Skip to content

404SecNotFound/Active-Directory-Pentest-Detection-Pack

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Active Directory Pentest Detection Pack

Sigma detection content that turns a real-world Active Directory attack cheat sheet into deployable SOC detections. Built attack-first: every rule maps to a technique an operator actually runs against your domain.

Rules ATT&CK Schema validate License Status


What this is

A curated, validated pack of 127 Sigma rules covering the full Active Directory attack chain, from unauthenticated reconnaissance through domain dominance and persistence. The content is derived from the esidate/pentesting-active-directory attack mindmap and then hardened through multiple adversarial review rounds plus an end-to-end technical audit with external source verification, spanning detection engineering, threat intelligence, adversary emulation, and SOC operations.

This is defensive content. It exists so blue teams can detect the exact tradecraft red teams and real intruders use against Active Directory.

The original attack mindmap that seeds this pack is included at docs/pentesting-active-directory-mindmap.pdf. Each detection traces back to a node on that map.

Why it is different

Most public AD rule sets are either tool-name signatures that die to a rename, or single-event rules that bury a SOC in false positives. This pack was audited specifically against those two failure modes:

  • Behaviour over names. Critical detections key on attacker behaviour (LSASS access patterns, Kerberos encryption downgrades, replication requests from non-DCs) rather than tool filenames that change with one Move-Item.
  • Honest fidelity labelling. Rules that cannot stand alone are marked informational and routed to hunting, not the alert queue. No rule pretends to be more than it is.
  • Tiered by telemetry. Core rules need only the Windows Security log. A Sysmon-enriched tier adds high-fidelity coverage. IDS-dependent rules are called out explicitly so nothing fails silently.
  • Documented blind spots. The residual gaps (in-memory tradecraft, direct-syscall dumping, recompiled tooling, deep ADCS ESC chains) are written down, not hidden.

Coverage at a glance

Tactic Representative detections
Reconnaissance / Discovery SMB null sessions, LDAP recon filters, Kerberos user enumeration, BloodHound (Windows and Linux ingestors), DNS SRV and zone transfer
Coercion and Relay PetitPotam, DFSCoerce, ShadowCoerce, Coercer, Responder, mitm6, ntlmrelayx, NTLM relay to LDAP
Credential Access Kerberoasting (RC4 and AES), AS-REP roasting, DCSync, LSASS dumping (procdump, comsvcs, MalSeclogon), NTDS.dit extraction, password spray (NTLM and Kerberos)
Privilege Escalation Zerologon, PrintNightmare, ADCS ESC abuse, SeImpersonate Potato, DnsAdmin, HiveNightmare
Lateral Movement PsExec, WMIExec, atexec, Evil-WinRM, Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash
Persistence and Trust Golden and Silver tickets, Skeleton Key, custom SSP, DCShadow, SID History, RBCD, S4U delegation abuse, krbtgt reset
Defense Evasion Renamed-tool PE metadata mismatch, process tampering, token impersonation

Full technique mapping is in rule_index.csv. 68 ATT&CK techniques across 11 tactics.

Repository structure

.
├── recon_discovery/      17 rules   reconnaissance and enumeration
├── coercion_relay/        9 rules   authentication coercion and NTLM relay
├── credential_access/    26 rules   credential theft and Kerberos abuse
├── lateral_movement/     12 rules   remote execution and ticket reuse
├── persistence/           8 rules   forged tickets and backdoors
├── trust_abuse/           7 rules   delegation, trusts, SID history, RBCD, dMSA
├── exploitation/         24 rules   CVEs and service abuse
├── acl_dacl_abuse/        4 rules   AD object DACL and delegation rights
├── sysmon_enriched/      11 rules   high-fidelity rules requiring Sysmon
├── runbooks/                        per-alert triage playbooks
├── exclusions/                      environment-specific allowlist templates
├── scripts/                         validate_pack.py, substitute.py
├── coverage/attack_matrix.md        generated ATT&CK coverage
├── docs/
│   ├── pentesting-active-directory-mindmap.pdf   source attack mindmap
│   ├── logrhythm_mapping.md         LogRhythm metadata field mapping
│   └── social-card.png
├── DEPLOYMENT.md                    setup and pre-deployment checklist
├── SOC_OPERATIONS.md                enrichment, field mappings, thresholds, routing
├── placeholders.yml                 environment-specific values to substitute
├── CHANGELOG.md · RELEASE_CHECKLIST.md · REFERENCES.md
├── rule_index.csv                   full machine-readable rule index
├── CONTRIBUTING.md · SECURITY.md · CODE_OF_CONDUCT.md · CITATION.cff
└── LICENSE

