Detection of Current Attacks in Active Directory Environment with Log Correlation Methods

Aktif Dizin Ortamındaki Güncel Saldırıların Log Korelasyon Yöntemleri ile Tespiti

Authors

  • Mehmet Sabri Elmastaş National Defence University, Atatürk Strategic Studies and Graduate Institute, Department of Computer Engineering
  • Can Eyüpoğlu National Defence University, Turkish Air Force Academy, Department of Computer Engineering

Keywords:

Security Monitoring, Active Directory, Log Correlation, SIEM, Detection Rules, Splunk

Abstract

Active Directory is a directory service that gives centralized management and identity management, and with them control and integrity, to IT environments that grow over time and accumulate ever more devices. Protecting user credentials, corporate systems and sensitive data from unauthorized access is one of the basic principles of information security. Security monitoring of Active Directory environments is usually performed with signature-based detection rules. However, these rules are not always effective or sufficient, especially against attacks whose activity closely resembles legitimate behaviour. In this study, log correlation techniques are applied to detect lateral movement and kerberoasting attacks. Using features derived from the Windows Event Log, various machine learning algorithms were trained and evaluated on data from a real Active Directory environment. The resulting approach has been implemented as detection rules, for practical use, on the Splunk platform, a Security Information and Event Management (SIEM) product. In the experimental comparison with signature-based approaches, the proposed solution improves detection capability and also reduces the number of false alarms for both attack techniques considered.
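The abstract describes correlating Windows Event Log records rather than matching single events. The following is an added illustration, not code from the paper or from Splunk: two windowed correlation rules written in Python over a constructed batch of Security-log events. The Event IDs (4769 for a Kerberos service ticket request, 4624 for a logon) and field names follow the Windows Security log as Splunk extracts it; the window lengths, thresholds, the RC4-only filter for kerberoasting and the "many distinct hosts from one source" heuristic for lateral movement are illustrative assumptions chosen for the example, not the thresholds or features the paper uses.

```python
"""Two log-correlation rules over Windows Security events (constructed sample data).

Rule 1 (kerberoasting): one account requests service tickets (Event ID 4769)
for several distinct SPNs with RC4-HMAC encryption (0x17) inside a short window.
Rule 2 (lateral movement): one source address opens network logons
(Event ID 4624, logon type 3) to several distinct hosts inside a short window.
Window sizes and thresholds are illustrative assumptions, not the paper's values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC in Event 4769

# Constructed sample events (not real telemetry). Field names follow the
# Windows Security log as a SIEM such as Splunk extracts them.
SAMPLE_EVENTS = [
    # jdoe pulls three RC4 service tickets for different SPNs within 70 seconds
    {"TimeCreated": "2023-01-15T09:00:00", "EventCode": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "MSSQLSvc/db01", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2023-01-15T09:00:05", "EventCode": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2023-01-15T09:00:30", "EventCode": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "HTTP/web01", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2023-01-15T09:01:10", "EventCode": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "CIFS/file01", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    # asmith: a single AES (0x12) ticket, ordinary activity
    {"TimeCreated": "2023-01-15T09:02:00", "EventCode": 4769, "TargetUserName": "asmith@CORP.LOCAL",
     "ServiceName": "MSSQLSvc/db01", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.31"},
    # network logons from 10.0.0.25 to three different hosts within three minutes
    {"TimeCreated": "2023-01-15T09:10:00", "EventCode": 4624, "LogonType": "3",
     "TargetUserName": "jdoe", "Computer": "WS01", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2023-01-15T09:11:00", "EventCode": 4624, "LogonType": "3",
     "TargetUserName": "jdoe", "Computer": "WS02", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2023-01-15T09:12:30", "EventCode": 4624, "LogonType": "3",
     "TargetUserName": "jdoe", "Computer": "WS03", "IpAddress": "10.0.0.25"},
    {"TimeCreated": "2023-01-15T09:13:00", "EventCode": 4624, "LogonType": "3",
     "TargetUserName": "jdoe", "Computer": "WS01", "IpAddress": "10.0.0.25"},
    # benign: one network logon from another source, one interactive logon
    {"TimeCreated": "2023-01-15T09:11:00", "EventCode": 4624, "LogonType": "3",
     "TargetUserName": "asmith", "Computer": "FS01", "IpAddress": "10.0.0.40"},
    {"TimeCreated": "2023-01-15T09:12:00", "EventCode": 4624, "LogonType": "2",
     "TargetUserName": "asmith", "Computer": "WS05", "IpAddress": "-"},
]


def _burst_of_distinct(pairs, window, threshold):
    """pairs: list of (datetime, value). Return (window_start, values) for the
    first time window that holds >= threshold distinct values, else None."""
    pairs = sorted(pairs)
    for i, (start, _) in enumerate(pairs):
        seen = set()
        for t, value in pairs[i:]:
            if t - start > window:
                break
            seen.add(value)
        if len(seen) >= threshold:
            return start, seen
    return None


def detect_kerberoasting(events, window=timedelta(minutes=5), min_spns=3):
    """Accounts that request >= min_spns distinct RC4 service tickets within window."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventCode"] != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        spn = e["ServiceName"]
        if spn.lower() == "krbtgt" or spn.endswith("$"):  # skip TGT and computer accounts
            continue
        by_account[e["TargetUserName"]].append((datetime.fromisoformat(e["TimeCreated"]), spn))
    alerts = []
    for account, pairs in by_account.items():
        hit = _burst_of_distinct(pairs, window, min_spns)
        if hit:
            alerts.append({"rule": "kerberoasting", "account": account,
                           "start": hit[0].isoformat(), "spns": sorted(hit[1])})
    return alerts


def detect_lateral_movement(events, window=timedelta(minutes=10), min_hosts=3):
    """Source addresses with network logons (type 3) to >= min_hosts distinct hosts within window."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventCode"] != 4624 or e.get("LogonType") != "3" or e.get("IpAddress") in (None, "-"):
            continue
        by_source[e["IpAddress"]].append((datetime.fromisoformat(e["TimeCreated"]), e["Computer"]))
    alerts = []
    for source, pairs in by_source.items():
        hit = _burst_of_distinct(pairs, window, min_hosts)
        if hit:
            alerts.append({"rule": "lateral_movement", "source": source,
                           "start": hit[0].isoformat(), "hosts": sorted(hit[1])})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_EVENTS) + detect_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```

Both rules share the same sliding-window helper, which is the correlation step: neither a single RC4 ticket request nor a single network logon is suspicious on its own, so each rule only fires when the count of distinct values per key exceeds the threshold inside the window. In a production rule the thresholds would be tuned per environment (or learned, as the paper does with machine learning), and known scanners, backup servers and service accounts would be excluded to keep false alarms down.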




Published

28-07-2023

How to Cite

[1]
M. S. Elmastaş and C. Eyüpoğlu, “Detection of Current Attacks in Active Directory Environment with Log Correlation Methods: Aktif Dizin Ortamındaki Güncel Saldırıların Log Korelasyon Yöntemleri ile Tespiti”, JAST, vol. 16, no. 2, pp. 36–55, Jul. 2023.

Section

Articles