This chapter covers Domain Controller (DC) and Active Directory (AD) monitoring, a critical skill for the SC-200 exam. You will learn how to detect and investigate attacks targeting AD, such as DCSync, Golden Ticket, and Kerberoasting. Approximately 15-20% of exam questions relate to AD security monitoring, often requiring you to identify attack patterns from Microsoft Defender for Identity alerts. Mastery of DC monitoring is essential for any security operations analyst.
Jump to a section
Think of a domain controller (DC) as the manager of a bank vault. The vault contains all the safety deposit boxes (user accounts, groups, computers). The manager has a master key (the KRBTGT hash) to open any box. Every time an employee (user) wants to access their box, they present their ID card (password hash) to the manager. The manager verifies the ID against the vault's records, then issues a temporary pass (Kerberos ticket) that allows access to only that specific box for a limited time. If someone tries to use a forged ID, the manager logs the attempt and sounds an alarm. The manager also keeps a log of every box opened, by whom, and when. If an attacker steals the master key, they can open every box in the vault. Monitoring the manager's activities—like unusual requests for master key copies or after-hours access—is critical. In a network, the DC is the vault manager; Active Directory is the vault; Kerberos tickets are the temporary passes; security logs are the audit trail. Attackers often target the DC to steal the master key (DCSync attack) or to forge tickets (Golden Ticket attack).
What is Domain Controller and Active Directory Monitoring?
Domain Controller and Active Directory (AD) monitoring involves collecting and analyzing security events from domain controllers to detect malicious activities. AD is the identity store for Windows networks, storing user accounts, groups, computers, and policies. Domain controllers authenticate users and enforce security policies. Attackers target AD to gain persistence, escalate privileges, or move laterally. Monitoring focuses on detecting anomalies in authentication, replication, and privilege usage.
Why Monitor Domain Controllers?
Domain controllers are the most sensitive servers in a Windows domain. Compromise of a DC gives an attacker control over the entire domain. Common AD attacks include: - DCSync: An attacker impersonates a domain controller and requests replication of password hashes from another DC. - Golden Ticket: An attacker forges a Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account hash. - Silver Ticket: An attacker forges a service ticket for a specific service. - Kerberoasting: An attacker requests a service ticket for a service account and cracks its password offline. - Pass-the-Hash (PtH): An attacker uses an NTLM hash to authenticate without knowing the password. - Overpass-the-Hash: An attacker uses an NTLM hash to request a Kerberos TGT. - Skeleton Key: An attacker injects a backdoor into a DC that allows authentication with any password.
Key Components of AD Monitoring
#### Windows Event Logs
Domain controllers generate critical security events. The most important event IDs for AD monitoring include:
Event ID 4624: An account was successfully logged on. Sub-status codes indicate logon type (2=interactive, 3=network, 10=remote interactive).
Event ID 4625: An account failed to log on. High failure counts may indicate password spraying.
Event ID 4672: Special privileges assigned to new logon. Indicates use of administrative privileges.
Event ID 4768: A Kerberos authentication ticket (TGT) was requested. Unusual service names or user accounts may indicate Kerberoasting.
Event ID 4769: A Kerberos service ticket was requested. Used for Kerberoasting detection.
Event ID 4776: The domain controller attempted to validate credentials for an account. Used for NTLM authentication.
Event ID 5136: A directory service object was modified. Key for detecting changes to sensitive AD objects.
Event ID 4662: An operation was performed on an object. Used for auditing access to high-value objects.
Event ID 7045: A new service was installed. May indicate persistence mechanisms.
#### Advanced Audit Policies
To capture relevant events, you must configure advanced audit policies on domain controllers. Key policies include:
Audit Kerberos Authentication Service: Logs TGT requests (Event 4768).
Audit Kerberos Service Ticket Operations: Logs service ticket requests (Event 4769).
Audit Logon: Logs logon events (4624, 4625).
