Synopsis
| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Identity Analytics |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.
Attacker's Goals
A malicious user may attempt to access a domain controller in order to gain control of Active Directory.
Investigative actions
- Confirm whether the user is a Domain Admin account; by default, Administrator groups are permitted to log on to the domain controller.
- Check whether the user is a service account that accesses a domain controller as part of its normal behavior.
- Verify that the user is not merely authenticating for Group Policy processing.
Variations
Rare RDP User Login to Domain Controller by an Abnormal Department
Synopsis
| Field | Value |
| --- | --- |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.
Attacker's Goals
A malicious user may attempt to access a domain controller in order to gain control of Active Directory.
Investigative actions
- Confirm whether the user is a Domain Admin account; by default, Administrator groups are permitted to log on to the domain controller.
- Check whether the user is a service account that accesses a domain controller as part of its normal behavior.
- Verify that the user is not merely authenticating for Group Policy processing.
Abnormal RDP User Login to Domain Controller
Synopsis
| Field | Value |
| --- | --- |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Low |
Description
A user account has successfully interactively logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.
Attacker's Goals
A malicious user may attempt to access a domain controller in order to gain control of Active Directory.
Investigative actions
- Confirm whether the user is a Domain Admin account; by default, Administrator groups are permitted to log on to the domain controller.
- Check whether the user is a service account that accesses a domain controller as part of its normal behavior.
- Verify that the user is not merely authenticating for Group Policy processing.
RDP User Login to Domain Controller
Synopsis
| Field | Value |
| --- | --- |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.
Attacker's Goals
A malicious user may attempt to access a domain controller in order to gain control of Active Directory.
Investigative actions
- Confirm whether the user is a Domain Admin account; by default, Administrator groups are permitted to log on to the domain controller.
- Check whether the user is a service account that accesses a domain controller as part of its normal behavior.
- Verify that the user is not merely authenticating for Group Policy processing.
Abnormal User Login to Domain Controller by an Abnormal Department
Synopsis
| Field | Value |
| --- | --- |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A user account has successfully logged on to a Domain Controller (DC), generating a Windows Event Log. This may be a sign of DC and Active Directory (AD) compromise.
Attacker's Goals
A malicious user may attempt to access a domain controller in order to gain control of Active Directory.
Investigative actions
- Confirm whether the user is a Domain Admin account; by default, Administrator groups are permitted to log on to the domain controller.
- Check whether the user is a service account that accesses a domain controller as part of its normal behavior.
- Verify that the user is not merely authenticating for Group Policy processing.