Jun 20 2023

What Is Active Directory Monitoring and Why Is AD a Target for Hackers?

Step up your level of ransomware protection with AD monitoring tools which detect security breaches in credential repositories.

A key pillar of the shift to zero-trust architectures for cybersecurity is identity and access management. It’s crucial for organizations’ IT security teams to know who is on their networks and to verify that they are who they claim to be.

That’s with good reason: According to CrowdStrike’s 2023 Global Threat Report, 80 percent of cyberattacks used some form of identity-based techniques to “compromise legitimate credentials and try to evade detection.” The 2023 report notes that malicious actors are “doubling down on stolen credentials, with a 112 percent year-over-year increase in advertisements for access-broker services identified in the criminal underground.”

One key vector for cyberattacks is Microsoft’s Active Directory, or AD, which is a foundational directory service used by many organizations to define user permissions and to control which assets and networks they can access. If Active Directory is compromised, attackers can gain unauthorized access to a company’s data, experts say.

That’s why AD monitoring is crucial and why organizations should look to invest in anomaly detection tools to safeguard AD from attacks. Here’s everything you need to know about Active Directory monitoring and how it impacts zero-trust efforts in your organization.


What Is Active Directory?

Active Directory is a directory service from Microsoft used in corporate settings to manage and store details about network resources, explains Lisa Plaggemier, executive director of the National Cybersecurity Alliance.

“These resources include users, computers, printers and services,” she says. “AD provides administrators a platform to organize these resources, regulate access and enforce security protocols.”

Jeff McJunkin, a principal instructor at the SANS Institute and founder of cybersecurity firm Rogue Valley Information Security, says that “the vast majority of organizations” use AD for “managing their computers, user accounts, group memberships within their environment and a lot of management of those users and computers and servers.”

What Is Active Directory Monitoring?

Active Directory monitoring, Plaggemier says, “is the process of vigilantly observing the health and security of the Active Directory environment.” Organizations may do this by tracking alterations to user privileges, identifying failed login attempts, observing for uncommon activity and guaranteeing optimal system performance, she says.

“The primary objective of AD monitoring is to uphold system integrity, availability and security,” Plaggemier adds.

AD monitoring often is not something that is set up by default, according to McJunkin. “But it turns out if an attacker inside your environment wants to gain control of a server, and you use Active Directory, that is very commonly the system they will abuse,” he says.


“If an attacker gains access to something like the built-in domain admins group, you will have a new group member in many cases, and monitoring would, as one easy example, let you know that, ‘Hey, look, there’s a new domain admin with a username of HackerHacker. We probably should have some alerts based upon that.’” 

In practice, however, that monitoring is often not active, McJunkin says, and organizations will only know that something is amiss if an attacker breaks production on AD or a staff member lodges a complaint. Then, IT security teams investigate.

AD monitoring tools let organizations know that changes are occurring to Active Directory, says Rob Clyde, board director for ISACA and executive chair of the board of directors for White Cloud Security. If AD monitoring is done well, it will include anomaly detection tools, Clyde says, to scan for strange details or changes that aren’t in the audit log and didn’t go through a normal process.

“But you could still tell from one point in time to the next that the change occurred,” he says. “How did that happen? It’s like making an accounting change without having it show up in a general ledger.”
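As an added illustration of the two cases described above (the new Domain Admins member McJunkin mentions, and the change that shows up between two points in time without an audit-log entry that Clyde describes), the following script is written for this article and is not tooling from any vendor named here. It diffs two constructed snapshots of Domain Admins membership and checks each change against constructed Windows Security log events (Event ID 4728, member added to a security-enabled global group; 4729, member removed); all sample data is made up.

```python
"""Compare two point-in-time snapshots of a privileged group and
cross-check each change against audit events (constructed sample data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: Domain Admins membership at two points in time.
SNAPSHOT_T0 = {"Administrator", "alice.admin"}
SNAPSHOT_T1 = {"Administrator", "alice.admin", "HackerHacker", "svc-backup"}

# Constructed sample of Security log entries. 4728 = member added to a
# security-enabled global group, 4729 = member removed. Only one of the
# two new members has a matching audit event.
AUDIT_EVENTS = [
    {"EventID": 4728, "TargetGroup": "Domain Admins",
     "Member": "svc-backup", "Subject": "alice.admin"},
    {"EventID": 4624, "TargetUser": "bob", "LogonType": 3},
]

@dataclass(frozen=True)
class Finding:
    member: str
    change: str           # "added" or "removed"
    audited: bool         # True if a matching 4728/4729 event exists
    actor: Optional[str]  # who made the change, according to the audit log

def diff_group(before: Set[str], after: Set[str]) -> Dict[str, Set[str]]:
    """Point-in-time comparison: who appeared and who disappeared."""
    return {"added": after - before, "removed": before - after}

def correlate(changes, events, group="Domain Admins") -> List[Finding]:
    """Match each membership change to an audit event. A change with no
    event is the 'accounting change without a ledger entry' case."""
    wanted = {"added": 4728, "removed": 4729}
    findings = []
    for change, members in changes.items():
        for m in sorted(members):
            ev = next((e for e in events if e.get("EventID") == wanted[change]
                       and e.get("TargetGroup") == group
                       and e.get("Member") == m), None)
            findings.append(Finding(m, change, ev is not None,
                                    ev["Subject"] if ev else None))
    return findings

def alerts(findings: List[Finding]) -> List[str]:
    """Any change to a privileged group is alert-worthy; unaudited ones more so."""
    return [("UNAUDITED " if not f.audited else "") + f"{f.change}: {f.member}"
            + (f" by {f.actor}" if f.actor else "") for f in findings]

if __name__ == "__main__":
    for line in alerts(correlate(diff_group(SNAPSHOT_T0, SNAPSHOT_T1), AUDIT_EVENTS)):
        print(line)
```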


Why Is Active Directory a Target for Hackers?

When it comes to the centrality of AD, “the bad guys know this,” Clyde says.

“Ultimately, the goal for them, and probably the highest-value target, is the Active Directory administrators,” Clyde says. “Once a hacker can become that person, then they can actually change the Active Directory and add in a new account with all privileges or access whatever data they were after.”

Gaining access to the Active Directory system “can enable a malicious actor to compromise the entire network,” Plaggemier says.

“This could involve creating new user accounts with elevated privileges, altering existing accounts or even completely deleting accounts, leading to significant disruption in the organization’s operations,” she notes.

Active Directory can also serve as “a treasure trove of information for hackers,” she says. The system often stores usernames, endpoint names, group memberships and other data, which attackers can extract from the system and leverage for future attacks.

“The complexity of Active Directory, while a strength, can also become a weakness because its highly configurable nature can make it challenging to sufficiently secure,” Plaggemier says. “Organizations lacking robust security practices could inadvertently leave vulnerabilities open for exploitation.”


How to Safeguard Active Directory from Cyberattacks

There are many tools that organizations can use to guard against AD attacks, experts say. Clyde emphasizes the importance of XDR, or extended detection and response systems.

XDR offers a multilayer approach and includes endpoint and network detection tools that are correlated, he notes. “By adding those things, you’re going to see malicious code, you’re going to see people trying to obtain privileges,” he says. “You’re going to see people trying to do various types of attacks through the network to probe your network.”

Organizations also can look to tools that specifically monitor for changes in Active Directory. These tools typically use machine learning or statistical methods to establish a baseline of normal activity, then flag any actions that deviate from that, Plaggemier says.

One action in particular is user and entity behavior analytics, which focuses on detecting anomalous behavior by users or other entities in the system. These tools might flag things like multiple failed login attempts, unusual access patterns or changes to user privileges.
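The baseline-then-deviate approach described in the two paragraphs above, as an added example written for this article rather than code from any product it mentions: it builds a per-user baseline of daily failed-logon counts (Windows Event ID 4625) from constructed history and flags today’s counts that exceed both an absolute floor and the user’s own mean plus a few standard deviations. The floor is an assumption that keeps a user with a zero-variance baseline from alerting on a single extra failure.

```python
"""UEBA-style baselining of failed logons (Event ID 4625) per user,
using constructed sample data."""
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed history: one (day_index, user) pair per failed logon over 7 days.
# alice fails twice a day; bob once a day, plus one extra failure on day 3.
HISTORY = ([(d, "alice") for d in range(7) for _ in range(2)]
           + [(d, "bob") for d in range(7)] + [(3, "bob")])
# Constructed counts for the current day: alice is normal, bob spikes,
# svc-new has never been seen before.
TODAY = Counter({"alice": 3, "bob": 25, "svc-new": 6})

def baseline(history: List[Tuple[int, str]]) -> Dict[str, Tuple[float, float]]:
    """Per-user (mean, population std dev) of daily failed-logon counts.
    Zero-failure days are counted so quiet users get a low baseline."""
    days = max(d for d, _ in history) + 1
    per_user = defaultdict(lambda: [0] * days)
    for d, u in history:
        per_user[u][d] += 1
    return {u: (mean(c), pstdev(c)) for u, c in per_user.items()}

def flag(today: Counter, base: Dict[str, Tuple[float, float]],
         z: float = 3.0, floor: int = 5) -> List[Tuple[str, int, str]]:
    """Flag users whose count is at least `floor` (noise gate, also covers a
    zero-variance baseline) and above mean + z * stddev. Users with no
    history at all are flagged on the floor alone."""
    out = []
    for user, n in today.items():
        if n < floor:
            continue
        if user not in base:
            out.append((user, n, "no baseline"))
            continue
        mu, sd = base[user]
        limit = mu + z * sd
        if n > limit:
            out.append((user, n, f"exceeds baseline {limit:.1f}"))
    return out

if __name__ == "__main__":
    for user, n, why in flag(TODAY, baseline(HISTORY)):
        print(f"ALERT {user}: {n} failed logons ({why})")
```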


Another technology that organizations can use is security information and event management, which aggregates log data from multiple sources, including Active Directory. Analyzing that data can reveal anomalies and generate alerts.

Further, companies can turn to network traffic analysis tools to monitor network traffic for signs of malicious activity, Plaggemier says. “While not specifically tied to Active Directory, they can help detect attacks that target the system,” she says.

Clyde recommends that organizations think of it as a trade-off. If all possible privileges go through Active Directory, he says, “the beauty is that there’s one place to administer it, kind of ‘one ring to rule them all,’ which is the way Active Directory is normally put in.”

Still, “you may want to consider that certain types of things and certain admin functions actually don’t go through Active Directory,” he says. “That way, even if the AD administrator is compromised, the bad guys can’t get access to everything.”