5-minute quickstart

git clone https://github.com/404SecNotFound/Active-Directory-Pentest-Detection-Pack.git
cd Active-Directory-Pentest-Detection-Pack
pip install pysigma pyyaml
python - <<'PY'
import glob, yaml
from sigma.collection import SigmaCollection
rule_dirs = ["recon_discovery","coercion_relay","credential_access","lateral_movement","persistence","trust_abuse","exploitation","acl_dacl_abuse","sysmon_enriched"]
files = sorted(f for d in rule_dirs for f in glob.glob(f"{d}/*.yml"))
col = SigmaCollection.from_yaml(yaml.dump_all([yaml.safe_load(open(f)) for f in files]))
col.resolve_rule_references()
print(f"{len(col)} rules loaded, references resolved")
PY

That loads and validates the whole pack in a few seconds. From there, convert to your platform with pySigma (see below) and deploy per DEPLOYMENT.md.

Validation status

The pack is validated in CI on every push and pull request (see the badge above). The checks are: YAML syntax, duplicate-key detection, pySigma collection load, correlation reference resolution, and duplicate rule ID detection.

Run the same checks locally:

pip install pysigma pyyaml
python3 scripts/validate_pack.py

ATT&CK coverage is generated in coverage/attack_matrix.md.

Why this pack is not like the others

  • Attack-chain story, not a scattered dump. Rules are organised by the tactic an operator runs, mirroring the source attack mindmap, so coverage gaps are visible.
  • Sigma 2.0, convert anywhere. Convert to whatever backend you run with pySigma; no platform lock-in.
  • Honest fidelity. Hunting-only rules are labelled informational and kept off the alert queue.
  • Operational, not just rules. Ships triage runbooks, exclusion templates, a SOC operations guide, and a pre-deployment checklist.

Convert to your platform

The Sigma YAML is the source of truth. The pack does not ship pre-built per-backend queries or saved searches; you generate those for your platform at deploy time.

Convert the rules to your SIEM with pySigma and the sigma-cli, installing the backend plugin for your platform.

Point the converter at the rule folders, not the repo root, so it does not try to parse the CI workflow as Sigma rules. RULES below is the nine tactic folders:

RULES="recon_discovery coercion_relay credential_access lateral_movement persistence trust_abuse exploitation acl_dacl_abuse sysmon_enriched"

pip install sigma-cli
pip install <the pySigma backend plugin for your SIEM>
sigma list targets          # see available backends
sigma convert -t <target> -p <pipeline> $RULES -o converted_rules.txt

Note: the 11 Sigma 2.0 correlation rules use the correlation: block and need backend-native correlation syntax; not every backend supports them. They are listed in CHANGELOG.md and their thresholds are in SOC_OPERATIONS.md section 6.

Validate the whole pack loads as one collection (correlation rules reference shared base rules):

from sigma.collection import SigmaCollection
import glob, yaml
docs = [yaml.safe_load(open(f)) for f in glob.glob("**/*.yml", recursive=True)]
col = SigmaCollection.from_yaml(yaml.dump_all(docs))
col.resolve_rule_references()
assert len(col) == 127

Before you deploy

Read DEPLOYMENT.md. It contains the five-item pre-deployment checklist, the audit subcategories and Sysmon events each tier needs, the logging dependencies that cause rules to fail silently if missing, and the full per-rule index.