Audit Special Logon: Logs use of special privileges (4672).
Audit Directory Service Access: Logs access to AD objects (4662).
Audit Directory Service Changes: Logs modifications to AD objects (5136).
You can configure these via Group Policy under Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
#### Microsoft Defender for Identity (MDI)
MDI is a cloud-based security solution that monitors on-premises AD traffic using sensors installed on domain controllers. It detects suspicious activities such as:
DCSync attack: MDI detects when a non-DC machine requests replication.
Golden Ticket attack: MDI detects forged TGTs by analyzing ticket validity periods and anomalies.
Skeleton Key: MDI detects modifications to LSASS memory.
Pass-the-Hash: MDI detects use of NTLM hashes in authentication.
Brute-force attacks: MDI detects multiple failed logon attempts.
MDI alerts are integrated into Microsoft 365 Defender, providing a unified view of threats.
How DCSync Attack Works (Detailed)
DCSync is a technique used by attackers to extract password hashes from a domain controller. The attacker uses a tool like Mimikatz to impersonate a domain controller and request replication of password data using the Directory Replication Service (DRS) Remote Protocol (MS-DRSR).
Steps:
1. The attacker gains administrative privileges on a machine that can communicate with a DC.
2. The attacker runs Mimikatz with the lsadump::dcsync command, specifying the target domain and user.
3. Mimikatz sends a DRSGetNCChanges request to the DC, impersonating a domain controller.
4. The DC responds with the requested password hashes (NTLM and Kerberos hashes).
Detection: Event ID 4662 with Object Type domainDNS and Access Mask 0x100 (Control Access) on the DS-Replication-Get-Changes extended right. Also, MDI alert "Directory Service Replication Request" is generated.
How Golden Ticket Attack Works (Detailed)
A Golden Ticket attack involves forging a Kerberos TGT using the KRBTGT account hash. The attacker extracts the KRBTGT hash from a compromised DC, then creates a fake TGT with arbitrary user and group memberships.
Steps:
1. Attacker compromises a DC and extracts the KRBTGT hash using Mimikatz (lsadump::dcsync /user:krbtgt).
2. Attacker forges a TGT using Mimikatz kerberos::golden command, specifying user (e.g., Administrator), domain SID, and KRBTGT hash.
3. The forged TGT is injected into memory and used to request service tickets.
4. The attacker gains access to any resource in the domain.
Detection: Event ID 4768 with unusual ticket options (e.g., forwardable flag set), or Event ID 4672 for logon with special privileges. MDI detects Golden Tickets by analyzing ticket validity periods (forged tickets often have long lifetimes) and anomalies in ticket issuance.
How Kerberoasting Works (Detailed)
Kerberoasting is an attack where an attacker requests a Kerberos service ticket for a service account (with SPN) and then cracks the ticket offline to recover the account's password.
Steps:
1. Attacker enumerates service accounts with SPNs using tools like setspn -T domain -Q */*.
2. Attacker requests a TGS for the service account using a tool like Rubeus or GetUserSPNs.
3. The DC returns a TGS encrypted with the service account's NTLM hash.
4. Attacker extracts the TGS and cracks the hash offline (e.g., using Hashcat).
Detection: Event ID 4769 with RC4 encryption type (0x17) for service tickets. A single user requesting multiple TGSs for different service accounts is suspicious. MDI alert "Kerberos Service Ticket Request" may indicate Kerberoasting.
