
Alsid for AD Detect

The only solution that can detect sophisticated attacks against Active Directory without the need for any agent or privileges. The ability to detect attacks in real time gives the organization the ability to quickly stop an attack.

  • Uncover major attacks per domain in your AD
  • Visualize every threat from an accurate attack timeline
  • Consolidate attack distribution in a single view
  • Make the link between AD changes and malicious actions
  • Analyze in-depth details of an AD attack
  • Explore the MITRE ATT&CK® description directly from the incident

Detect AD attacks

Specific AD attack detection

Detect specific Active Directory attacks such as DCShadow, brute force, password spraying, DCSync, and more. Some AD attacks, DCShadow in particular, are built to leave no trace in the domain controllers' event logs and therefore run under the SIEM's radar. Alsid, which watches the directory replication stream rather than event logs, catches these attacks and sends the relevant information to your SIEM/SOC.

Alert your SIEM/SOC in real time

Use our SIEM plug-in or our native SYSLOG integration. There is no need to create thousands of rules inside your SIEM and update them every week: simply enable our SIEM modules to avoid false positives and spare your SOC an alert flood.

Integrate with security standards

Alsid for AD maps each detection to MITRE ATT&CK® tactics and techniques, giving an integrated view based on the most widely used framework for describing attacks. Leverage Alsid for AD to extend your security orchestration: any SOAR solution can be connected through our API to run specific playbooks once an AD attack is detected.

4 Pillars of AD Security

Find and fix existing weaknesses

  • Monitors more than 45 Indicators of Exposure in real time
  • Rates compliance to establish a baseline for measuring security progress
  • Leverages a Microsoft API to gather data from the AD replication stream
  • Provides complexity rating for each IoE to achieve quick wins

Uncover new attack pathways

  • Evaluates over 60 security triggers in real time
  • Spots dangerous ACEs for your AD objects in real time
  • Unveils vulnerability details and research links per IoE
  • Supports 500+ customization options per custom profile

Detect ongoing attacks in real time

  • Spots attacks across all domains and forests in real time
  • Continuously monitors for DCSync and DCShadow attacks and reports their details
  • Distinguishes in real time password-related attacks like Password Spray and Brute Force
  • Detects attacks and immediately provides recommended actions to stop the attack

Investigate incidents and hunt for threats

  • Builds searches with customized rules in the Trail Flow
  • Creates detailed searches using the Trail Flow Wizard
  • Forwards Trail Flow messages to a SIEM/SOAR for event correlation
  • Dissects AD replication data and forwarded SYSLOG events to locate the entry point of a breach

Alsid Architecture

Alsid for AD offers two architectures: on-prem, to keep your data on-site and under your control, and SaaS, to leverage the cloud. Either way, no agents and no privileges are required. Just log in to your dedicated cloud platform, set up your VPN, and immediately start reducing your attack surface.

The Simplest Possible Architecture

  • No agents, no privileges
  • Manage several forests and domains from a single Alsid instance
  • Scalable architecture meets your future business needs
  • Built-in redundancies ensure continuity
  • Fully open and documented API enables automation and custom workflows
  • Full RBAC capabilities

Alsid for AD
On-Prem

  • Windows servers deployed on-prem
  • No agents required
  • Use standard Microsoft protocols
  • Micro-services architecture
  • Connect to your SIEM and SOAR

Alsid for AD
SaaS

  • No need for any servers on-prem
  • Dedicated cloud instance
  • Private cloud architecture
  • Choose VPN or TLS connection
  • Use our Azure infrastructure or use your own existing Azure, AWS, or Google instance

Alsid for AD
IN CUSTOMER CLOUD

  • Alsid is fully compatible with all AD managed services from the major cloud providers
  • Check the security of Azure Active Directory Domain Services, AWS Directory Service, or Google Managed Service for Active Directory in real time
  • Alsid is ready for cloud-native companies

Built on MITRE ATT&CK Framework

Industry trusted

MITRE ATT&CK® – “A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge.”

  • Alsid for AD maps directly to MITRE ATT&CK Framework
  • MITRE continues to grow with SHIELD
  • Framework is updated to keep up with new attacks and profiles

Understanding Alsid’s IoE

Our Indicators of Exposure are constantly run against your AD’s hypergraph to uncover weaknesses and attacks.

Privilege attack vectors

These IoEs check that the monitored Active Directory infrastructures cannot be exploited by attackers to gain administrative privileges.

Backdooring techniques

These IoEs check that no backdoor has been planted in your Active Directory environment and that the deployed security strategies remain effective.

Dangerous security models

These IoEs check that the monitored Active Directory infrastructures implement the recommended security practices that harden information systems against cyberattacks.

Class | Indicator of Exposure | Explanation | Known offensive tools | MITRE ATT&CK tactics
C | Privileged accounts running Kerberos services | Highly privileged accounts use a Kerberos Service Principal Name, so their service tickets can be requested by any user and brute-forced offline (Kerberoasting) | Kerberom | Privilege escalation, Lateral movement, Persistence
C | Dangerous Kerberos delegation | Checks that no dangerous delegation (unconstrained, protocol transition, etc.) is authorized | Nishang | Lateral movement, Persistence, Privilege escalation
C | Use of weak cryptographic algorithms in the Active Directory PKI | Root certificates deployed on the internal Active Directory PKI must not use weak cryptographic algorithms | ANSSI-ADCP | Persistence, Privilege escalation, Lateral movement
C | Dangerous access rights delegation on critical objects | Some access rights allowing illegitimate users to control critical objects have been found | BloodHound | Exfiltration, Lateral movement, Command and control, Credential access, Privilege escalation
U, M | Multiple issues in the password policy | On some specific accounts, the current password policies are insufficient to ensure robust credential protection | Patator | Defense evasion, Lateral movement, Credential access, Privilege escalation
C | Dangerous RODC management accounts | The administrative groups in charge of Read-Only Domain Controllers contain abnormal accounts | Impacket | Credential access, Defense evasion, Privilege escalation
C | Sensitive GPOs linked to critical objects | Some GPOs managed by non-administrative accounts are linked to sensitive Active Directory objects (e.g. the KDC account, Domain Controllers, administrative groups) | ANSSI-ADCP | Command and control, Credential access, Persistence, Privilege escalation
U | Administrative accounts allowed to connect to systems other than Domain Controllers | The security policies deployed on the monitored infrastructure do not prevent administrative accounts from connecting to resources other than DCs, exposing sensitive credentials | CrackMapExec | Defense evasion, Credential access
C | Dangerous trust relationship | Misconfigured trust relationship attributes decrease the security of the directory infrastructure | Kekeo | Lateral movement, Credential access, Privilege escalation, Defense evasion
C | Reversible passwords in GPO | Verifies that no GPO contains passwords stored in a reversible format | SMB Password crawler | Credential access, Privilege escalation
M | Computers running an obsolete OS | Obsolete systems are no longer supported by their vendor and greatly increase the exposure of the infrastructure | Metasploit | Lateral movement, Command and control
U, M | Accounts using pre-Windows 2000 compatible access control | Accounts that are members of the Pre-Windows 2000 Compatible Access group can bypass specific security measures | Impacket | Lateral movement, Defense evasion
U | Local administrative account management | Ensures local administrative accounts are managed centrally and securely using LAPS | CrackMapExec | Defense evasion, Credential access, Lateral movement
U | Dangerous anonymous user configuration | Anonymous access is enabled on the monitored Active Directory infrastructure, leaking sensitive information | Impacket | Exfiltration
C | Abnormal RODC filtered attributes | The filtering policies applied on some Read-Only Domain Controllers can lead to sensitive information being cached, allowing privilege escalation | Mimikatz (DCShadow) | Privilege escalation, Defense evasion
U | Lacking restrictions on lateral movement | Lateral movement restrictions have not been activated on the monitored Active Directory infrastructure, allowing attackers to bounce from machine to machine with the same level of privileges | CrackMapExec | Lateral movement
M | Clear-text passwords stored in DC shares | Some files on DC shares, accessible by any authenticated user, are likely to contain clear-text passwords, allowing privilege escalation | SMBSpider | Credential access, Privilege escalation, Persistence
C | Dangerous access control rights on logon scripts | Some scripts run during computer or user logon have dangerous access rights, leading to privilege escalation | Metasploit | Lateral movement, Privilege escalation, Persistence
C | Dangerous parameters used in GPO | Some dangerous parameters (e.g. restricted groups, LM hash computation, NTLM authentication level, sensitive parameters) are set by GPO, creating security breaches | Responder | Discovery, Credential access, Execution, Persistence, Privilege escalation, Defense evasion
U | Dangerous parameters defined in the User Account Control configuration | The userAccountControl attribute of some user accounts defines dangerous flags (e.g. PASSWD_NOTREQD or PARTIAL_SECRETS_ACCOUNT), which endanger the security of those accounts | Mimikatz (LSADump) | Persistence, Privilege escalation, Defense evasion
M | Lacking application of security patches | Some servers registered in Active Directory have not recently applied security updates | Metasploit | Command and control, Privilege escalation, Defense evasion
U | Brute force attempt on user accounts | Some user accounts have been targeted by a brute force attempt | Patator | Credential access
U | Kerberos configuration on user account | Some accounts use a weak Kerberos configuration | Mimikatz (Silver Ticket) | Credential access, Privilege escalation
M | Abnormal share or file stored on the DC | Some domain controllers host unnecessary files or network shares | SMBSpider | Discovery, Exfiltration

Class icons:

User (U)

Machine (M)

Security Component (C)
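Most indicators in this table boil down to LDAP reads that any authenticated user can perform, which is also why the product can work without agents or privileges. The PowerShell below is an added example, not Alsid's code, showing how a practitioner could check a handful of them by hand: Kerberoastable privileged accounts, unconstrained delegation and protocol transition, dangerous userAccountControl flags (which also cover the weak Kerberos configuration row), membership of the Pre-Windows 2000 Compatible Access group, and Group Policy Preferences passwords (cpassword) in SYSVOL. It assumes the RSAT ActiveDirectory module on a domain-joined host; the flag values are the documented userAccountControl bits.

```powershell
# Added example (not Alsid's code): read-only LDAP checks for several IoEs in the table
# above. Assumes the RSAT ActiveDirectory module on a domain-joined host and a plain domain
# user: every attribute queried here is readable by any authenticated user.
Import-Module ActiveDirectory

# Documented userAccountControl bit flags used below.
$UAC = @{
    PASSWD_NOTREQD                 = 0x0020     # no password required
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080     # reversible encryption
    TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
    USE_DES_KEY_ONLY               = 0x200000   # weak Kerberos encryption type
    DONT_REQ_PREAUTH               = 0x400000   # AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000  # RODC secrets account
}
# LDAP_MATCHING_RULE_BIT_AND lets the DC test the flag instead of us fetching every object.
function UacFilter([int]$flag) { "(userAccountControl:1.2.840.113556.1.4.803:=$flag)" }

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($ioe, $objects) {
    foreach ($o in $objects) { $findings.Add([pscustomobject]@{ IoE = $ioe; Object = $o.DistinguishedName }) }
}

# Privileged accounts running Kerberos services: adminCount=1 marks SDProp-protected accounts;
# an SPN on one lets any user request a service ticket and brute-force the account's key offline.
$roastable = Get-ADUser -LDAPFilter '(&(adminCount=1)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))'
Add-Finding 'Privileged account with SPN (Kerberoastable)' $roastable

# Dangerous Kerberos delegation: unconstrained delegation is normal only on domain controllers;
# protocol transition lets a service obtain tickets for any user without that user's credentials.
$dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN
$unconstrained = Get-ADObject -LDAPFilter (UacFilter $UAC.TRUSTED_FOR_DELEGATION) |
    Where-Object { $dcDns -notcontains $_.DistinguishedName }
Add-Finding 'Unconstrained delegation on non-DC' $unconstrained
Add-Finding 'Protocol transition enabled' (Get-ADObject -LDAPFilter (UacFilter $UAC.TRUSTED_TO_AUTH_FOR_DELEGATION))

# Dangerous userAccountControl parameters and weak Kerberos configuration on user accounts.
foreach ($name in 'PASSWD_NOTREQD','ENCRYPTED_TEXT_PWD_ALLOWED','DONT_REQ_PREAUTH','USE_DES_KEY_ONLY','PARTIAL_SECRETS_ACCOUNT') {
    Add-Finding "UAC flag $name" (Get-ADUser -LDAPFilter (UacFilter $UAC[$name]))
}

# Pre-Windows 2000 Compatible Access: Everyone or Anonymous in this group is what makes
# anonymous enumeration and other legacy bypasses possible. Read the member attribute
# directly so foreign security principals do not make Get-ADGroupMember choke.
$pre2k = (Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member).member |
    ForEach-Object { [pscustomobject]@{ DistinguishedName = $_ } }
Add-Finding 'Pre-Windows 2000 Compatible Access member' $pre2k

# Reversible passwords in GPO: Group Policy Preferences store credentials in SYSVOL as a
# "cpassword" attribute under an AES key Microsoft published (MS14-025), and SYSVOL is
# readable by every authenticated user.
$dns    = (Get-ADDomain).DNSRoot
$gppXml = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
$gpp = Get-ChildItem -Path "\\$dns\SYSVOL\$dns\Policies" -Recurse -Include $gppXml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="[^"]+"' |
    ForEach-Object { [pscustomobject]@{ DistinguishedName = $_.Path } }
Add-Finding 'GPP cpassword in SYSVOL' $gpp

$findings | Sort-Object IoE | Format-Table -AutoSize
```

Run it as an ordinary domain user; an empty table is the expected result in a clean domain. The cpassword check reads SYSVOL over SMB, so it also illustrates the "Clear-text passwords stored in DC shares" row: anything an authenticated user can read there, an attacker with one phished credential can read too.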

Class | Indicator of Exposure | Explanation | Known offensive tools | MITRE ATT&CK tactics
C | Ensure SDProp consistency | Controls that the AdminSDHolder object is in a clean state | Mimikatz (Golden Ticket) | Privilege escalation, Persistence
U, M | User primary group ID | Verifies that users' primary group has not been changed | BloodHound | Privilege escalation, Persistence
C | Verify root domain object permissions | Ensures the permissions set on the root domain object are sane | BloodHound | Privilege escalation, Persistence
C | Verify sensitive GPO objects and files permissions | Ensures that permissions set on the GPO objects and files linked to sensitive containers (like the Domain Controllers OU) are sane | BloodHound | Execution, Privilege escalation, Persistence
C | Dangerous access rights on RODC KDC account | The KDC account used on some Read-Only Domain Controllers can be controlled by an illegitimate user account, leading to credential leaks | Mimikatz (DCSync) | Privilege escalation, Persistence
U, M | Sensitive certificates mapped to user accounts | Some X.509 certificates are stored in the altSecurityIdentities attribute of user accounts, allowing the owner of the certificate's private key to authenticate as that user | Not implemented (yet) | Command and control, Credential access, Privilege escalation, Persistence
U | Rogue krbtgt SPN set on regular account | The Service Principal Name of the KDC is present on some regular user account, enabling Kerberos ticket forgery | Mimikatz (Golden Ticket) | Privilege escalation, Persistence
C | KDC password last change | The KDC (krbtgt) account password must be changed regularly | Mimikatz (Golden Ticket) | Credential access, Privilege escalation, Persistence
U, M | Accounts having a dangerous SID History attribute | Checks for user or computer accounts carrying a privileged SID in their sIDHistory attribute | DeathStar | Privilege escalation, Persistence
M | Rogue domain controllers | Ensures only legitimate Domain Controller servers are registered in the Active Directory infrastructure | Mimikatz (DCShadow) | Execution, Defense evasion, Privilege escalation, Persistence
C | Illegitimate BitLocker key access control | Some BitLocker recovery keys stored in Active Directory can be accessed by people other than administrators and the linked computers | ANSSI-ADCP | Credential access, Privilege escalation, Persistence
C | Abnormal entries in the Schema security descriptor | The Active Directory schema has been modified, leading to new default access rights or objects that can endanger the monitored infrastructure | BloodHound | Privilege escalation, Persistence
U | DSRM account activated | The Directory Services Restore Mode (DSRM) administrator account has been enabled for logon, exposing it to credential theft | Mimikatz (LSADump) | Credential access, Execution, Defense evasion, Privilege escalation, Persistence
C | Dangerous caching policy on RODC | The caching policy configured on some Read-Only Domain Controllers allows global administrative accounts to have their credentials cached and retrieved by RODC management accounts | Mimikatz (DCSync) | Privilege escalation, Persistence
C | Certificate deployed by GPO applied on DCs | Some GPOs are used to deploy certificates on Domain Controllers, allowing the owner of the certificate's private key to compromise these servers | BloodHound | Privilege escalation, Persistence
U | Authentication hash not renewed when using smartcard | Some user accounts using smartcard authentication do not renew their credential hash frequently enough | Mimikatz (LSADump) | Persistence
U | Reversible passwords for user accounts | Verifies that no setting causes passwords to be stored in a reversible format | Mimikatz (DCSync) | Credential access
C | Use of explicit deny access on containers | Some Active Directory containers or OUs define explicit deny ACEs, which can be used to conceal a backdoor | BloodHound | Defense evasion, Persistence

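Several rows of this table describe persistence that survives a password reset or a group clean-up because it lives in attributes most tooling never displays. The PowerShell below is an added example, not Alsid's code, of how to look for a few of them: control rights on AdminSDHolder, a same-domain or privileged SID in sIDHistory, the KDC's SPN on a regular account, krbtgt password age, tampered primaryGroupID values, certificates mapped in altSecurityIdentities, and nTDSDSA objects that do not belong to a known domain controller. It assumes the RSAT ActiveDirectory module on a domain-joined host and a plain domain user; the 180-day krbtgt threshold, the "core trustee" list for AdminSDHolder and the msDS-HasDomainNCs filter on nTDSDSA objects are assumptions to review against your own baseline.

```powershell
# Added example (not Alsid's code): read-only checks for several backdooring IoEs above.
# Assumes the RSAT ActiveDirectory module on a domain-joined host and a plain domain user
# (AdminSDHolder's ACL is readable by Authenticated Users). The 180-day krbtgt threshold,
# the core-trustee list and the msDS-HasDomainNCs filter are assumptions.
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value
$configNC  = (Get-ADRootDSE).configurationNamingContext
$findings  = [System.Collections.Generic.List[object]]::new()
function Add-Finding($ioe, $subject, $detail) {
    $findings.Add([pscustomobject]@{ IoE = $ioe; Subject = $subject; Detail = $detail })
}

# SDProp consistency: every hour SDProp copies AdminSDHolder's ACL onto all protected
# accounts, so one control right granted here is a domain-wide, self-repairing backdoor.
$coreTrustees  = @("$domainSid-512", "$domainSid-519", 'S-1-5-32-544', 'S-1-5-18')  # DA, EA, Administrators, SYSTEM
$controlRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'
$acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
foreach ($ace in ($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })) {
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $sid = "$($ace.IdentityReference)" }
    if ($coreTrustees -contains $sid) { continue }
    $rights = "$($ace.ActiveDirectoryRights)" -split ',\s*'
    if ($rights | Where-Object { $controlRights -contains $_ }) {
        Add-Finding 'AdminSDHolder: control right for non-core trustee' $ace.IdentityReference $ace.ActiveDirectoryRights
    }
}

# Dangerous SID History: sIDHistory exists for SIDs migrated from another domain. A SID from
# this domain, or a well-known privileged RID, was put there by hand (or through DCShadow).
$privRids    = 500, 512, 516, 518, 519, 521
$privBuiltin = 'S-1-5-32-544', 'S-1-5-32-548', 'S-1-5-32-549', 'S-1-5-32-550', 'S-1-5-32-551'
foreach ($obj in Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory) {
    foreach ($sid in $obj.sIDHistory) {
        $s   = "$sid"
        $rid = [int]($s -split '-')[-1]
        if ($s -like "$domainSid-*" -or $privBuiltin -contains $s -or $privRids -contains $rid) {
            Add-Finding 'Dangerous SID History' $obj.DistinguishedName $s
        }
    }
}

# Rogue krbtgt SPN: only krbtgt and the RODC krbtgt_NNNNN accounts legitimately carry the KDC's SPN.
Get-ADObject -LDAPFilter '(&(|(servicePrincipalName=kadmin/changepw)(servicePrincipalName=krbtgt/*))(!(sAMAccountName=krbtgt*)))' |
    ForEach-Object { Add-Finding 'Rogue krbtgt SPN on regular account' $_.DistinguishedName '' }

# KDC password age: a Golden Ticket forged with the current krbtgt key stays valid until the
# password has been changed twice, because the previous key is still accepted.
$krbtgt  = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
$ageDays = [int](New-TimeSpan -Start $krbtgt.PasswordLastSet -End (Get-Date)).TotalDays
if ($ageDays -gt 180) { Add-Finding 'KDC password last change' 'krbtgt' "$ageDays days ago" }

# Primary group ID: users default to 513 (Domain Users; Guest is 514), computers to 515,
# DCs to 516, RODCs to 521. Any other value is a group membership that neither the group's
# member attribute nor most tooling will show.
Get-ADUser -LDAPFilter '(&(!(primaryGroupID=513))(!(primaryGroupID=514)))' -Properties primaryGroupID |
    ForEach-Object { Add-Finding 'Abnormal user primaryGroupID' $_.DistinguishedName $_.primaryGroupID }
Get-ADComputer -LDAPFilter '(&(!(primaryGroupID=515))(!(primaryGroupID=516))(!(primaryGroupID=521)))' -Properties primaryGroupID |
    ForEach-Object { Add-Finding 'Abnormal computer primaryGroupID' $_.DistinguishedName $_.primaryGroupID }

# Certificates mapped to user accounts: whoever holds a mapped certificate's private key
# can log on as that user without ever knowing its password.
Get-ADUser -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities |
    ForEach-Object { Add-Finding 'Certificate mapped to user' $_.DistinguishedName ($_.altSecurityIdentities -join '; ') }

# Rogue domain controllers: a DC is an nTDSDSA object in the configuration partition.
# DCShadow registers one for a few seconds, so a polling check like this mostly finds
# leftovers; catching it live is what watching the replication stream is for.
$knownNtds = (Get-ADDomainController -Filter *).NTDSSettingsObjectDN
Get-ADObject -LDAPFilter "(&(objectClass=nTDSDSA)(msDS-HasDomainNCs=$($domain.DistinguishedName)))" -SearchBase $configNC |
    Where-Object { $knownNtds -notcontains $_.DistinguishedName } |
    ForEach-Object { Add-Finding 'Unexpected nTDSDSA object (rogue DC?)' $_.DistinguishedName '' }

$findings | Sort-Object IoE | Format-Table -AutoSize -Wrap
```

The AdminSDHolder check deliberately ignores property-level rights (WriteProperty, ExtendedRight, Self) because default entries such as SELF, Everyone or Cert Publishers legitimately carry some; compare those against a known-good export of the ACL rather than against a hard-coded list.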

Class | Indicator of Exposure | Explanation | Known offensive tools | MITRE ATT&CK tactics
U, M | Native administrative group members | Abnormal accounts in the native administrative groups of Active Directory | Impacket | Persistence, Execution, Privilege escalation, Defense evasion
U | Accounts with never-expiring passwords | Accounts with the DONT_EXPIRE_PASSWD flag set in userAccountControl are not affected by the password renewal policy | Impacket | Persistence
U | Recent use of the default administrator account | The built-in Administrator account has been used recently | Mimikatz (Token Impersonate) | Command and control
C | Protected Users group not created or not used | Verifies that the Protected Users group has been created in the Active Directory forest and is actually used | Mimikatz (Silver Ticket) | Credential access
C | Presence of blocking OUs | Some organizational units block inheritance of the security policies deployed by GPO | Responder | Persistence
M | Inappropriate number of Domain Controllers | Compared to the size of the monitored Active Directory infrastructure, the number of Domain Controllers seems inappropriate | Metasploit | Discovery
C | Unlinked, disabled or orphan GPOs | Unlinked, disabled or orphan GPOs can lead to administrative errors | GPOInjection | Defense evasion
U, M | Sleeping accounts | Unused (sleeping) accounts are still enabled | Mimikatz (Token Impersonate) | Persistence
U, M | AdminCount attribute set on standard users | Some decommissioned administrative accounts still carry adminCount=1 and therefore cannot be managed through normal ACL inheritance | CrackMapExec | Persistence, Privilege escalation
U, M | Disabled accounts in privileged groups | Accounts that are no longer used should not remain in privileged groups | Mimikatz (Silver Ticket) | Persistence
C | Domains have an outdated functional level | A low functional level prevents the use of advanced functionalities and security improvements | Patator | Defense evasion
C | Domain using a dangerous backward-compatibility configuration | The dSHeuristics attribute can modify AD behavior and have security impacts | Enum | Credential access, Privilege escalation, Defense evasion
U | Lacking the use of Managed Service Accounts | Some compatible service accounts do not use the Active Directory Managed Service Accounts feature to automatically renew their password | Patator | Defense evasion
C | Lacking the use of Advanced Audit Policy | The modern Active Directory event logging feature is not used, leading to inadequate security event monitoring | Mimikatz (LSADump) | Defense evasion
C | Lack of Active Directory backups | The monitored AD infrastructure does not seem to be backed up regularly | Impacket | Defense evasion
U, M | Regular users can add new computers to the AD domain | Regular users are allowed to add new computers to the monitored Active Directory domains without approval from the administrative teams | Mimikatz (DCShadow) | Persistence, Privilege escalation
C | Active Directory event logs not centralized | Active Directory event logs do not appear to be centralized and harvested to ensure efficient incident response | Metasploit | Defense evasion
U, M | Account naming convention not fully respected | Some accounts do not follow the naming convention defined for the monitored infrastructure | Responder | Defense evasion
C | Use of non-canonical ACEs | Some access control lists set on Active Directory objects use non-canonical ACE ordering, which can lead to misleading effective permissions | Empire | Persistence

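The hygiene rows of this table are the easiest to verify by hand, and several of them are the reason the "no privileges" claim above matters: a plain domain user sees all of it. The PowerShell below is an added example, not Alsid's code, checking orphaned adminCount values, disabled accounts still in privileged groups, never-expiring passwords, sleeping accounts, the machine account quota, the Protected Users group, the domain functional level and dSHeuristics. It assumes the RSAT ActiveDirectory module on a domain-joined host; the 90-day inactivity window and the Windows Server 2012 R2 functional-level floor are assumptions, as is the list of SDProp-protected groups (the default set for a single domain).

```powershell
# Added example (not Alsid's code): read-only checks for several hygiene IoEs above.
# Assumes the RSAT ActiveDirectory module on a domain-joined host and a plain domain user.
# The 90-day inactivity window, the 2012 R2 functional-level floor and the protected-group
# list (default single-domain set) are assumptions.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding($ioe, $subject, $detail) {
    $findings.Add([pscustomobject]@{ IoE = $ioe; Subject = $subject; Detail = $detail })
}
$uacDisabled      = 0x0002
$uacDontExpirePwd = 0x10000

# Groups whose members SDProp stamps with adminCount=1. Enterprise/Schema Admins only exist
# in the forest root, so missing groups are simply skipped.
$protectedGroups = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators','Account Operators',
    'Backup Operators','Server Operators','Print Operators','Domain Controllers','Read-only Domain Controllers','Replicator'
$groupDns = foreach ($g in $protectedGroups) { (Get-ADGroup -LDAPFilter "(sAMAccountName=$g)").DistinguishedName }
# LDAP_MATCHING_RULE_IN_CHAIN resolves nested membership on the DC side.
$clauses     = ($groupDns | Where-Object { $_ } | ForEach-Object { "(memberOf:1.2.840.113556.1.4.1941:=$_)" }) -join ''
$inProtected = "(|$clauses)"

# Orphaned adminCount: SDProp sets adminCount=1 but never clears it, so an account removed
# from a protected group keeps a locked ACL (inheritance disabled) and becomes unmanageable.
Get-ADUser -LDAPFilter "(&(adminCount=1)(!(sAMAccountName=krbtgt))(!$inProtected))" |
    ForEach-Object { Add-Finding 'AdminCount set on standard user' $_.DistinguishedName '' }

# Disabled accounts still sitting in privileged groups.
Get-ADUser -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=$uacDisabled)$inProtected)" |
    ForEach-Object { Add-Finding 'Disabled account in privileged group' $_.DistinguishedName '' }

# Never-expiring passwords on enabled accounts.
Get-ADUser -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=$uacDontExpirePwd)(!(userAccountControl:1.2.840.113556.1.4.803:=$uacDisabled)))" |
    ForEach-Object { Add-Finding 'Never-expiring password' $_.DistinguishedName '' }

# Sleeping accounts: enabled but no logon for 90 days. lastLogonTimestamp is replicated
# (unlike lastLogon) but only refreshed every ~14 days, hence the coarse window.
$cutoff = (Get-Date).AddDays(-90).ToFileTimeUtc()
Get-ADObject -LDAPFilter "(&(|(objectCategory=person)(objectCategory=computer))(!(userAccountControl:1.2.840.113556.1.4.803:=$uacDisabled))(lastLogonTimestamp<=$cutoff))" -Properties lastLogonTimestamp |
    ForEach-Object { Add-Finding 'Sleeping account' $_.DistinguishedName ([DateTime]::FromFileTimeUtc($_.lastLogonTimestamp).ToString('u')) }

# Machine account quota: any user may join ms-DS-MachineAccountQuota computers (default 10),
# and a computer account they control is a starting point for DCShadow and delegation abuse.
$maq = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($maq -gt 0) { Add-Finding 'Regular users can add computers' $domain.DNSRoot "ms-DS-MachineAccountQuota = $maq" }

# Protected Users group present and populated.
$pu = Get-ADGroup -LDAPFilter '(sAMAccountName=Protected Users)' -Properties member
if (-not $pu)            { Add-Finding 'Protected Users group not created' $domain.DNSRoot '' }
elseif (-not $pu.member) { Add-Finding 'Protected Users group not used'    $domain.DNSRoot '' }

# Functional level and dSHeuristics (7th character '2' re-enables anonymous LDAP operations).
if ([int]$domain.DomainMode -lt [int][Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2012R2Domain) {
    Add-Finding 'Outdated domain functional level' $domain.DNSRoot "$($domain.DomainMode)"
}
$dsDn = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$dsh  = (Get-ADObject -Identity $dsDn -Properties dSHeuristics).dSHeuristics
if ($dsh) {
    $detail = if ($dsh.Length -ge 7 -and $dsh[6] -eq '2') { "$dsh (anonymous LDAP enabled)" } else { "$dsh (non-default, review)" }
    Add-Finding 'dSHeuristics set' $domain.DNSRoot $detail
}

$findings | Sort-Object IoE | Format-Table -AutoSize -Wrap
```

Note that ms-DS-MachineAccountQuota is only half of the "regular users can add computers" story: the "Add workstations to domain" user right (SeMachineAccountPrivilege) in the Default Domain Controllers Policy is what grants the ability in the first place, and that lives in Group Policy rather than in a directory attribute.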
