IR on Active Directory
AD is a vital component of Windows-based environments: it manages users, computers, security policies, and roles, and it is a prime target for attackers seeking a persistent foothold in an IT environment. Typically, attackers who reach AD will create new user accounts, change the passwords of compromised accounts, or elevate the privileges of accounts they already control. Full visibility into AD is therefore essential. The Windows Security event log on each domain controller records account changes when account-management auditing is enabled, and third-party tools such as Netwrix Auditor can aggregate those records into a full view of AD activity.
Types of Active Directory incidents
There are five main types of incidents that have to be handled on AD.
Handling user account changes
Admins identify this incident when they find unauthorized modifications to an AD user account. The first step is to establish:
- Who performed the modifications?
- When were the modifications made?
- What modifications were made?
- Which domains were affected...
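As an added worked example (not code from the page), the following PowerShell script answers the questions above directly from a domain controller's native Security log. It assumes the account that runs it can read the Security log on the DC, and that the "Audit User Account Management" subcategory is enabled so the listed event IDs are actually written; the `$DomainController`, `$TargetUser` and `$Hours` parameters are assumptions chosen for this illustration.

```powershell
# Added example, not from the page: triage user-account changes from a DC's Security log.
# Assumes read access to the Security log and "Audit User Account Management" enabled.
param(
    [string]$DomainController = $env:COMPUTERNAME,  # assumption: a DC, or run locally on one
    [string]$TargetUser       = '*',                # sAMAccountName to look at (wildcards allowed)
    [int]   $Hours            = 24                  # how far back to search
)

# Native account-management event IDs and what each one records.
$accountEvents = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempted'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4738 = 'User account changed'
    4740 = 'User account locked out'
    4767 = 'User account unlocked'
}

# Fields present in every event that describe actor and target rather than the change itself.
$contextFields = 'SubjectUserSid','SubjectUserName','SubjectDomainName','SubjectLogonId',
                 'TargetUserName','TargetDomainName','TargetSid','PrivilegeList'

$events = Get-WinEvent -ComputerName $DomainController -ErrorAction Stop -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$accountEvents.Keys
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events | ForEach-Object {
    # EventData is easiest to read from the XML form: one <Data Name="..."> element per field.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # In a 4738 every attribute field is present and holds '-' when it did not change,
    # so the non-'-' fields outside the context set are exactly "what was modified".
    $changed = $data.GetEnumerator() |
        Where-Object { $contextFields -notcontains $_.Key -and $_.Value -ne '-' -and $_.Value } |
        ForEach-Object { "$($_.Key)=$($_.Value)" }

    [pscustomobject]@{
        When    = $_.TimeCreated                                          # when was it made
        Who     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"  # who performed it
        Action  = $accountEvents[[int]$_.Id]                               # what kind of change
        Target  = $data.TargetUserName                                     # which account
        Domain  = $data.TargetDomainName                                   # which domain
        Changed = ($changed -join '; ')                                    # what was modified
        LogonId = $data.SubjectLogonId   # links the change to the actor's 4624 logon event
    }
} |
Where-Object { $_.Target -like $TargetUser } |
Sort-Object When |
Format-Table -AutoSize
```

Two caveats a responder should keep in mind: each domain controller logs only the changes it processed itself, so run this against every DC (or a SIEM that collects from all of them) before concluding that no change occurred; and the `LogonId` column is the pivot to the actor's 4624 logon event, which is where the source workstation or IP of the person making the change is recorded.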