Understanding Active Directory Authentication Events in the Windows Security Log and Beyond

Webinar Registration

You can configure domain controllers to log every authentication attempt involving an Active Directory user account to the Windows Security Log. It’s a lot of data to process but there are valuable insights to be gleaned that can be critical to detecting:

  • stolen credentials
  • compromised endpoints
  • lateral movement

Beyond the sheer volume of data, there is the problem of how cryptic AD authentication events are. These events, in the Account Logon category of the Security Log, are tightly coupled to the two main authentication protocols used by Windows: NTLM and Kerberos. To understand Account Logon events, you have to understand Kerberos and, to a lesser degree, NTLM, as well as how Windows specifically uses Kerberos to provide SSO between workstations, servers, and applications in a typical corporate network.

In this Real Training for Free event, I will briefly review how these protocols work and how Windows and AD use them. Then I will zero in on what you can know from these events, and what you can’t. That’s an important distinction, because domain controllers are not omniscient about what’s happening in the domain. After authenticating a user to a workstation or server, DCs are out of the picture: they don’t know how long the user remains logged on or what the user does during that logon session. In fact, the whole concept of the logon session is really disappearing.

So, comprehending the value but also the limitations of AD authentication events is important. Crucial to that is understanding the difference between the Account Logon and the Logon/Logoff categories in the Security Log. The names Microsoft chose long ago for these two categories really muddy the water and create confusion, and that is something we’ll provide clarity on in this session.

Understanding these AD events and putting them to work in your threat hunting and detection efforts is well worth the effort, but it’s also just the beginning, because in today’s hybrid cloud environment authentication activity extends far beyond on-prem workstations and servers. So we will finish this event by looking beyond core AD authentication activity and discussing the many other sources of authentication activity, such as ADFS, cloud-based IAM, strong authentication technologies, and the various applications users access in the cloud. Our sponsor, Rapid7, will lead that part of the discussion and briefly show how their cloud SIEM, InsightIDR, brings together not just on-premises AD security events but authentication activity across your modern, evolving environment.

Please join us for this real training for free event.
