Once an attacker establishes a foothold in your Active Directory (AD) domain, they begin looking for ways to achieve their final objective, such as gaining access to sensitive data on file servers or in databases, spreading ransomware or bringing down your IT infrastructure. To do so, they must first gain additional access rights — ideally, membership in highly privileged groups like Domain Admins. BloodHound Active Directory helps them find paths to do just that.
With attackers constantly developing new tactics to compromise credentials and data, it is increasingly important to monitor critical systems such as Active Directory (AD) for signs of malicious activity. Many organizations turn to security information and event management (SIEM) products for help.
ManageEngine ADAudit Plus is a UBA-driven auditor that fortifies your Active Directory (AD) security infrastructure. With over 250 built-in reports, it provides you with granular insights into what’s happening within your AD, such as all changes made to objects and their attributes. This can include changes to users, computers, groups, network shares, and more.
The Privilege Attribute Certificate (PAC) is an extension to Kerberos service tickets that contains information about the authenticating user and their privileges. A domain controller adds the PAC to Kerberos tickets when a user authenticates in an Active Directory (AD) domain. When a Kerberos service ticket is used to authenticate to other systems, those systems can retrieve the PAC from the user’s ticket to determine their level of privileges without having to query the domain controller.
CrackMapExec is an open-source tool that leverages Mimikatz to enable adversaries to harvest credentials and move laterally through an Active Directory environment. This blog post details how this tool works and offers a solution for defending against it.
Eighty percent of modern attacks are identity-driven. Why would an attacker hack into a system when they can simply use stolen credentials to masquerade as an approved user and log in to the target organization? Once inside, attackers increasingly target Microsoft Active Directory because it holds the proverbial keys to the kingdom, providing broad access to the systems, applications, resources and data that adversaries exploit in their attacks.
LDAP Nom Nom is a recently discovered brute-force technique for enumerating valid usernames in Active Directory — anonymously and without leaving any log entries behind. It abuses LDAP Ping, a little-known mechanism in Active Directory normally used by computers to check whether a domain controller is alive. This blog post explains how LDAP Ping works and how adversaries can abuse it with LDAP Nom Nom.
BloodHound is a powerful tool that identifies vulnerabilities in Active Directory (AD). Cybercriminals abuse this tool to visualize chains of abusable Active Directory permissions that can enable them to gain elevated rights, including membership in the powerful Domain Admin group. This guide is designed to help penetration testers use BloodHound to identify these vulnerabilities first, so enterprises can thwart attacks.