Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Attack tools such as ADRecon make Active Directory reconnaissance relatively easy to perform. Attackers can leverage this information to find new targets in an attack campaign.
The system might change the risk score for this detection.
Kill Chain
Risk Score
60
%20Activity-LT.png&w=1080&q=75)
A domain administrator can manage Active Directory data by running commands with tools such as PowerShell, Active Directory Administrative Center, or custom web applications. These tools interact with ADWS, which is a Windows service that runs on a domain controller (DC). Attack tools, such as ADRecon, also interact with ADWS. After an attacker compromises a Windows device with network access to a DC, the attacker can run ADRecon to extract information and performance reconnaissance on network users and services.
Strictly manage the users and groups who have domain permissions that allow them to replicate information from a DC
Implement strict login controls on devices with highly privileged users to reduce the exposure of credentials stored in memory to attackers
Strengthen the security on Windows devices by enforcing strong authentication policies and creating a list of approved applications
Collect information about DC changes with Windows event forwarding and remote aggregation of host-based logs
