ExtraHop Logo
Try ExtraHop
Menu iconX icon
  • Platformchevron right
  • Solutionschevron right
  • Modern NDRchevron right
  • Resourceschevron right
  • Companychevron right
User iconSign In
Contact Us

DETECTION OVERVIEW

PingCastle Scan

Risk Factors

PingCastle is one of many publicly available tools for scanning Active Directory networks. These types of scans typically do not negatively affect network performance, but attackers can leverage this information to find new targets in an attack campaign.

Kill Chain

Reconnaissance

Risk Score

33

Detection diagram
Next in Reconnaissance: RDP Session Enumeration Attempt

Attack Background

PingCastle is a tool for assessing the security posture of Active Directory (AD) environments. PingCastle is considered to be dual-use software, which is easy to acquire and can be leveraged for both legitimate and malicious activity. Attackers can run PingCastle to enumerate AD information, such as usernames, group policies, and more. For example, PingCastle enumerates group policy objects (GPOs) by sending an SMB request to a device.

Mitigation Options

Block executable files from running with Group Policy or AppLocker

Because securing AD environments can be difficult without compromising functionality, monitor and investigate unusual activity to minimize potential damage

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use casesArrow pointing right