Sigma detection content that turns a real-world Active Directory attack cheat sheet into deployable SOC detections. Built attack-first: every rule maps to a technique an operator actually runs against your domain.
A curated, validated pack of 127 Sigma rules covering the full Active Directory attack chain, from unauthenticated reconnaissance through domain dominance and persistence. The content is derived from the esidate/pentesting-active-directory attack mindmap and then hardened through multiple adversarial review rounds plus an end-to-end technical audit with external source verification, spanning detection engineering, threat intelligence, adversary emulation, and SOC operations.
This is defensive content. It exists so blue teams can detect the exact tradecraft red teams and real intruders use against Active Directory.
The original attack mindmap that seeds this pack is included at docs/pentesting-active-directory-mindmap.pdf. Each detection traces back to a node on that map.
Most public AD rule sets are either tool-name signatures that die to a rename, or single-event rules that bury a SOC in false positives. This pack was audited specifically against those two failure modes:
- Behaviour over names. Critical detections key on attacker behaviour (LSASS access patterns, Kerberos encryption downgrades, replication requests from non-DCs) rather than tool filenames that change with one
Move-Item. - Honest fidelity labelling. Rules that cannot stand alone are marked
informationaland routed to hunting, not the alert queue. No rule pretends to be more than it is. - Tiered by telemetry. Core rules need only the Windows Security log. A Sysmon-enriched tier adds high-fidelity coverage. IDS-dependent rules are called out explicitly so nothing fails silently.
- Documented blind spots. The residual gaps (in-memory tradecraft, direct-syscall dumping, recompiled tooling, deep ADCS ESC chains) are written down, not hidden.
| Tactic | Representative detections |
|---|---|
| Reconnaissance / Discovery | SMB null sessions, LDAP recon filters, Kerberos user enumeration, BloodHound (Windows and Linux ingestors), DNS SRV and zone transfer |
| Coercion and Relay | PetitPotam, DFSCoerce, ShadowCoerce, Coercer, Responder, mitm6, ntlmrelayx, NTLM relay to LDAP |
| Credential Access | Kerberoasting (RC4 and AES), AS-REP roasting, DCSync, LSASS dumping (procdump, comsvcs, MalSeclogon), NTDS.dit extraction, password spray (NTLM and Kerberos) |
| Privilege Escalation | Zerologon, PrintNightmare, ADCS ESC abuse, SeImpersonate Potato, DnsAdmin, HiveNightmare |
| Lateral Movement | PsExec, WMIExec, atexec, Evil-WinRM, Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash |
| Persistence and Trust | Golden and Silver tickets, Skeleton Key, custom SSP, DCShadow, SID History, RBCD, S4U delegation abuse, krbtgt reset |
| Defense Evasion | Renamed-tool PE metadata mismatch, process tampering, token impersonation |
Full technique mapping is in rule_index.csv. 68 ATT&CK techniques across 11 tactics.
.
├── recon_discovery/ 17 rules reconnaissance and enumeration
├── coercion_relay/ 9 rules authentication coercion and NTLM relay
├── credential_access/ 26 rules credential theft and Kerberos abuse
├── lateral_movement/ 12 rules remote execution and ticket reuse
├── persistence/ 8 rules forged tickets and backdoors
├── trust_abuse/ 7 rules delegation, trusts, SID history, RBCD, dMSA
├── exploitation/ 24 rules CVEs and service abuse
├── acl_dacl_abuse/ 4 rules AD object DACL and delegation rights
├── sysmon_enriched/ 11 rules high-fidelity rules requiring Sysmon
├── runbooks/ per-alert triage playbooks
├── exclusions/ environment-specific allowlist templates
├── scripts/ validate_pack.py, substitute.py
├── coverage/attack_matrix.md generated ATT&CK coverage
├── docs/
│ ├── pentesting-active-directory-mindmap.pdf source attack mindmap
│ ├── logrhythm_mapping.md LogRhythm metadata field mapping
│ └── social-card.png
├── DEPLOYMENT.md setup and pre-deployment checklist
├── SOC_OPERATIONS.md enrichment, field mappings, thresholds, routing
├── placeholders.yml environment-specific values to substitute
├── CHANGELOG.md · RELEASE_CHECKLIST.md · REFERENCES.md
├── rule_index.csv full machine-readable rule index
├── CONTRIBUTING.md · SECURITY.md · CODE_OF_CONDUCT.md · CITATION.cff
└── LICENSE
git clone https://github.com/404SecNotFound/Active-Directory-Pentest-Detection-Pack.git
cd Active-Directory-Pentest-Detection-Pack
pip install pysigma pyyaml
python - <<'PY'
import glob, yaml
from sigma.collection import SigmaCollection
rule_dirs = ["recon_discovery","coercion_relay","credential_access","lateral_movement","persistence","trust_abuse","exploitation","acl_dacl_abuse","sysmon_enriched"]
files = sorted(f for d in rule_dirs for f in glob.glob(f"{d}/*.yml"))
col = SigmaCollection.from_yaml(yaml.dump_all([yaml.safe_load(open(f)) for f in files]))
col.resolve_rule_references()
print(f"{len(col)} rules loaded, references resolved")
PYThat loads and validates the whole pack in a few seconds. From there, convert to your platform with pySigma (see below) and deploy per DEPLOYMENT.md.
The pack is validated in CI on every push and pull request (see the badge above). The checks are: YAML syntax, duplicate-key detection, pySigma collection load, correlation reference resolution, and duplicate rule ID detection.