Configuration for AD Monitoring
#### Enable Advanced Audit Policy
Use Group Policy Management Console (GPMC) to create a GPO linked to the Domain Controllers OU. Configure the following audit policies:
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies
- Account Logon > Audit Kerberos Authentication Service: Success and Failure
- Account Logon > Audit Kerberos Service Ticket Operations: Success and Failure
- Account Logon > Audit Credential Validation: Success and Failure
- Logon/Logoff > Audit Logon: Success and Failure
- Logon/Logoff > Audit Special Logon: Success and Failure
- Object Access > Audit Directory Service Access: Success and Failure
- Object Access > Audit Directory Service Changes: Success and Failure#### Enable SACL for Sensitive AD Objects
To audit access to sensitive objects like the AdminSDHolder container, you can set a System Access Control List (SACL) using ADSI Edit. For example, to audit modifications to the Domain Admins group:
Open ADSI Edit > right-click the Domain Admins group > Properties > Security > Advanced > Auditing > Add > Select Principal 'Everyone' > Type 'All' > Permissions 'Write all properties' > OK.#### Deploy Microsoft Defender for Identity
MDI sensors are installed on domain controllers. The sensor captures network traffic and Windows events. Configuration steps: 1. In Microsoft 365 Defender, navigate to Settings > Identities > Data sources. 2. Download the sensor installer and install on each DC. 3. Configure the sensor to communicate with the MDI cloud service. 4. Verify sensor health in the MDI console.
Key Timers and Values
Kerberos ticket lifetime: Default TGT lifetime is 10 hours (configurable via domain policy). Forged tickets often have longer lifetimes (e.g., 10 years).
KRBTGT password change: The KRBTGT account password is changed automatically every time a DC is promoted. However, it is rarely changed manually. Best practice is to reset KRBTGT password twice after a compromise.
DCSync replication timeout: DRS replication requests have a default timeout of 5 minutes. Multiple rapid replication requests may indicate an attack.
Event log retention: Security logs should be forwarded to a SIEM like Microsoft Sentinel to prevent overwriting.
Interaction with Related Technologies
Microsoft Sentinel: Collects Windows Security Events from DCs, correlates with other data sources, and provides built-in analytics rules for AD attacks.
Microsoft 365 Defender: Integrates MDI alerts with Defender for Endpoint and Defender for Cloud Apps to provide a unified incident.
Azure AD Connect: Synchronizes on-premises AD with Azure AD. Monitoring sync events can detect account takeovers.
Common Detection Queries for Sentinel
// DCSync Detection
SecurityEvent
| where EventID == 4662
| where ObjectType == "domainDNS"
| where AccessMask == "0x100"
| where AdditionalInfo contains "DS-Replication-Get-Changes"
| project TimeGenerated, Account, Computer, ObjectName// Kerberoasting Detection
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17" // RC4
| where ServiceName != "krbtgt"
| summarize Count = dcount(ServiceName) by Account, Computer, bin(TimeGenerated, 1h)
| where Count > 10// Golden Ticket Detection - Unusual TGT Lifetime
SecurityEvent
| where EventID == 4768
| where TicketOptions contains "forwardable"
| extend Lifetime = datetime_diff('second', TicketEndTime, TicketStartTime)
| where Lifetime > 36000 // > 10 hoursEnable Advanced Audit Policies
Use Group Policy Management Console to create a GPO for Domain Controllers. Configure Audit Kerberos Authentication Service, Audit Kerberos Service Ticket Operations, Audit Logon, Audit Special Logon, Audit Directory Service Access, and Audit Directory Service Changes. Set both Success and Failure auditing. This ensures all relevant events are logged. Without these policies, critical events like DCSync (Event 4662) and Kerberoasting (Event 4769) will not be captured. Apply the GPO to the Domain Controllers OU and force a gpupdate on DCs.
Deploy Microsoft Defender for Identity Sensor
Download the MDI sensor from Microsoft 365 Defender portal. Install it on each domain controller. The sensor captures network traffic (port mirroring or network TAP) and reads Windows Event Logs. It sends parsed events to the MDI cloud service. Ensure the sensor can communicate with *.atp.azure.com and *.azureedge.net. Verify sensor health in the MDI console. MDI provides real-time detection of AD attacks like DCSync, Golden Ticket, and Skeleton Key.
