Massive Computers Reconnaissance

This Indicator of Attack (IoA) detects reconnaissance attacks that generate a massive number of authentication requests to Active Directory (AD) computers. A common attack tool that attackers use is BloodHound, which this IoA can detect in most scenarios.

This IoA supports the following two cases:

An attacker using a domain-joined computer (for example a compromised machine after a phishing attack).
An attacker using a computer outside of the domain (for example a rogue computer connected to the network).

Detection Type	Related to a Common Vulnerabilities and Exposures (CVE)	Available from Tenable.ad version
Behavioral	No	3.14

How the attack works

This IoA focuses on massive authentication requests originating from specific attack tools. In particular, when an attacker uses SharpHound3 (the crawler part of BloodHound), this tool calls some Remote Procedure Call (RPC) functions on all domain machines with a DNS name that resolves and which it can reach via SMB on TCP/445. As a result, the attacker account must authenticate to these computers before it can proceed. This leads to a large number of authentication requests in a short period of time, which triggers this IoA.

In addition to BloodHound, this IoA can detect other attack tools that exhibit a similar behavior.

How the IoA works

Tenable.ad triggers this IoA when it finds a dedicated pattern in a combination of the following conditions: (Default behavior that you can modify through the IoA options.)

Volumetry: During a 1-hour window, if there are authentication requests for more than 10% of the total number of computers in the AD (with a fixed limit of 300 computers).
Source: The requests all come from the same machine IP and domain account.
Diversity: The requests target different domain computers.

Note: Because various domain controllers can answer authentication requests, Tenable.ad aggregates the events from all domain controllers and does the calculation on the sum.

Tenable.ad filters out the same attack during a 15-minute period to limit the number of security alerts. Examples:

If an attacker launches the same attack multiple times during those 15 minutes, Tenable.ad only raises one alert with this IoA.
If an attack takes one hour to complete, Tenable.ad triggers four alerts to remind you that the attack is still in progress.

Note: Tenable.ad offers several configuration options for this IoA. You may need to adapt them depending on the size of each monitored domain (the number of domain-joined computers) to have the fastest possible detection without getting false-positives.

Note: In some situations, this IoA triggers at the same time as the Enumeration of Local Administrators IoA. This is expected because they do not cover exactly the same cases.

Specific modifications to the environment

To analyze NTLM authentication requests, the IoA script automatically configures the policy settings on your domain controllers through the Tenable.ad Group Policy Object (GPO), as follows:

Location of the setting	Security policy setting	Value
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options	Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers	Audit all
	Network security: Restrict NTLM: Audit NTLM authentication in this domain	Enable all
	Network security: Restrict NTLM: Audit Incoming NTLM Traffic	Enable auditing for all accounts

Events Auditing Policy

Provider Name	Channel	Event IDs	Audit Policies	Value
Microsoft-Windows-Security-Netlogon	Microsoft-Windows-NTLM/Operational	8004	Configuration through a dedicated log, enabled by security policy settings.	N/A
Microsoft-Windows-Security-Auditing	Security	4624	├ Category: Logon/Logoff └─ Sub-category: Logon	Success
Microsoft-Windows-Security-Auditing	Security	4769	├ Category: Account Logon └─ Sub-category: Kerberos Service Ticket Operations	Success
			Note: You can modify the options in bold.
Other requirements
Sysmon extension	No
Honey Account	No