Enumeration of Local Administrators
This Indicator of Attack (IoA) detects reconnaissance attacks that enumerate the members of the Local Administrator group on domain controllers. A common attack tool that attackers use is BloodHound, which this IoA can detect in BloodHound's default configuration.
Tenable.ad supports two methods in this IoA:
- Targeted systems for Windows versions 2016 or later.
- Targeted systems for Windows versions 2012 R2 or earlier.
Detection Type | Related to a Common Vulnerabilities and Exposures (CVE) | Available from Tenable.ad version |
---|---|---|
Generic IOC | No | 3.14 |
How the attack works
The attacker uses the SAMR RPC (Remote Procedure Call) interface to list the members of the local Administrators group (not a domain group) of some domain controllers.
How the IoA works
This IoA can detect this technique, which SharpHound3 (the crawler part of the BloodHound tool) uses when it is launched through the following configurations:
- Using the default configuration.
- Enabling all collection methods.
- Enabling only the LocalAdmin collection method.
In addition to BloodHound, this IoA can detect other attack tools that use the same technique.
You should not see false positives (especially for Windows versions 2016+) because the IoA detection relies on the SharpHound implementation, which differs from the Microsoft library. For this reason, the IoA does not consider as an attack such normal behaviors as the Microsoft Management Console (MMC) and command-line tools remotely listing the members of the local Administrators group.
The IoA's detection technique is different for systems running Windows versions earlier than 2012 R2, because Microsoft does not provide the required event for older systems. Tenable.ad provides another, less robust algorithm and enables it by default for older systems. If required, you can disable this option in Tenable.ad.
Specific modifications to the environment
None. Tenable.ad adapts the audit policy to meet the needs of the required Windows event logs.
Events auditing policy

Provider Name | Channel | Event IDs | Audit Policies | Value
---|---|---|---|---
Microsoft-Windows-Security-Auditing | Security | 4799 | Category: Account Management / Sub-category: Security Group Management | Success
Microsoft-Windows-Security-Auditing | Security | 5145 | Category: Object Access / Sub-category: Detailed File Share | Success
Microsoft-Windows-Security-Auditing | Security | 4661 | Category: Object Access / Sub-category: SAM, and Category: Object Access / Sub-category: Handle Manipulation | Success
Other requirements | |
---|---
Sysmon extension | No
Honey Account | No
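The "How the IoA works" section and the audit table above describe the technique (a remote SAMR call listing the built-in Administrators group) and the Security events it leaves behind (4799, 5145, 4661). The following is an added illustration, not Tenable.ad's own algorithm and not code from this page: it correlates a 4799 on the built-in Administrators group (SID S-1-5-32-544) with a preceding 5145 showing the `samr` named pipe opened over IPC$ under the same logon ID, which distinguishes a remote SAMR enumeration from a purely local one. The event records and their values are constructed for the example, and unlike the real IoA it does not fingerprint SharpHound's specific call pattern.

```python
from datetime import datetime, timedelta

# Well-known SID of the built-in local Administrators group.
BUILTIN_ADMINS_SID = "S-1-5-32-544"

# Constructed sample events (not real logs). Keys mirror the EventData field
# names Windows uses for Security events 4799, 5145 and 4661.
SAMPLE_EVENTS = [
    {"EventID": 5145, "TimeCreated": "2024-01-10T09:00:01", "SubjectLogonId": "0x3e7a1",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "samr", "IpAddress": "10.0.0.25"},
    {"EventID": 4661, "TimeCreated": "2024-01-10T09:00:01", "SubjectLogonId": "0x3e7a1",
     "ObjectType": "SAM_ALIAS", "ObjectName": BUILTIN_ADMINS_SID},
    {"EventID": 4799, "TimeCreated": "2024-01-10T09:00:02", "SubjectLogonId": "0x3e7a1",
     "TargetUserName": "Administrators", "TargetSid": BUILTIN_ADMINS_SID},
    # Local enumeration by an admin console: no samr pipe open for this logon ID.
    {"EventID": 4799, "TimeCreated": "2024-01-10T09:05:00", "SubjectLogonId": "0x12345",
     "TargetUserName": "Administrators", "TargetSid": BUILTIN_ADMINS_SID,
     "CallerProcessName": "C:\\Windows\\System32\\mmc.exe"},
]


def correlate(events, window=timedelta(seconds=5)):
    """Return one alert per 4799 on the built-in Administrators group that is
    preceded, within `window` and under the same logon ID, by a 5145 recording
    the SAMR named pipe being opened over IPC$ (i.e. the query came in remotely)."""
    ts = lambda e: datetime.fromisoformat(e["TimeCreated"])
    samr_opens = [e for e in events
                  if e["EventID"] == 5145
                  and e.get("RelativeTargetName", "").lower() == "samr"]
    alerts = []
    for e in events:
        if e["EventID"] != 4799 or e.get("TargetSid") != BUILTIN_ADMINS_SID:
            continue
        for s in samr_opens:
            delta = (ts(e) - ts(s)).total_seconds()
            if s["SubjectLogonId"] == e["SubjectLogonId"] and 0 <= delta <= window.total_seconds():
                alerts.append({"logon_id": e["SubjectLogonId"],
                               "source_ip": s["IpAddress"],
                               "time": e["TimeCreated"]})
                break  # one alert per enumeration event
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("remote local-admin enumeration:", alert)
```

Only the first 4799 is reported, because the second one has no samr pipe open under its logon ID and so looks like local console activity.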