Forward Security Events to Sentinel
Use the Windows Security Events connector in Microsoft Sentinel to collect events from domain controllers. You can use the Azure Monitor Agent (AMA) or legacy Log Analytics agent. Configure data collection rules to include Event IDs 4624, 4625, 4672, 4768, 4769, 4776, 4662, 5136, and 7045. Enable the UEBA feature for user entity behavior analytics. This allows Sentinel to baseline normal behavior and detect anomalies like unusual logon times or locations.
Create Analytic Rules for AD Attacks
In Sentinel, create scheduled query rules for DCSync, Kerberoasting, and Golden Ticket detection. For DCSync, use Event 4662 with Access Mask 0x100. For Kerberoasting, use Event 4769 with RC4 encryption (0x17) and high count of unique service names per user. For Golden Ticket, use Event 4768 with ticket lifetime > 10 hours. Set alert severity based on the attack. Test rules with simulated attacks using tools like Mimikatz in a lab environment.
Monitor and Investigate Alerts
When an alert fires, investigate by checking the affected user/computer, time, and source IP. Use the incident management in Microsoft 365 Defender to correlate alerts from MDI, Defender for Endpoint, and Sentinel. For DCSync, check if the source computer is a domain controller. If not, it is malicious. For Golden Ticket, check if the ticket has unusual lifetime or is issued to a privileged account. For Kerberoasting, check if the requesting user is a service account. Contain the threat by disabling the compromised account or isolating the machine.
Enterprise Scenario 1: Large Financial Institution
A global bank with 50,000 users and 200 domain controllers deployed MDI across all DCs. They configured advanced audit policies to capture all AD changes. One day, MDI alerted on a DCSync attack from a non-DC server in a remote branch. The attacker had compromised a local admin account and used Mimikatz to replicate password hashes. The SOC isolated the server and reset the KRBTGT password twice (to invalidate any forged tickets). They also rotated all domain admin passwords. The key learning: MDI detection was critical because the attack used legitimate replication protocols, which traditional antivirus missed.
Enterprise Scenario 2: Healthcare Organization
A hospital with 10,000 users and 30 DCs experienced a Kerberoasting attack. The attacker used a low-privilege account to enumerate SPNs and request TGS tickets for 50 service accounts. The SOC detected the attack via Sentinel analytic rule that flagged a single user requesting more than 10 TGS tickets with RC4 encryption in an hour. The rule had a threshold of 10; without it, the attack would have gone unnoticed. The attacker cracked three service account passwords offline and used them to access patient records. The hospital implemented strong service account passwords and disabled RC4 encryption for Kerberos (set Network security: Configure encryption types allowed for Kerberos to AES only).
Enterprise Scenario 3: Government Agency
A government agency with 100,000 users and 500 DCs suffered a Golden Ticket attack. The attacker compromised a DC via an unpatched vulnerability (EternalBlue) and extracted the KRBTGT hash. They forged a TGT for a domain admin account with a 10-year lifetime. The forged ticket was used to access classified data. Detection came from MDI, which flagged a TGT with an abnormally long lifetime (10 years vs default 10 hours). The agency reset the KRBTGT password twice and implemented additional monitoring for TGT lifetime anomalies. They also enforced smart card authentication for all privileged accounts. The lesson: Golden Tickets can only be detected through behavioral analysis, not signature-based detection.
SC-200 Exam Focus: Domain Controller and Active Directory Monitoring
This topic is covered under Exam Objective 1.2: Configure and manage Microsoft Defender for Identity and Objective 1.3: Monitor and investigate threats using Microsoft 365 Defender. Expect 3-5 questions specifically on AD monitoring. The exam tests your ability to identify attack types from event IDs and MDI alerts.
Common Wrong Answers and Why
1. Question: Which event ID indicates a DCSync attack? - Wrong answer: Event 4768 (TGT request). Candidates confuse DCSync with Kerberos attacks. - Correct: Event 4662 with Access Mask 0x100 on domainDNS object.
