{
	"id": "c9cf282b-8e30-4e17-932b-91a440e77267",
	"created_at": "2026-04-06T00:13:07.637228Z",
	"updated_at": "2026-04-10T03:20:19.914482Z",
	"deleted_at": null,
	"sha1_hash": "6faf6c87b4f9d06114cbd4e40e315dc23d9b6f74",
	"title": "Real-time detection scenarios in Active Directory environments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 584794,
	"plain_text": "Real-time detection scenarios in Active Directory environments\r\nBy Scarred Monk\r\nPublished: 2022-05-06 · Archived: 2026-04-05 17:17:51 UTC\r\nIntroduction\r\nRecently, I joined the 2nd session of the course “3 Machine Labs” under the Auror Project, an initiative led by Sudarshan Pisupati, where we did a deep dive into Active Directory. I liked that this course is focused on challenge-based learning: each session is followed by a challenge that ultimately helps the members understand the core concepts. And the best thing is that this project is open for anyone to join. In fact, it was started with the goal of driving meaningful infosec career outcomes for its members by creating community-driven opportunities.\r\nIn the first session of “3 Machine Labs”, the challenge was to automate the 3 machine lab environment for testing different scenarios. To achieve this, we can use Packer and Vagrant; there are other ways to automate the whole process as well. Packer helps create a golden image from a particular ISO file. Then, using the configuration scripts, we can use Vagrant to provision the virtual machine inside VirtualBox.\r\nPacker — https://www.packer.io/downloads\r\nVagrant — https://www.vagrantup.com/downloads\r\nVirtualbox — https://www.virtualbox.org/wiki/Downloads\r\nWe will need to fill in the Packer configuration files with the details needed to automate the process, such as the path to the Windows 10 / Server 2019 ISO image file, sizing requirements and so on.\r\nhttps://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios\r\nPage 1 of 15\r\nOnce the configuration is done, we run Packer to build the machines with the command below, passing the JSON config for the machine:\r\npacker.exe build .\\your-server-2019-file.json\r\nFor more details on automation, there are great writeups by fellow members of the Auror Project explaining different ways to automate the whole process. Below are the references:\r\nhttps://sbasu7241.medium.com/auror-project-challenge-1-automated-active-directory-lab-deployment-53e323445f4d\r\nhttps://medium.com/@deepakkeshav98/3-machine-labs-1-automating-lab-a9870fc42c54\r\nhttps://www.passthehacks.com/post/the-auror-project\r\nhttps://pswalia2u.medium.com/automate-active-directory-installation-packer-provisioning-vagrant-e5b059d8fda\r\nReal-time detection scenarios\r\nIn the 2nd session, we discussed a lot of important concepts related to Active Directory users and security groups. Based on that, we were asked to work through a few challenges, listed below, by programming, through scripts or by creating an analytics dashboard:\r\nDetect when a computer account is added to any of the created domain security groups\r\nDetect an attempt to spray passwords using user attributes\r\nDetect a change to the Domain Admins group membership and notify this activity\r\nDetect when a helpdesk administrator is also a server administrator\r\nGather the count of administrators on the crown jewel machine and domain controller (including local accounts). Detect when this number changes\r\nIn this post, I will go through the C# programs that I created to look for these near real-time detection scenarios of the above activities in an Active Directory domain environment.\r\nScenario 1 - Real-time detection when a computer account is added to any domain security groups\r\nDetect Evil Machine 😈\r\nI came across this concept of what could happen when we add a domain machine into a privileged group. Normally we add user accounts into security groups, which allows them to perform different tasks based on the permissions of those security groups. Usually, machine accounts are not added into security groups.\r\nLet’s see what happens if we add a machine account into a security group (for example, into Domain Admins).\r\nWhen I added a machine account into the security group (Domain Admins), the local system account (NT AUTHORITY\\SYSTEM) was able to access domain resources. I was able to access the system drive of the domain controller, and could perform lateral movement as well using the same account. Quite interesting!\r\nNormally, a machine account is not added into Domain Admins or other domain security groups, so when we run as the local system account (NT AUTHORITY\\SYSTEM) we are not allowed to access the system drive of the domain controller, which is quite normal.\r\nThe local system account (NT AUTHORITY\\SYSTEM) only has the highest privileges on the local Windows machine (for example, it has full control over all files on an NTFS volume). It is used by the operating system and by the services that Windows runs in the background for different tasks, which log on internally using this account.