Authentication Against a New Domain Controller
Description
A common indicator for lateral movement is when a user starts logging into new domain controllers.
How to Implement
Implementation of this example (or any of the First Time Seen examples) is generally very simple.
For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you want to run the search more frequently, or if it is too slow for your environment, we recommend using a lookup cache: a lookup that records the combinations already seen (and when they were first seen), so each run only has to compare new events against that baseline instead of rescanning the full history. See the lookup cache feature in the app for details.
Known False Positives
This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it accurately reflects the first occurrence in the time period you are searching over (or, with the lookup cache feature, the first occurrence over whatever period you built the lookup from). So while there are no "false positives" in the traditional sense, there is definitely a lot of noise: any legitimate change in where a user authenticates from produces exactly the same signal as an attacker using that user's credentials. You should not review these alerts directly (except for high-sensitivity accounts), but instead use them for context, or to aggregate risk (as mentioned under How To Respond).
How To Respond
When this search returns values, initiate your incident response process and identify the user account and the specific domain controller it authenticated against. Contact the user and the system owner about this action. If it is authorized, document that it is authorized and by whom. If not, the user's credentials may have been used by another party, and additional investigation is warranted to determine whether lateral movement is occurring.
Help
This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of Windows domain controller credential-validation events (Event ID 4776, which a domain controller logs when it validates an account's credentials over NTLM; Kerberos authentications are logged as 4768/4769 instead and are not covered by this search). For this analysis, we effectively group by username and domain controller name, which gives us one row for each username+domaincontrollername combination. We then check whether the first time that combination occurred was within the last day.
SPL for Authentication Against a New Domain Controller
Demo Data
First we pull in our demo dataset.
Here we use the stats command to calculate the earliest and the latest time we have seen this combination of fields.
Next we calculate the most recent time in our demo dataset.
We end by checking whether the earliest time we have seen this combination is within the last day before the end of our demo dataset.
Live Data
First we start with our basic dataset of WinSecurity logs with EventCode 4776. For domain accounts this event is logged only by the domain controller that validated the credentials, so ComputerName identifies the DC; note that 4776 for a local account is logged by the member server or workstation itself, so restrict the search to your DC hosts if those systems also forward security logs.
We then rename ComputerName to DomainController for clarity.
Then we use table to include just the fields we are apt to care about. (Technically we need to use | table for this app because we show you the intermediate results, but in production you should drop this line because it reduces search performance.)
Here we use the stats command to calculate the earliest and the latest time we have seen this combination of fields.
We end by checking whether the earliest time we have seen this combination is within the last day.
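The following is an added, stand-alone illustration of the logic the steps above describe, written in Python rather than SPL so it can be run without Splunk; it is not code from the Splunk Security Essentials app. It implements both flavours discussed on this page: the one-shot version (earliest/latest per user+DC combination, flag combinations whose earliest sighting falls within the last day of the window) and the lookup-cache version from How to Implement (a persisted baseline of first-seen times, so only combinations absent from the baseline can alert). The 4776 records are constructed sample data; the field names mirror the Windows event (ComputerName, TargetUserName, EventCode) and the one-day window is an assumption matching the text.

```python
"""First-time-seen detection for user + domain-controller pairs in Event ID 4776 data.

Added example (not Splunk Security Essentials code). The events below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample events: (timestamp, ComputerName, TargetUserName, EventCode).
# ComputerName is the domain controller that validated the credentials.
SAMPLE_EVENTS = [
    ("2023-03-01T08:00:00Z", "DC01", "alice", 4776),
    ("2023-03-02T09:15:00Z", "DC01", "alice", 4776),
    ("2023-03-03T10:00:00Z", "DC02", "bob", 4776),
    ("2023-03-09T17:45:00Z", "DC02", "alice", 4776),  # alice first seen on DC02 -> should fire
    ("2023-03-10T07:30:00Z", "DC01", "bob", 4776),    # bob first seen on DC01 -> should fire
    ("2023-03-10T07:31:00Z", "DC01", "bob", 4624),    # not 4776 -> ignored by the filter
    ("2023-03-10T08:00:00Z", "DC01", "alice", 4776),  # alice on DC01 is old -> no alert
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def earliest_latest(events):
    """Equivalent of `| search EventCode=4776 | stats earliest(_time) latest(_time) by user, DomainController`.

    Returns {(user, dc): [earliest, latest]}.
    """
    stats = {}
    for ts, dc, user, code in events:
        if code != 4776:
            continue
        t = parse_ts(ts)
        key = (user, dc)
        if key not in stats:
            stats[key] = [t, t]
        else:
            stats[key][0] = min(stats[key][0], t)
            stats[key][1] = max(stats[key][1], t)
    return stats


def new_pairs(events, window=timedelta(days=1), now=None):
    """One-shot flavour: flag combinations whose earliest sighting is within `window` of `now`.

    With now=None the reference point is the most recent event in the data (the Demo Data
    variant); pass now=datetime.now(timezone.utc) for the Live Data variant.
    """
    stats = earliest_latest(events)
    if not stats:
        return []
    if now is None:
        now = max(latest for _, latest in stats.values())
    cutoff = now - window
    return sorted((user, dc, first) for (user, dc), (first, _) in stats.items() if first >= cutoff)


def update_cache_and_alert(cache, events):
    """Lookup-cache flavour. `cache` maps (user, dc) -> first-seen time across all earlier runs.

    Only combinations not yet in the cache produce alerts; the cache is updated in place so
    the next run (e.g. the next hour's events) only compares against the baseline. The very
    first run over historical data builds the baseline and is expected to be noisy.
    """
    alerts = []
    for (user, dc), (first, _) in sorted(earliest_latest(events).items()):
        if (user, dc) not in cache:
            cache[(user, dc)] = first
            alerts.append((user, dc, first))
        else:
            cache[(user, dc)] = min(cache[(user, dc)], first)
    return alerts


if __name__ == "__main__":
    for user, dc, first in new_pairs(SAMPLE_EVENTS):
        print(f"NEW: {user} first authenticated against {dc} at {first.isoformat()}")
    baseline = {}
    update_cache_and_alert(baseline, SAMPLE_EVENTS[:4])   # seed run: builds the baseline
    for user, dc, first in update_cache_and_alert(baseline, SAMPLE_EVENTS[4:]):
        print(f"NEW (cached): {user} first authenticated against {dc} at {first.isoformat()}")
```

Note that the seed run over historical data alerts on every combination it sees; treat that run as baseline construction, not as findings, which is the same reason the page tells you to use these results for context and risk aggregation rather than reviewing each one.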