Run the same checks locally:
pip install pysigma pyyaml
python3 scripts/validate_pack.pyATT&CK coverage is generated in coverage/attack_matrix.md.
- Attack-chain story, not a scattered dump. Rules are organised by the tactic an operator runs, mirroring the source attack mindmap, so coverage gaps are visible.
- Sigma 2.0, convert anywhere. Convert to whatever backend you run with pySigma; no platform lock-in.
- Honest fidelity. Hunting-only rules are labelled
informationaland kept off the alert queue. - Operational, not just rules. Ships triage runbooks, exclusion templates, a SOC operations guide, and a pre-deployment checklist.
The Sigma YAML is the source of truth. The pack does not ship pre-built per-backend queries or saved searches; you generate those for your platform at deploy time.
Convert the rules to your SIEM with
pySigma and the sigma-cli, installing the
backend plugin for your platform.
Point the converter at the rule folders, not the repo root, so it does not try to parse the CI workflow as Sigma rules. RULES below is the nine tactic folders:
RULES="recon_discovery coercion_relay credential_access lateral_movement persistence trust_abuse exploitation acl_dacl_abuse sysmon_enriched"
pip install sigma-cli
pip install <the pySigma backend plugin for your SIEM>
sigma list targets # see available backends
sigma convert -t <target> -p <pipeline> $RULES -o converted_rules.txtNote: the 11 Sigma 2.0 correlation rules use the correlation: block and need backend-native correlation syntax; not every backend supports them. They are listed in CHANGELOG.md and their thresholds are in SOC_OPERATIONS.md section 6.
Validate the whole pack loads as one collection (correlation rules reference shared base rules):
from sigma.collection import SigmaCollection
import glob, yaml
docs = [yaml.safe_load(open(f)) for f in glob.glob("**/*.yml", recursive=True)]
col = SigmaCollection.from_yaml(yaml.dump_all(docs))
col.resolve_rule_references()
assert len(col) == 127Read DEPLOYMENT.md. It contains the five-item pre-deployment checklist, the audit subcategories and Sysmon events each tier needs, the logging dependencies that cause rules to fail silently if missing, and the full per-rule index.
The short version:
- Replace the five
PLACEHOLDER_*filter values with your environment specifics. - Enable the required Windows audit subcategories and, for the Sysmon tier, deploy a modern Sysmon config.
- Wire two field-comparison rules in your SIEM enrichment layer (Sigma cannot compare two fields).
- Baseline the correlation and hunting rules for two weeks before alerting.
- Route the 12
informationalrules to a hunting queue, not the alert queue.
| Tier | Folder | Telemetry required |
|---|---|---|
| Core | all except sysmon_enriched/ |
Windows Security event log with the right audit subcategories |
| Sysmon enriched | sysmon_enriched/ |
Sysmon v15+ (SwiftOnSecurity or Olaf Hartong baseline) |
| IDS dependent | eternalblue, java_rmi, smbghost |
Suricata, Snort or Zeek signatures |
This pack raises the cost of an intrusion. It does not make Active Directory unbreakable, and it will not catch a top-tier operator on Sigma alone.
- Recompiled offensive tools defeat metadata-based detection. Anchor on the behavioural rules.
- In-memory, BOF and execute-assembly tradecraft produces no process or command-line telemetry.
- Direct-syscall LSASS dumpers can present a clean call stack. Closing this needs EDR userland-hook telemetry.
- ESC2/4/9/10/15 are covered via template-ACL change monitoring; ESC3/ESC5/ESC7 and the full ESC11-16 set are not individually covered yet.
Layer EDR telemetry on top for nation-state-grade coverage. See the roadmap below.
- Remaining ADCS ESC paths (ESC3, ESC5, ESC7, ESC11-16).
- EDR-tier rules for memory and handle-level telemetry that Sigma cannot reach.
- Native correlation conversions for the 11 Sigma 2.0 correlation rules in each backend's correlation syntax.
- SCCM Network Access Account and AdminService API abuse coverage.
This pack does not claim to invent AD attack detection. It is a focused, mindmap-driven complement to a deep body of community work. Its detection scope is derived from the esidate / Orange Cyberdefense AD pentest mindmap, translating that offensive attack chain into Sigma. The canonical SigmaHQ ruleset and mdecrevoisier/SIGMA-detection-rules already cover many of these techniques; where they overlap, this pack aims for tighter false-positive gating and end-to-end attack-chain coverage rather than novelty. The detection logic stands on foundational research from Sean Metcalf's adsecurity.org, The Hacker Recipes, SpecterOps' BloodHound and the MITRE ATT&CK taxonomy. The Sysmon tier assumes telemetry from Olaf Hartong's sysmon-modular or SwiftOnSecurity's sysmon-config; validate coverage with Atomic Red Team. Per-technique sources are in REFERENCES.md. Any errors are mine, not theirs.
Issues and pull requests are welcome. New rules must pass pySigma collection load and reference resolution, carry an accurate ATT&CK mapping, and document false positives. See CONTRIBUTING.md.
This content is for defensive security operations and authorised testing only. The attack techniques referenced are described to enable detection, not exploitation. Use only on systems you own or are explicitly authorised to defend.
Released under the MIT License.
Detection content authored and maintained by 404SecNotFound.
Source attack mindmap: esidate/pentesting-active-directory, itself based on the work of Mayfly and Orange Cyberdefense. All credit for the original attack-path research belongs to those authors. This project maps their offensive mindmap to defensive Sigma detections, aligned to MITRE ATT&CK and validated against the SigmaHQ schema.