Enumeration of Local Administrators

This Indicator of Attack (IoA) detects reconnaissance that enumerates the members of the local Administrators group on domain controllers. BloodHound is a common tool attackers use for this, and this IoA detects it in BloodHound's default configuration.

Tenable.ad supports two detection methods in this IoA, depending on the targeted system:

  • Targeted systems running Windows Server 2016 or later.

  • Targeted systems running Windows Server 2012 R2 or earlier.

Detection Type   Related to a Common Vulnerabilities and Exposures (CVE)   Available from Tenable.ad version
Generic IOC      No                                                        3.14

How the attack works

The attacker uses the SAMR (Security Account Manager Remote) RPC (Remote Procedure Call) interface to list the members of the local Administrators group (as opposed to a domain group) on one or more domain controllers.

How the IoA works

This IoA detects this technique as used by SharpHound3 (the collector component of the BloodHound tool) when it is launched with any of the following configurations:

  • Using the default configuration.

  • Enabling all collection methods.

  • Enabling only the LocalAdmin collection method.

In addition to BloodHound, this IoA can detect other attack tools that use the same technique.

This IoA should not produce false positives (especially on Windows Server 2016 or later) because the detection relies on the specific way SharpHound performs the enumeration, which differs from the implementation in the Microsoft library. For this reason, the IoA does not treat as an attack normal behaviors such as the Microsoft Management Console (MMC) or command-line tools remotely listing the members of the local Administrators group.

The IoA's detection technique is different for systems running Windows Server 2012 R2 or earlier, because Microsoft does not provide the required event (4799) on those systems. For them, Tenable.ad provides another, less robust algorithm and enables it by default. If required, you can disable this option in Tenable.ad.

Note: In most situations, this IoA triggers at the same time as the Massive Computers Reconnaissance IoA. This is expected: the two IoAs overlap, but they do not cover exactly the same cases.
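The following is an added example, not Tenable.ad's code: Tenable does not publish the SharpHound fingerprint the IoA relies on, so this script uses a simpler, openly stated heuristic over the same two signals the page lists. It parses constructed Security-log records in the standard Windows event XML schema, keeps event 4799 (Windows Server 2016 or later) targeting BUILTIN\Administrators and, for older domain controllers, event 4661 handle requests on the same SAM alias (well-known SID S-1-5-32-544, an assumption about the 4661 fields used here), then alerts when one caller touches that group on several distinct computers within a short window. A single administrator listing one DC's Administrators group from MMC does not cross the threshold; a SharpHound LocalAdmin sweep does. Host names, account names, timestamps and the threshold values are all made up for the sample.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators


def _record(event_id, computer, when, subject, data):
    # Constructed Security-log record in the standard Windows event XML schema;
    # only the fields the detector reads are populated (sample data, not a real export).
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{when}"/>'
        f'<Channel>Security</Channel><Computer>{computer}</Computer></System>'
        f'<EventData><Data Name="SubjectUserName">{subject}</Data>'
        f'<Data Name="SubjectDomainName">CORP</Data>{fields}</EventData></Event>'
    )


# 4799 fields for an enumeration of BUILTIN\Administrators (2016+ DCs).
ADMINS_4799 = {"TargetUserName": "Administrators", "TargetDomainName": "Builtin", "TargetSid": ADMINS_SID}
# Assumed 4661 fields for a handle request on the same SAM alias (2012 R2 and earlier DCs).
ADMINS_4661 = {"ObjectServer": "Security Account Manager", "ObjectType": "SAM_ALIAS", "ObjectName": ADMINS_SID}

# Constructed sample: jdoe sweeps three 2016+ DCs and one 2012 R2 DC in under a minute
# (SharpHound-like fan-out), helpdesk lists one DC's Administrators group from MMC,
# and one unrelated Backup Operators lookup is mixed in to show the filtering.
SAMPLE_EVENTS = [
    _record(4799, "DC01.corp.local", "2024-05-01T09:00:01.1234567Z", "jdoe", ADMINS_4799),
    _record(4799, "DC02.corp.local", "2024-05-01T09:00:07.0000000Z", "jdoe", ADMINS_4799),
    _record(4799, "DC02.corp.local", "2024-05-01T09:00:08.0000000Z", "jdoe",
            {"TargetUserName": "Backup Operators", "TargetDomainName": "Builtin", "TargetSid": "S-1-5-32-551"}),
    _record(4799, "DC03.corp.local", "2024-05-01T09:00:12.0000000Z", "jdoe", ADMINS_4799),
    _record(4661, "DC2012.corp.local", "2024-05-01T09:00:40.0000000Z", "jdoe", ADMINS_4661),
    _record(4799, "DC01.corp.local", "2024-05-01T09:15:00.0000000Z", "helpdesk", ADMINS_4799),
]


def _parse_time(system_time):
    # SystemTime carries up to 7 fractional digits; datetime accepts at most 6.
    s = system_time.rstrip("Z")
    if "." in s:
        base, frac = s.split(".", 1)
        s = f"{base}.{frac[:6]}"
    return datetime.fromisoformat(s)


def parse_event(xml_text):
    """Flatten one event XML record into the fields the detector needs."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    return {
        "id": int(system.find("e:EventID", NS).text),
        "host": system.find("e:Computer", NS).text,  # the DC that logged the enumeration
        "time": _parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
        "subject": f'{data.get("SubjectDomainName")}\\{data.get("SubjectUserName")}',
        "data": data,
    }


def is_admins_enumeration(ev):
    """True for the two signals the page lists: 4799 on BUILTIN\\Administrators, or
    4661 granting a handle to the same SAM alias on older domain controllers."""
    d = ev["data"]
    if ev["id"] == 4799:
        return d.get("TargetSid") == ADMINS_SID or (
            d.get("TargetDomainName") == "Builtin" and d.get("TargetUserName") == "Administrators")
    if ev["id"] == 4661:
        return d.get("ObjectType") == "SAM_ALIAS" and d.get("ObjectName") == ADMINS_SID
    return False


def detect(xml_records, window=timedelta(minutes=5), min_hosts=3):
    """Alert once per caller that enumerated BUILTIN\\Administrators on at least
    `min_hosts` distinct computers within any span of length `window`."""
    per_subject = defaultdict(list)
    for ev in map(parse_event, xml_records):
        if is_admins_enumeration(ev):
            per_subject[ev["subject"]].append((ev["time"], ev["host"]))
    alerts = []
    for subject, hits in per_subject.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = [(t, h) for t, h in hits[i:] if t - start <= window]
            hosts = {h for _, h in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({"subject": subject, "hosts": sorted(hosts),
                               "first_seen": start, "last_seen": in_window[-1][0]})
                break  # one alert per caller is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["subject"]} enumerated Administrators on {len(alert["hosts"])} DCs '
              f'between {alert["first_seen"]} and {alert["last_seen"]}: {", ".join(alert["hosts"])}')
```

The fan-out threshold is the part to tune: three DCs in five minutes catches a collector sweep on any but the smallest domains, while a lone MMC or `net localgroup` query against one host stays below it. On a real deployment the records come from forwarded Security logs (4799 requires the Security Group Management subcategory, 4661 the SAM subcategory listed in the audit table below), and the Backup Operators event shows why the filter keys on the group's SID rather than on the event ID alone.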

Specific modifications to the environment

None. Tenable.ad adapts the audit policy to meet the needs of the required Windows event logs.

Events auditing policy

Provider Name                        Channel   Event IDs  Audit Policies Value
Microsoft-Windows-Security-Auditing  Security  4799       Category: Account Management
                                                          Sub-category: Security Group Management
Microsoft-Windows-Security-Auditing  Security  5145       Category: Object Access
                                                          Sub-category: Detailed File Share
Microsoft-Windows-Security-Auditing  Security  4661       Category: Object Access
                                                          Sub-category: SAM
                                                          Category: Object Access
                                                          Sub-category: Handle Manipulation


Other requirements

Sysmon extension   No
Honey Account      No
