New AD Domain Detected

Description

New AD domain names appearing in your normal domain controller logs are an artifact left by many Pass the Hash tools. Some of the latest tools no longer produce this artifact, but it remains a very valuable detection mechanism.


Use Case

Advanced Threat Detection, Compliance

Category

Lateral Movement

Security Impact

In Windows logs, the domain name is often reported even when it is not explicitly required for the authentication. Under normal operation, the reported domain name will be one of your real domains, but when someone is intentionally modifying authentication (such as with Pass the Hash), you can see incorrect or empty domains. Attackers use Pass the Hash to move laterally within the organization, connecting to new servers with stolen credential material. Not all Pass the Hash techniques leave this artifact, but tracking new domain names in your Windows logs is very valuable.

Alert Volume

Low

SPL Difficulty

Medium

Journey

Stage 1

MITRE ATT&CK Tactics

Lateral Movement

MITRE ATT&CK Techniques

Pass the Hash

MITRE Threat Groups

APT1
APT28
APT32
Night Dragon
Soft Cell

Kill Chain Phases

Installation

Data Sources

Windows Security

How to Implement

Implementation of this example (or any of the First Time Seen examples) is generally very simple.

  • Validate that you have the right data onboarded, and that the fields you want to monitor are properly extracted.
  • Save the search.

For most environments, these searches can be run once a day, often overnight, without worrying too much about a slow search. If you wish to run this search more frequently, or if this search is too slow for your environment, we recommend leveraging a lookup cache: a lookup that records the earliest time each value was seen, so that each scheduled run only has to search recent data and compare it against the cached history.

Known False Positives

This is a strictly behavioral search, so we define "false positive" slightly differently. Every time this fires, it accurately reflects the first occurrence of a value in the time period you're searching over (or, for the lookup cache feature, the first occurrence over whatever time period you built the lookup from). So while there are no "false positives" in the traditional sense, there is definitely a lot of noise: for example, any legitimately new trust, or a domain name seen for the first time simply because it has never logged on during the search window, will fire this search.

This search is designed to find older versions of Mimikatz (or other tools with similar techniques), and is not known to have any other false positives.

How To Respond

When this search returns values, initiate your incident response process and identify the account name associated with the new domain. Determine at what time the event occurred and from which system the logon attempt originated. Contact the user and system owner(s) to determine whether it is authorized, and if so document that it is authorized and by whom. If not, the user's credentials may have been used by another party, and additional investigation is warranted to determine whether a Pass the Hash attack was attempted and generated this new domain in the event log.

Help

New AD Domain Detected Help

This example leverages the Detect New Values search assistant. Our dataset is an anonymized collection of Windows logon events from a domain controller. For this analysis, we look for the earliest time each domain name was seen, and check whether that first occurrence falls within the last day.

SPL for New AD Domain Detected

Demo Data

First we pull in our demo dataset.
Here we use the stats command to calculate what the earliest and the latest time is that we have seen this combination of fields.
Next we calculate the most recent time in our demo dataset, to use as the end of the data in place of "now".
We end by seeing if the earliest time we've seen this value is within the last day of the end of our demo dataset.

Live Data

This search will look in your Windows Security logs for the specific artifact left by older versions of Mimikatz (prior to 2017).
Here we use the stats command to calculate what the earliest and the latest time is that we have seen this combination of fields.
We end by seeing if the earliest time we've seen this value is within the last day.
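The first-time-seen logic described above for both the demo data and the live data, as an added example that is not the page's SPL and not Splunk's or Mimikatz's code: a Python implementation run over constructed Windows Security logon events (EventCode 4624). It computes earliest/latest per TargetDomainName the way the stats step does, treats the most recent event as the end of the data in demo mode, and flags domains first seen within the last day. It also shows the lookup cache idea from How to Implement as a persisted earliest-seen dictionary updated per batch. The domain value NEWDOM, the host names and the `exclude_local` option are assumptions of this example; the `exclude_local` filter exists because a local-account logon reports the computer name in TargetDomainName, which is a common source of noise for this search.

```python
"""Added example: first-time-seen detection of AD domain names in Windows
Security logon events, mirroring the page's 'New AD Domain Detected' logic.
Field names follow the Windows Security event fields (EventCode,
TargetDomainName, TargetUserName, Computer); the events are constructed
sample data, not real logs."""
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample 4624 (successful logon) events. CORP is the real domain;
# WS01/WS02 are local-account logons, where TargetDomainName is just the
# computer name; NEWDOM is a hypothetical odd domain stamped into a logon by
# a Pass the Hash tool, appearing on the last day of the data set.
SAMPLE_EVENTS = [
    {"_time": ts("2024-03-01 08:00"), "EventCode": 4624, "TargetDomainName": "CORP", "TargetUserName": "alice", "Computer": "DC01"},
    {"_time": ts("2024-03-02 09:15"), "EventCode": 4624, "TargetDomainName": "WS01", "TargetUserName": "Administrator", "Computer": "WS01"},
    {"_time": ts("2024-03-04 11:30"), "EventCode": 4624, "TargetDomainName": "CORP", "TargetUserName": "bob", "Computer": "DC01"},
    {"_time": ts("2024-03-07 17:45"), "EventCode": 4624, "TargetDomainName": "CORP", "TargetUserName": "alice", "Computer": "DC01"},
    {"_time": ts("2024-03-08 08:05"), "EventCode": 4624, "TargetDomainName": "WS02", "TargetUserName": "Administrator", "Computer": "WS02"},
    {"_time": ts("2024-03-08 09:30"), "EventCode": 4624, "TargetDomainName": "NEWDOM", "TargetUserName": "bob", "Computer": "FS01"},
    {"_time": ts("2024-03-08 10:00"), "EventCode": 4624, "TargetDomainName": "CORP", "TargetUserName": "carol", "Computer": "DC01"},
]


def domain_stats(events, exclude_local=False):
    """Equivalent of `stats earliest(_time) latest(_time) count values(user)
    values(host) by TargetDomainName` over successful logon events."""
    stats = {}
    for e in events:
        if e.get("EventCode") != 4624:
            continue
        dom = e.get("TargetDomainName")
        if not dom:
            continue  # Splunk does not extract empty fields, so they never form a group
        host = e.get("Computer", "").split(".")[0]
        if exclude_local and dom.upper() == host.upper():
            continue  # local-account logon: the domain field is only the hostname (noise)
        s = stats.setdefault(dom, {"earliest": e["_time"], "latest": e["_time"],
                                   "count": 0, "users": set(), "hosts": set()})
        s["earliest"] = min(s["earliest"], e["_time"])
        s["latest"] = max(s["latest"], e["_time"])
        s["count"] += 1
        s["users"].add(e.get("TargetUserName"))
        s["hosts"].add(e.get("Computer"))
    return stats


def new_domains(events, window=timedelta(days=1), now=None, exclude_local=False):
    """Domains whose earliest occurrence lies within `window` of `now`.
    With now=None (demo mode) the end of the data set stands in for now,
    exactly as the demo-data version of the search does."""
    stats = domain_stats(events, exclude_local)
    if not stats:
        return {}
    if now is None:
        now = max(s["latest"] for s in stats.values())
    cutoff = now - window
    return {d: s for d, s in stats.items() if s["earliest"] >= cutoff}


def update_first_seen_cache(cache, events, exclude_local=False):
    """Lookup-cache variant: merge one batch (e.g. the last hour of logs) into a
    persisted dict of domain -> earliest time and return the domains that were
    not in the cache before. Re-running the same batch returns nothing new, so
    the search can be scheduled frequently without rescanning all history."""
    batch = domain_stats(events, exclude_local)
    newly_seen = sorted(d for d in batch if d not in cache)
    for d, s in batch.items():
        cache[d] = min(cache.get(d, s["earliest"]), s["earliest"])
    return newly_seen


if __name__ == "__main__":
    for dom, s in new_domains(SAMPLE_EVENTS, exclude_local=True).items():
        # Each hit carries what the responder needs: account, host and time.
        print(f"NEW DOMAIN {dom}: first seen {s['earliest']}, "
              f"users={sorted(s['users'])}, hosts={sorted(s['hosts'])}")
```

Run without `exclude_local` and the new workstation WS02 fires alongside NEWDOM, which is the kind of noise the Known False Positives section warns about; the hit still carries the account, host and earliest time the How To Respond steps ask you to identify.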