\r\nIn normal scenarios, this account doesn’t even show up in the Local Users and Groups management console, and cannot be added to any groups from the console. Sometimes, when we get a remote shell as NT AUTHORITY\\SYSTEM, we are able to perform a lot of activities on the local machine, but we cannot use that account to move laterally.\r\nBut if the machine (that we got access to) is added into a security group, the machine account gets the permissions for the relevant critical server or resources based on that security group. Sometimes system administrators do this to run some domain-level tool that is having permission issues, or to troubleshoot such issues, and then forget to remove the machine accounts from the groups. During red team engagements, offensive security team members can look for such machine accounts that have the highest privileges. And threat detection teams can check for any machine accounts present in any of the security groups, as a part of attack surface management.\r\nThink of scenarios where adversaries have this type of access to a machine: the source user in the logs would be the machine account ending with $ (such as ADSQL01$) instead of a user account. This can bypass many SIEM threat detection conditions in which machine accounts (ending with $) are filtered out to reduce noise.\r\nI have created a POC tool in C#, which performs the functions below:\r\n1. Displays the machine accounts already present in any of the security groups in the Active Directory domain\r\n2. Monitors for any new machine accounts being added into any of the security groups\r\n3. Notifies on the console about new machine accounts being added into any of the security groups\r\nAs seen in the screenshot, the tool shows the machine accounts that are already added into the security groups. It also looks for new additions in real time and notifies on the console.\r\nThreat detection teams can also create detection logic for such activity by looking into Windows Event Logs for event ID 4728 and checking whether a computer account was added into a security group.\r\nTool Link - https://github.com/ScarredMonk/Detect-Evil-Machine\r\nScenario 2 - Real-time detection of attempts to spray passwords using user attributes\r\nDetect Password Spraying 🥷\r\nIn this scenario, I’ll perform a password spraying attack and try to detect it in real time. A password spraying attack is a type of brute force attack in which adversaries attempt a single password (for example ‘pass@123’), or a small list of commonly used passwords, against many different accounts on a network to avoid the account lockouts that would normally occur when brute forcing a single account with many passwords.\r\nFor this POC, I have written a tool that checks for multiple bad password attempts using the user attributes.\r\nFirst of all, I am fetching all the accounts using LDAP that have a badPwdCount value \u003e 0:\r\nusing System.DirectoryServices;\r\n\r\n// Bind to the default naming context of the current domain\r\nDirectoryEntry adObject = new DirectoryEntry();\r\nDirectorySearcher searcher = new DirectorySearcher(adObject)\r\n{\r\n    SearchScope = SearchScope.Subtree,\r\n    // User objects (excluding computers) whose badPwdCount is not 0\r\n    // (note: this also matches accounts on which the attribute is unset)\r\n    Filter = \"(\u0026(objectclass=user)(!(objectclass=computer))(!(badPwdCount=0)))\"\r\n};\r\nvar queryattributes = searcher.FindAll();\r\nCheckPassSpray(true);\r\nThen, I’m leveraging the Active Directory user attributes badPasswordTime and badPwdCount. I check the badPwdCount for multiple users and group them on the basis of the badPasswordTime attribute. When I try password spraying against multiple users, it gets detected by the tool Detect-Spray as shown in the screenshot:\r\nTool Link - https://github.com/ScarredMonk/Detect-Spray\r\nScenario 3 - Real-time detection of change in Domain Admins group membership\r\nDetect Change in Domain Admins 👀\r\nThe attack surface is highly dependent on how many administrators there are in a particular domain. That number should be limited and continuously monitored for the same reason. In this scenario, I am looking for any change in the Domain Admins group. This tool prints the existing members of Domain Admins and notifies on the console if a new member is added to the group.\r\nThreat detection teams can also create detection logic for such activity by looking into Windows Event Logs for event ID 4728 and checking for any attempts to add users into a privileged group.\r\nTool Link - https://github.com/ScarredMonk/Detect-DomainAdmin-Change\r\nScenario 4 - Check if a member of Group 1 is present in Group 2 in Active Directory Domain\r\nCheck member of one Group in other group 👥\r\nSometimes it is possible that a low-privilege user is a member of a high-privilege group. In this challenge, I compared the members of one group against another group to see whether any of them is also present in the other, higher-privilege group. For the challenge, we had to check whether any user in the helpdesk admins group is also a part of the Server Administrators group.