2. Question: Which MDI alert detects Golden Ticket attacks? - Wrong answer: "Suspicious service ticket request" (that's Kerberoasting). - Correct: "Suspicious Kerberos authentication ticket request" or "Abnormal TGT lifetime".
3. Question: How to detect Kerberoasting? - Wrong answer: High number of failed logons (Event 4625). Kerberoasting does not cause failures; it uses successful TGS requests. - Correct: Event 4769 with RC4 encryption (0x17) and multiple unique service names per user.
4. Question: What is the best defense against DCSync? - Wrong answer: Disable replication. That breaks AD. - Correct: Protect privileged accounts (e.g., Domain Admins) and monitor for replication requests from non-DCs.
Specific Numbers and Terms on Exam
Event IDs: 4662 (DCSync), 4768 (TGT request), 4769 (TGS request), 4672 (special logon), 4776 (NTLM validation).
Access Mask: 0x100 for DCSync (Control Access).
Encryption Type: 0x17 for RC4 (Kerberoasting).
TGT Lifetime: Default 10 hours; anything longer is suspicious.
MDI Sensor: Installed on domain controllers; captures network and event log data.
KRBTGT: Account used to encrypt TGTs; must be reset twice after compromise.
Edge Cases and Exceptions
DCSync from a domain controller: Legitimate replication between DCs uses the same protocol. MDI alerts only when a non-DC machine makes the request.
Kerberos ticket options: Legitimate TGTs have forwardable flag set; forged tickets often have unusual options like proxiable or renewable.
Service accounts: Kerberoasting targets accounts with SPNs (servicePrincipalName attribute). Not all service accounts have SPNs.
RC4 vs AES: If domain is configured to use only AES encryption, Kerberoasting becomes harder because AES tickets are more difficult to crack. The exam may ask about encryption type downgrade attacks.
How to Eliminate Wrong Answers
If a question mentions "replication" and "password hash extraction", think DCSync (Event 4662).
If a question mentions "forged ticket" and "KRBTGT", think Golden Ticket.
If a question mentions "service ticket" and "crack offline", think Kerberoasting.
If a question mentions "NTLM hash" and "pass-the-hash", think lateral movement.
Use the underlying mechanism: DCSync is a replication request; Golden Ticket is a forged TGT; Kerberoasting is a TGS request for cracking.
DCSync is detected by Event 4662 with Access Mask 0x100 on a domainDNS object; MDI alerts on replication requests from non-DCs.
Golden Ticket is detected by Event 4768 with TGT lifetime > 10 hours or unusual ticket options; MDI analyzes ticket validity periods.
Kerberoasting is detected by Event 4769 with RC4 encryption type (0x17) and multiple unique service names per user.
Microsoft Defender for Identity sensors must be installed on domain controllers; they capture network traffic and Windows events.
Advanced audit policies must be configured on DCs to capture relevant events; use GPO to enable Audit Kerberos, Logon, and Directory Service Access.
KRBTGT password must be reset twice (with a 10-hour interval) after a compromise to invalidate forged Golden Tickets.
Service accounts with SPNs are vulnerable to Kerberoasting; use strong passwords and disable RC4 encryption if possible.
Sentinel analytic rules can be created using KQL to detect DCSync, Golden Ticket, and Kerberoasting patterns.
MDI alerts are integrated into Microsoft 365 Defender for unified incident investigation.
Common wrong answer on exam: confusing Event 4768 (TGT) with DCSync detection (Event 4662).
These come up on the exam all the time. Here's how to tell them apart.
DCSync
Extracts password hashes via replication (DRSGetNCChanges).
Detected via Event 4662 with Access Mask 0x100.
Requires administrative privileges on a machine that can replicate.
Attacker gets NTLM and Kerberos hashes for offline cracking.
MDI alert: 'Directory Service Replication Request from non-DC'.
