Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 01. Initial Access

Response

Initial access detection focuses on the transition from unauthenticated network access to the first valid identity.

The strongest signals are correlation patterns, not one event in isolation.


Core Event IDs

TechniquePrimary EventsWhat To Look For
Network discoveryFirewall, Sysmon 3One host touching many AD ports
SMB null/Guest4624, 4625, 5140, 5145Anonymous or Guest SMB activity
RID cycling4661, 4662, 4776Repeated SAMR/LSARPC lookups
Username enumeration4768, 4771Many Kerberos requests for different users
Password spraying4625, 4771, 4776, 4624One password across many accounts
ASREP roasting4768Preauthentication type 0 or roastable accounts
LLMNR/NBT-NS poisoningSysmon 3, Sysmon 22, 4648, 4624Rogue name resolution and SMB/HTTP auth
Pre-2K computers4625, 4771, 4776Machine account auth attempts
TimeroastingNetwork UDP/123, 4624 follow-upUnusual NTP requests and machine account use

Fast Hunting Questions

Ask:

Which host generated the activity?
Was it domain joined?
Was it expected to enumerate AD?
How many accounts were touched?
Did any attempt succeed?
Was a successful logon preceded by failures?
Did the same source later access SMB, LDAP, WinRM, RDP, or MSSQL?

Password Spray Hunt

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-2)} |
    Select-Object TimeCreated, Id, ProviderName, Message

Look for:

same source
many usernames
same time window
few attempts per user
eventual success

ASREP Roast Hunt

On the DC:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4768; StartTime=(Get-Date).AddHours(-2)} |
    Where-Object { $_.Message -match 'Pre-Authentication Type:\\s+0' } |
    Select-Object TimeCreated, Message

Then review which accounts have preauthentication disabled:

Get-ADUser -Filter * -Properties DoesNotRequirePreAuth |
    Where-Object DoesNotRequirePreAuth -eq $true |
    Select-Object SamAccountName,Enabled

SMB Guest And Share Hunt

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140; StartTime=(Get-Date).AddHours(-2)} |
    Select-Object TimeCreated, Message

Look for:

Guest
ANONYMOUS LOGON
unexpected source IP
recursive access to shares

Poisoning Hunt

Look for:

LLMNR traffic
NBT-NS traffic
victims connecting to unexpected SMB listeners
mistyped UNC paths
WPAD requests
Responder or Inveigh execution

Packet capture filter:

udp.port == 5355 or udp.port == 137 or tcp.port == 445 or tcp.port == 80

Hardening Baseline

Apply:

Disable Guest access.
Restrict anonymous SMB/RPC enumeration.
Disable LLMNR.
Disable NBT-NS.
Enforce SMB signing.
Use MFA for remote access.
Monitor 4625, 4771, 4776, 4768, 5140, and 5145.
Remove accounts with preauthentication disabled.
Rotate service account passwords.
Audit file shares for secrets.

Response

When initial access activity is confirmed:

1. Identify source host.
2. Identify accounts targeted.
3. Identify successful credentials.
4. Disable or rotate affected accounts.
5. Review shares and files touched.
6. Review follow-on LDAP, SMB, WinRM, RDP, MSSQL, and Kerberos activity.
7. Preserve logs from DCs and affected endpoints.