\r\nTool Link - https://github.com/ScarredMonk/Compare-Group-Members\r\nScenario 5 - Gather the count of administrators on the crown jewel machine and domain controller (including local accounts). Detect when this number changes\r\nLocal admin attack surface management 🕸\r\nThis is done for attack surface management. It is very important to keep a close eye on privileged group membership. In this challenge, I detected changes in the local Administrators group of the domain controller and of the crown jewel machine (critical machine). Below is a very good article by Microsoft on reducing the Active Directory attack surface:\r\nhttps://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/reducing-the-active-directory-attack-surface\r\nLocal administrators group of domain controller\r\nWhenever a new domain admin is added, the tool reports it on the console.\r\nThe same thing can be monitored from Windows Event Logs with event ID 4728, checking for any attempts to add users into the Administrators group of a domain controller.\r\nTool Link - https://github.com/ScarredMonk/ASM-NewDCAdmins\r\nLocal administrators group of Crown Jewel machine\r\nThe challenge required not using domain admin / local admin privileges to retrieve the local admin group members on a domain machine, but a tweak of other permissions instead. So I tried different permissions and ways to achieve this without becoming a domain administrator or a local administrator on the remote machine. Finally, I found a way to enumerate remotely after granting my scanning user permission to enumerate through WMI on the remote machine:\r\nOpen WMImgmt.msc\r\nGo to the Properties of WMI Control\r\nGo to the Security tab\r\nSelect “Root” and open Security\r\nSelect the “Remote Enable” permission for my monitoring user account\r\nTool Link - https://github.com/ScarredMonk/ASM-NewRemoteAdmins\r\nThe same thing can be monitored from Windows Event Logs with event ID 4728, checking for any attempts to add users into the Administrators group of a local machine.\r\nIt is very important to monitor other privileged groups as well, apart from Domain Admins, such as: Administrators, Print Operators, DHCP Admins, Backup Operators, Account Operators, Cert Publishers, Network Configuration Operators, Group Policy Creator Owners, Domain Controllers, Enterprise Admins, Server Operators, RAS and IAS Servers, Schema Admins, etc.\r\nSummary 📓\r\nTo quickly recap, let’s summarize the above scenarios and monitoring recommendations for Active Directory environments.\r\nMonitor any changes to privileged groups in the whole environment in order to reduce the attack surface.\r\nDetect when a computer account is added to any of the created domain security groups, because of its consequences.\r\nQuickly detect an attempt to spray passwords by leveraging the user attributes, even when the attack bypasses the event logs.\r\nGet notified of the activity when Domain Admins group membership is modified.\r\nCheck why a member of a low-privileged group suddenly became a member of a high-privileged group.\r\nHave handy dashboards showing changes in the count of administrators on the crown jewel machines/domain controllers (including local accounts).\r\nFor most organisations, the Active Directory environment was created long ago, and since then a lot of group additions and changes have happened over time. So it is quite possible that administrators have lost track of many of the security groups in the domain, and of why those groups are there if they are not in use anymore. So it is very important that organisations do attack surface management from time to time. We cannot block activities such as Active Directory enumeration in these environments, because it is continuously happening for legitimate purposes by business tools and even by Windows applications. But what we can do is monitor these areas in real time and work on managing and reducing the attack surface in Active Directory.\r\nThis was just for one session, which was related to users and groups. There are many interesting things in the Auror Project, which involves not just coding but also analytical thinking, and will help in building a problem-solving mindset, so I would recommend readers join the project for something new.\r\nSource: https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://rootdse.org/posts/monitoring-realtime-activedirectory-domain-scenarios"
	],
	"report_names": [
		"monitoring-realtime-activedirectory-domain-scenarios"
	],
	"threat_actors": [],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775791219,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6faf6c87b4f9d06114cbd4e40e315dc23d9b6f74.pdf",
		"text": "https://archive.orkl.eu/6faf6c87b4f9d06114cbd4e40e315dc23d9b6f74.txt",
		"img": "https://archive.orkl.eu/6faf6c87b4f9d06114cbd4e40e315dc23d9b6f74.jpg"
	}
}