Detection of Current Attacks in Active Directory Environment with Log Correlation Methods
Aktif Dizin Ortamındaki Güncel Saldırıların Log Korelasyon Yöntemleri ile Tespiti
Keywords: Security Monitoring, Active Directory, Log Correlation, SIEM, Detection Rules, Splunk
Abstract
Active Directory is a directory service that provides centralized management and identity management, and with them control and integrity, to IT infrastructures that grow over time and accumulate ever more devices. Protecting user credentials, corporate systems and sensitive data from unauthorized access is one of the basic principles of information security. Security monitoring of Active Directory environments is usually performed with signature-based detection rules. However, these rules are not always effective or sufficient, especially against attacks whose activity closely resembles legitimate administrative behaviour. In this study, log correlation techniques are applied to detect lateral movement and Kerberoasting attacks. Using features derived from the Windows Event Log, several machine learning algorithms were trained and evaluated on data collected from a real Active Directory environment. For practical use, the resulting detection logic was implemented as detection rules on the Splunk platform, a Security Information and Event Management (SIEM) product. In the experimental comparison with signature-based approaches, the proposed solution improves detection capability and also reduces the number of false alarms for both attack techniques considered.
License
Copyright (c) 2023 Journal of Aeronautics and Space Technologies

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.