Active Directory Security Monitoring with Splunk, Sysmon, and MITRE ATT&CK Detection

Listen to this Post

Featured Image
Implementing a robust Active Directory (AD) monitoring setup is critical for detecting and mitigating cyber threats. This guide demonstrates how to integrate Splunk, Sysmon, and MITRE ATT&CK for comprehensive detection coverage.

You Should Know:

  1. Centralizing Windows Event Logging with Splunk Universal Forwarder
    To forward Windows Event Logs to Splunk, install the Splunk Universal Forwarder and configure inputs:
 Install Splunk Universal Forwarder
msiexec /i splunkforwarder-x64.msi AGREETOLICENSE=Yes /quiet

Configure inputs.conf for Windows Event Logs
Add-Content -Path "$SPLUNK_HOME\etc\system\local\inputs.conf" -Value @"
[WinEventLog://Security]
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
"@

Restart Splunk Forwarder
Restart-Service SplunkForwarder

2. Enhancing Visibility with Sysmon

Use a custom Sysmon XML configuration to monitor process creation, network connections, and file modifications:

<Sysmon schemaversion="4.90">
<EventFiltering>
<ProcessCreate onmatch="exclude">
<Image condition="is">C:\Windows\System32\svchost.exe</Image>
</ProcessCreate>
<NetworkConnect onmatch="include">
<DestinationPort condition="is">445</DestinationPort>
</NetworkConnect>
</EventFiltering>
</Sysmon>

Install Sysmon with:

sysmon.exe -accepteula -i sysmonconfig.xml

3. Detecting Brute Force Attacks (Event ID 4625)

Splunk query to detect failed logins:

index=wineventlog EventCode=4625 Account_Name!="$" 
| stats count by Account_Name, src_ip 
| where count > 5

4. Detecting PowerShell Execution (T1059.001)

Splunk query for suspicious PowerShell activity:

index=wineventlog EventCode=4104 
| search "ScriptBlockText"=Invoke-Mimikatz OR DownloadString

5. Testing Detections with Atomic Red Team

Simulate attacks to validate detections:

 Brute Force Simulation
Invoke-AtomicTest T1110 -TestNumbers 1

PowerShell Execution Simulation
Invoke-AtomicTest T1059.001 -TestNumbers 1,2

6. Building Custom Alerts in Splunk

Create an alert for suspicious AD modifications:

index=wineventlog EventCode=5136 
| search "ObjectClass"="user" AND "AttributeLDAPDisplayName"="userAccountControl"

What Undercode Say:

A well-configured AD monitoring system with Splunk + Sysmon + MITRE ATT&CK provides deep visibility into threats like lateral movement, credential dumping, and persistence. Automating detection rules and testing them with Atomic Red Team ensures resilience against real-world attacks.

Expected Output:

  • Centralized Windows logs in Splunk
  • Enhanced process & network tracking via Sysmon
  • Detect brute force, PowerShell exploits, and AD changes
  • Validated detections through Atomic Red Team

Prediction:

As attackers evolve, integrating behavioral analytics with Splunk will become essential for detecting stealthy AD attacks.

URL: Active Directory Security Monitoring with Splunk, Sysmon, and MITRE ATT&CK Detection

References:

Reported By: Patrick Bareiss – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram