Initial access detection focuses on the transition from unauthenticated network access to the first valid identity.
The strongest signals are correlation patterns, not one event in isolation.
Core Event IDs
| Technique | Primary Events | What To Look For |
|---|---|---|
| Network discovery | Firewall, Sysmon 3 | One host touching many AD ports |
| SMB null/Guest | 4624, 4625, 5140, 5145 | Anonymous or Guest SMB activity |
| RID cycling | 4661, 4662, 4776 | Repeated SAMR/LSARPC lookups |
| Username enumeration | 4768, 4771 | Many Kerberos requests for different users |
| Password spraying | 4625, 4771, 4776, 4624 | One password across many accounts |
| ASREP roasting | 4768 | Preauthentication type 0 or roastable accounts |
| LLMNR/NBT-NS poisoning | Sysmon 3, Sysmon 22, 4648, 4624 | Rogue name resolution and SMB/HTTP auth |
| Pre-2K computers | 4625, 4771, 4776 | Machine account auth attempts |
| Timeroasting | Network UDP/123, 4624 follow-up | Unusual NTP requests and machine account use |
Fast Hunting Questions
Ask:
Which host generated the activity?
Was it domain joined?
Was it expected to enumerate AD?
How many accounts were touched?
Did any attempt succeed?
Was a successful logon preceded by failures?
Did the same source later access SMB, LDAP, WinRM, RDP, or MSSQL?
Password Spray Hunt
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-2)} |
Select-Object TimeCreated, Id, ProviderName, Message
Look for:
same source
many usernames
same time window
few attempts per user
eventual success
ASREP Roast Hunt
On the DC:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768; StartTime=(Get-Date).AddHours(-2)} |
Where-Object { $_.Message -match 'Pre-Authentication Type:\\s+0' } |
Select-Object TimeCreated, Message
Then review which accounts have preauthentication disabled:
Get-ADUser -Filter * -Properties DoesNotRequirePreAuth |
Where-Object DoesNotRequirePreAuth -eq $true |
Select-Object SamAccountName,Enabled
SMB Guest And Share Hunt
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140; StartTime=(Get-Date).AddHours(-2)} |
Select-Object TimeCreated, Message
Look for:
Guest
ANONYMOUS LOGON
unexpected source IP
recursive access to shares
Poisoning Hunt
Look for:
LLMNR traffic
NBT-NS traffic
victims connecting to unexpected SMB listeners
mistyped UNC paths
WPAD requests
Responder or Inveigh execution
Packet capture filter:
udp.port == 5355 or udp.port == 137 or tcp.port == 445 or tcp.port == 80
Hardening Baseline
Apply:
Disable Guest access.
Restrict anonymous SMB/RPC enumeration.
Disable LLMNR.
Disable NBT-NS.
Enforce SMB signing.
Use MFA for remote access.
Monitor 4625, 4771, 4776, 4768, 5140, and 5145.
Remove accounts with preauthentication disabled.
Rotate service account passwords.
Audit file shares for secrets.
Response
When initial access activity is confirmed:
1. Identify source host.
2. Identify accounts targeted.
3. Identify successful credentials.
4. Disable or rotate affected accounts.
5. Review shares and files touched.
6. Review follow-on LDAP, SMB, WinRM, RDP, MSSQL, and Kerberos activity.
7. Preserve logs from DCs and affected endpoints.