The short version:

  1. Replace the five PLACEHOLDER_* filter values with your environment specifics.
  2. Enable the required Windows audit subcategories and, for the Sysmon tier, deploy a modern Sysmon config.
  3. Wire two field-comparison rules in your SIEM enrichment layer (Sigma cannot compare two fields).
  4. Baseline the correlation and hunting rules for two weeks before alerting.
  5. Route the 12 informational rules to a hunting queue, not the alert queue.

Tiering model

Tier Folder Telemetry required
Core all except sysmon_enriched/ Windows Security event log with the right audit subcategories
Sysmon enriched sysmon_enriched/ Sysmon v15+ (SwiftOnSecurity or Olaf Hartong baseline)
IDS dependent eternalblue, java_rmi, smbghost Suricata, Snort or Zeek signatures

Honest limitations

This pack raises the cost of an intrusion. It does not make Active Directory unbreakable, and it will not catch a top-tier operator on Sigma alone.

  • Recompiled offensive tools defeat metadata-based detection. Anchor on the behavioural rules.
  • In-memory, BOF and execute-assembly tradecraft produces no process or command-line telemetry.
  • Direct-syscall LSASS dumpers can present a clean call stack. Closing this needs EDR userland-hook telemetry.
  • ESC2/4/9/10/15 are covered via template-ACL change monitoring; ESC3/ESC5/ESC7 and the full ESC11-16 set are not individually covered yet.

Layer EDR telemetry on top for nation-state-grade coverage. See the roadmap below.

Roadmap

  • Remaining ADCS ESC paths (ESC3, ESC5, ESC7, ESC11-16).
  • EDR-tier rules for memory and handle-level telemetry that Sigma cannot reach.
  • Native correlation conversions for the 11 Sigma 2.0 correlation rules in each backend's correlation syntax.
  • SCCM Network Access Account and AdminService API abuse coverage.

Prior art and acknowledgements

This pack does not claim to invent AD attack detection. It is a focused, mindmap-driven complement to a deep body of community work. Its detection scope is derived from the esidate / Orange Cyberdefense AD pentest mindmap, translating that offensive attack chain into Sigma. The canonical SigmaHQ ruleset and mdecrevoisier/SIGMA-detection-rules already cover many of these techniques; where they overlap, this pack aims for tighter false-positive gating and end-to-end attack-chain coverage rather than novelty. The detection logic stands on foundational research from Sean Metcalf's adsecurity.org, The Hacker Recipes, SpecterOps' BloodHound and the MITRE ATT&CK taxonomy. The Sysmon tier assumes telemetry from Olaf Hartong's sysmon-modular or SwiftOnSecurity's sysmon-config; validate coverage with Atomic Red Team. Per-technique sources are in REFERENCES.md. Any errors are mine, not theirs.

Contributing

Issues and pull requests are welcome. New rules must pass pySigma collection load and reference resolution, carry an accurate ATT&CK mapping, and document false positives. See CONTRIBUTING.md.

Disclaimer

This content is for defensive security operations and authorised testing only. The attack techniques referenced are described to enable detection, not exploitation. Use only on systems you own or are explicitly authorised to defend.

License

Released under the MIT License.

Credits

Detection content authored and maintained by 404SecNotFound.

Source attack mindmap: esidate/pentesting-active-directory, itself based on the work of Mayfly and Orange Cyberdefense. All credit for the original attack-path research belongs to those authors. This project maps their offensive mindmap to defensive Sigma detections, aligned to MITRE ATT&CK and validated against the SigmaHQ schema.

About

127 team-reviewed Sigma rules detecting the full Active Directory attack chain: recon, coercion, credential access, lateral movement, persistence and trust abuse. Mapped to MITRE ATT&CK and validated against the SigmaHQ schema.

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

3 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors

Languages