Massive Computers Reconnaissance
This Indicator of Attack (IoA) detects reconnaissance attacks that generate a massive number of authentication requests to Active Directory (AD) computers. A common attack tool that attackers use is BloodHound, which this IoA can detect in most scenarios.
This IoA supports the following two cases:
An attacker using a domain-joined computer (for example a compromised machine after a phishing attack).
An attacker using a computer outside of the domain (for example a rogue computer connected to the network).
| Detection Type | Related to a Common Vulnerabilities and Exposures (CVE) | Available from Tenable.ad version |
How the attack works
This IoA focuses on massive authentication requests originating from specific attack tools. In particular, when an attacker uses SharpHound3 (the crawler part of BloodHound), this tool calls some Remote Procedure Call (RPC) functions on all domain machines with a DNS name that resolves and which it can reach via SMB on TCP/445. As a result, the attacker account must authenticate to these computers before it can proceed. This leads to a large number of authentication requests in a short period of time, which triggers this IoA.
In addition to BloodHound, this IoA can detect other attack tools that exhibit a similar behavior.
How the IoA works
Tenable.ad triggers this IoA when it finds a dedicated pattern in a combination of the following conditions. This is the default behavior, which you can modify through the IoA options.
Volumetry: Within a 1-hour window, there are authentication requests for more than 10% of the total number of computers in the AD (with a fixed limit of 300 computers).
Source: The requests all come from the same machine IP and domain account.
Diversity: The requests target different domain computers.
Note: Because various domain controllers can answer authentication requests, Tenable.ad aggregates the events from all domain controllers and does the calculation on the sum.
Tenable.ad filters out the same attack during a 15-minute period to limit the number of security alerts. Examples:
If an attacker launches the same attack multiple times during those 15 minutes, Tenable.ad only raises one alert with this IoA.
If an attack takes one hour to complete, Tenable.ad triggers four alerts to remind you that the attack is still in progress.
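The following is an added example, not Tenable.ad code, that models the detection logic described above over a constructed authentication log: events from all domain controllers are pooled, requests are grouped by source IP and account, distinct target computers are counted in a sliding 1-hour window against a 10% threshold with a 300-computer limit (assumed here to be an upper bound), and repeat alerts for the same source are suppressed for 15 minutes. The event tuple layout, the DC names and the IP addresses are constructed for the example.

```python
from collections import deque, Counter, defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)       # volumetry window from the IoA description
SUPPRESS = timedelta(minutes=15)  # the same attack is reported at most once per 15 minutes
PERCENT, CAP = 10, 300            # more than 10% of AD computers, fixed limit of 300

def threshold(total_computers):
    # Assumption: the "fixed limit of 300" caps the computed 10% figure.
    return min(total_computers * PERCENT // 100, CAP)

def detect(events, total_computers):
    """events: iterable of (timestamp, reporting_dc, source_ip, account, target_computer).
    Returns a list of (alert_time, source_ip, account, distinct_targets)."""
    limit = threshold(total_computers)
    alerts = []
    # Aggregate across DCs: key on source machine and account only; the reporting DC is ignored.
    state = defaultdict(lambda: {"win": deque(), "seen": Counter(), "last": None})
    for ts, _dc, src_ip, account, target in sorted(events, key=lambda e: e[0]):
        s = state[(src_ip, account)]
        s["win"].append((ts, target))
        s["seen"][target] += 1
        # Expire events that fell out of the 1-hour sliding window.
        while ts - s["win"][0][0] > WINDOW:
            _, old = s["win"].popleft()
            s["seen"][old] -= 1
            if s["seen"][old] == 0:
                del s["seen"][old]
        distinct = len(s["seen"])  # diversity: number of distinct target computers
        if distinct > limit and (s["last"] is None or ts - s["last"] >= SUPPRESS):
            alerts.append((ts, src_ip, account, distinct))
            s["last"] = ts
    return alerts

def sample_events():
    """Constructed log: a crawler-style sweep seen by two DCs, plus benign help-desk activity."""
    t0 = datetime(2024, 1, 1, 9, 0)
    events = []
    # 40 distinct targets over 40 minutes, alternating reporting DC, so each DC alone sees only 20.
    for i in range(40):
        dc = "DC01" if i % 2 == 0 else "DC02"
        events.append((t0 + timedelta(minutes=i), dc, "10.0.0.5", "CORP\\jdoe", f"WS{i:03d}"))
    # A help-desk account touching three servers twice each: too little diversity to trigger.
    for i in range(6):
        events.append((t0 + timedelta(minutes=5 * i), "DC01", "10.0.0.9", "CORP\\helpdesk", f"SRV{i % 3}"))
    return events

if __name__ == "__main__":
    for alert in detect(sample_events(), total_computers=100):
        print(alert)
```

With 100 computers the threshold is 10, so the sweep alerts at the 11th distinct target and again 15 minutes later while it continues; the help-desk account never alerts.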
Specific modifications to the environment
To analyze NTLM authentication requests, the IoA script automatically configures the policy settings on your domain controllers through the Tenable.ad Group Policy Object (GPO), as follows:
| Location of the setting | Security policy setting | Value |
| Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options | Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Audit all |
| Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options | Network security: Restrict NTLM: Audit NTLM authentication in this domain | Enable all |
| Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options | Network security: Restrict NTLM: Audit Incoming NTLM Traffic | Enable auditing for all accounts |
Events Auditing Policy