCSync detection (replication GUID access) |
| 4672 | Special privileges assigned | Logon/Logoff | Admin logon, SeDebugPrivilege, SeTcbPrivilege |
| 4720 | User account created | Account Mgmt | Persistence via new account creation |
| 4722 | User account enabled | Account Mgmt | Re-enabled dormant accounts |
| 4724 | Password reset attempt | Account Mgmt | ForceChangePassword abuse |
| 4728 | Member added to global security group | Account Mgmt | Privilege escalation (added to Domain Admins) |
| 4732 | Member added to local security group | Account Mgmt | Local admin escalation |
| 4756 | Member added to universal security group | Account Mgmt | Enterprise Admins / Schema Admins modification |
| 4768 | Kerberos TGT requested (AS-REQ) | Kerberos | AS-REP Roasting (PreAuth type 0), auth anomalies |
| 4769 | Kerberos service ticket requested (TGS-REQ) | Kerberos | Kerberoasting (RC4/0x17), Golden Ticket anomalies |
| 4771 | Kerberos pre-authentication failed | Kerberos | Password spraying against Kerberos, account lockout |
| 4776 | NTLM credential validation | Credential Validation | PtH, NTLM relay, NTLM auth from unexpected sources |
| 5136 | Directory object modified | Directory Service | ACL attacks, GPO modification, schema changes |
| 5145 | Network share access check | Object Access | Lateral movement via SMB (ADMIN$, C$, IPC$) |
4.2 LDAP Filter Cheat Sheet for AD Enumeration Detection¶
Monitor for these LDAP queries
Attackers and tools like BloodHound, SharpHound, and ADFind use characteristic LDAP filters during reconnaissance. Detecting these at the directory level provides early warning.
| LDAP Filter | Purpose | Threat |
|---|---|---|
(servicePrincipalName=*) | Enumerate all SPNs | Kerberoasting target list |
(userAccountControl:1.2.840.113556.1.4.803:=4194304) | Find accounts without preauth | AS-REP Roasting target list |
(adminCount=1) | Find privileged accounts | High-value target enumeration |
(msDS-AllowedToDelegateTo=*) | Find constrained delegation | Delegation abuse path discovery |
(userAccountControl:1.2.840.113556.1.4.803:=524288) | Find trusted-for-delegation accounts | Unconstrained delegation abuse |
(objectClass=computer)(operatingSystem=*server*) | Enumerate servers | Lateral movement target identification |
(objectCategory=groupPolicyContainer) | Enumerate GPOs | GPO abuse, persistence planning |
(objectClass=trusteddomain) | Enumerate domain trusts | Cross-domain/forest attack planning |
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))) | All enabled users | User enumeration for spraying |
(msDS-GroupMSAMembership=*) | Enumerate gMSA principals | Service account attack planning |
LDAP Query Volume Detection
// High-volume LDAP queries from single source — SharpHound/ADFind indicator
SecurityEvent
| where EventID == 1644 // Requires LDAP Field Engineering diagnostics
| summarize QueryCount = count(),
DistinctFilters = dcount(SearchFilter)
by ClientIP = tostring(extract("Client IP: ([\\d.]+)", 1, EventData)),
bin(TimeGenerated, 5m)
| where QueryCount > 50 or DistinctFilters > 10
4.3 Kerberos Ticket Lifetimes — Defaults and Recommendations¶
| Parameter | Default Value | Recommended Value | Group Policy Path |
|---|---|---|---|
| Maximum lifetime for user ticket (TGT) | 10 hours | 4 hours | Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Kerberos Policy |
| Maximum lifetime for service ticket (TGS) | 600 minutes | 600 minutes | Same as above |
| Maximum lifetime for user ticket renewal | 7 days | 7 days | Same as above |
| Maximum tolerance for clock synchronization | 5 minutes | 5 minutes | Same as above |
| Enforce user logon restrictions | Enabled | Enabled | Same as above |
Encryption Type Hierarchy
| Encryption Type | Code | Strength | Recommendation |
|---|---|---|---|
| DES-CBC-CRC | 0x01 | Broken | Disable everywhere |
| DES-CBC-MD5 | 0x03 | Broken | Disable everywhere |
| RC4-HMAC (ArcFour) | 0x17 | Weak | Disable if possible; detection trigger |
| AES128-CTS-HMAC-SHA1 | 0x11 | Good | Acceptable |
| AES256-CTS-HMAC-SHA1 | 0x12 | Strong | Preferred — set as default |
Enforcement
Set msDS-SupportedEncryptionTypes to 24 (0x18) on service accounts to enforce AES128+AES256 only. Use Group Policy Network security: Configure encryption types allowed for Kerberos to enforce domain-wide.
5. Response Playbook Quick Actions¶
If you suspect Active Directory compromise
- Isolate — Disconnect suspected compromised hosts from the network
- Preserve evidence — Memory dump of DCs and compromised endpoints before remediation
- Reset krbtgt — Reset the
krbtgtpassword twice (wait for replication between resets) - Revoke sessions — Invalidate all Kerberos tickets (requires krbtgt reset)
- Disable compromised accounts — Disable all accounts confirmed or suspected compromised
- Reset Tier 0 credentials — All Domain Admin, Enterprise Admin, and service account passwords
- Audit replication rights — Verify only DCs hold
Replicating Directory Changes All - Review ACLs — Check
AdminSDHolder, Domain Admins, Enterprise Admins for unauthorized ACEs - Scan for persistence — Check scheduled tasks, GPO modifications, DCShadow artifacts
- Enable enhanced logging — 4662, 5136, LDAP diagnostics (EID 1644) if not already enabled
- Implement tiering — Enforce Tier 0/1/2 logon restrictions via Authentication Policy Silos
- Deploy PAWs — Privileged Access Workstations for all Tier 0 administration
- Migrate to gMSAs — Replace all standalone service accounts with Group Managed Service Accounts
- Enable Credential Guard — UEFI-locked Credential Guard on all Tier 0 and Tier 1 systems
- Establish monitoring — Deploy detection queries from this cheat sheet into SIEM
6. Identity Threat Detection Rule Priority¶
Detection Engineering Priority Matrix
Prioritize detection rule deployment based on attack prevalence and impact.
| Priority | Attack | MITRE ID | Key Log Source | False Positive Risk |
|---|---|---|---|---|
| P1 | DCSync | T1003.006 | EventID 4662 | Low — non-DCs requesting replication is rare |
| P1 | Golden Ticket | T1558.001 | EventID 4769 | Low — TGT anomalies are distinctive |
| P1 | Domain Admin Group Change | T1098 | EventID 4728 | Low — should be extremely rare in production |
| P2 | Kerberoasting | T1558.003 | EventID 4769 | Medium — some monitoring tools request RC4 tickets |
| P2 | Pass-the-Hash | T1550.002 | EventID 4624 | Medium — NTLMv1 may exist in legacy environments |
| P2 | AS-REP Roasting | T1558.004 | EventID 4768 | Low — preauth-disabled accounts are uncommon |
| P3 | ACL Attacks | T1222.001 | EventID 5136 | Medium — legitimate AD delegation changes occur |
| P3 | LDAP Reconnaissance | T1018 | EventID 1644 | High — AD-integrated apps generate LDAP queries |