Active Directory Attack Detection Matrix

| Technique | Primary Logs | Critical Event IDs | Key Detection Signal | Typical Tool |
|---|---|---|---|---|
| Kerberoasting | Security | 4769 | High volume TGS requests | Rubeus |
| ASREP Roasting | Security | 4768 | AS-REQ without preauth | GetNPUsers |
| Timeroasting | Security | 4769 | Timing analysis anomalies | Custom tooling |
| LSASS Dumping | Sysmon / Security | 10 / 4688 | LSASS handle access | Mimikatz |
| SAM Dumping | Security | 4663 | SAM hive read | secretsdump |
| LSA Secrets | Security | 4663 | SECURITY hive access | secretsdump |
| NTDS Dumping | Security | 4662 | NTDS replication | ntdsutil |
| DCSync | Security | 4662 | Replication rights abuse | Mimikatz |
| DCShadow | Security | 5137 | Rogue DC registration | Mimikatz |
| Unconstrained Delegation | Security | 4769 | TGT forwarding | Rubeus |
| Constrained Delegation | Security | 4769 | S4U2Proxy usage | Rubeus |
| RBCD | Security | 5136 | msDS-AllowedToActOnBehalfOf | Powermad |
| NTLM Relay | Security | 4624 | NTLM logons | ntlmrelayx |
| Kerberos Relay | Security | 4769 | Kerberos relay attempts | krbrelayx |
| LDAP Relay | Security | 4662 | LDAP object modification | ntlmrelayx |
| SMB Relay | Security | 5140 | ADMIN$ share access | ntlmrelayx |
| Golden Certificate | Security | 4886 | Certificate misuse | Certipy |
| ADCS ESC1 | Security | 4887 | Misconfigured template | Certipy |
| ADCS ESC2 | Security | 4887 | SAN abuse | Certipy |
| ADCS ESC3 | Security | 4887 | Enrollment agent abuse | Certipy |
| ADCS ESC4 | Security | 4887 | Certificate mapping abuse | Certipy |
| Golden Ticket | Security | 4769 | Forged TGT usage | Mimikatz |
| Silver Ticket | Security | 4769 | Forged service ticket | Mimikatz |
| Pass the Hash | Security | 4624 | NTLM authentication | CrackMapExec |
| Pass the Ticket | Security | 4769 | Ticket reuse | Rubeus |
| Overpass the Hash | Security | 4768 | NTLM → Kerberos | Mimikatz |
| GenericAll Abuse | Security | 5136 | ACL modification | PowerView |
| WriteDACL Abuse | Security | 5136 | DACL changes | PowerView |
| Shadow Credentials | Security | 5136 | KeyCredentialLink set | Whisker |
| LAPS Abuse | Security | 4662 | LAPS password read | CrackMapExec |
| GMSA Extraction | Security | 4662 | gMSA password retrieval | gMSADumper |
| GPP Passwords | File access | n/a | SYSVOL read; cpassword retrieval | PowerSploit |
| LDAP Enumeration | Security | 4662 | LDAP queries | ldapsearch |
| SMB Enumeration | Security | 5140 | Share enumeration | smbclient |
| RID Cycling | Security | 4624 | Sequential RID queries | enum4linux |
| Password Spraying | Security | 4625 | Failed logons across accounts | CrackMapExec |
| SPN Enumeration | Security | 4662 | servicePrincipalName queries | PowerView |
| Domain Trust Enumeration | Security | 4662 | trustedDomain queries | nltest |
| DNS Enumeration | DNS logs | n/a | DNS queries; zone discovery | dnsrecon |
| BloodHound Collection | Sysmon | 1 | SharpHound execution | SharpHound |
| Printer Bug | Security | 4624 | Forced authentication | SpoolSample |
| PetitPotam | Security | 4624 | EFSRPC coercion | PetitPotam |
| DFSCoerce | Security | 4624 | DFS RPC coercion | DFSCoerce |
| ShadowCoerce | Security | 4624 | MS-FSRVP coercion | ShadowCoerce |
| ADIDNS Poisoning | DNS | n/a | DNS writes creating a malicious record | Powermad |
| DNSAdmins DLL | Security | 7045 | DNS service abuse | dnscmd |
| DNS Zone Transfer | DNS | n/a | Unauthorized zone transfer (AXFR) | dig |
| xp_cmdshell | SQL logs | n/a | xp_cmdshell execution (OS command execution) | sqlcmd |
| Linked Server Abuse | SQL logs | n/a | Remote execution; lateral SQL pivot | PowerUpSQL |
| Golden SAML | ADFS logs | n/a | Token issuance; forged SAML | ADFSDump |
| GPO Modification | Security | 5136 | GPO change | PowerView |
| GPO Creation | Security | 5137 | New GPO created | SharpGPO |
| GPO Link Abuse | Security | 5136 | GPO link change | PowerView |
| SYSVOL Tampering | File logs | n/a | SYSVOL writes; malicious script | Manual |
| SMBExec | Security | 7045 | Service install | Impacket |
| WMIExec | Sysmon | 1 | wmiprvse spawning a shell | Impacket |
| PsExec | Security | 7045 | PSEXESVC service | Sysinternals |
| DCOMExec | Sysmon | 1 | dllhost spawning a shell | Impacket |
| WinRM Exec | WinRM logs | 91 | Remote PowerShell session | Evil-WinRM |