Golden Ticket
Forges a TGT using KRBTGT hash.
Detected via Event 4768 with abnormal ticket lifetime or options.
Requires KRBTGT hash (from DC compromise).
Attacker gains persistent access to any resource.
MDI alert: 'Suspicious Kerberos authentication ticket request'.
Mistake
DCSync attack is detected by Event 4768 (Kerberos TGT request).
Correct
DCSync is detected by Event 4662 with Access Mask 0x100 on a domainDNS object. Event 4768 is for TGT requests, which are not directly related to replication.
Mistake
Golden Ticket attacks can be prevented by regularly changing the KRBTGT password once.
Correct
Changing KRBTGT password once is insufficient because the old hash may still be cached. Best practice is to reset the KRBTGT password twice (with a 10-hour interval) to ensure all existing tickets are invalidated.
Mistake
Kerberoasting requires the attacker to have administrative privileges.
Correct
Kerberoasting can be performed by any authenticated user in the domain. The attacker only needs to know the service account's SPN, which can be enumerated by any domain user.
Mistake
Microsoft Defender for Identity sensors must be installed on all domain controllers to detect attacks.
Correct
While best practice is to install on all DCs, MDI can detect attacks even if only one DC has a sensor, because replication traffic and authentication requests are visible network-wide.
Mistake
Event ID 4625 (failed logon) is the primary indicator of a password spraying attack.
Correct
Password spraying often uses valid credentials for a few accounts, so failed logons may be low. Better indicators are Event 4776 (NTLM validation failures) and Event 4768 (TGT failures) with unusual patterns.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
DCSync and DCSBack are both replication-based attacks. DCSync uses the DRSGetNCChanges method to replicate password hashes. DCSBack uses the backup API (NTDS Backup) to extract the NTDS.dit file. DCSync is more common and detected by Event 4662. DCSBack may not generate Event 4662 but can be detected via Event 5136 (directory service object modification) on backup-related objects. On the exam, focus on DCSync.
If the attacker sets a short TGT lifetime (e.g., 1 hour) to evade detection, you can still detect it using MDI's anomaly detection. MDI compares ticket issuance patterns to baseline user behavior. For example, if a user who never logs on from a particular workstation suddenly requests a TGT from it, that is suspicious. Also, forged tickets may have unusual ticket options (e.g., renewable, proxiable) that differ from normal tickets. Event 4768 with unusual flags can be a clue.
The default TGT lifetime is 10 hours (configurable via domain policy). It is important because Golden Ticket attacks often set the lifetime to years (e.g., 10 years). Detecting a TGT with a lifetime > 10 hours is a strong indicator of a forged ticket. However, attackers can set it to 10 hours to blend in. Therefore, combine lifetime analysis with other anomalies like unusual logon locations or times.
Use Group Policy Management Console. Create a GPO linked to the Domain Controllers OU. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. Enable 'Audit Kerberos Authentication Service' (Success and Failure), 'Audit Kerberos Service Ticket Operations', 'Audit Logon', 'Audit Special Logon', 'Audit Directory Service Access', and 'Audit Directory Service Changes'. Apply the GPO and run gpupdate /force on DCs.
The KRBTGT account is a built-in account that encrypts all TGTs in the domain. Its password hash is used to sign and encrypt TGTs. If an attacker obtains the KRBTGT hash, they can forge TGTs (Golden Ticket). The KRBTGT password is automatically changed when a DC is promoted, but it is rarely changed manually. After a compromise, reset it twice to invalidate any forged tickets.
Yes, but it is harder. AES-encrypted tickets are more difficult to crack offline compared to RC4. However, attackers can request RC4 tickets if the service account supports RC4 (by setting the encryption type in the request). If the domain enforces AES-only, Kerberoasting becomes less effective. Detection still relies on Event 4769 with RC4 encryption type (0x17). If AES only is used, the event will show AES encryption types (0x12 or 0x18).
Open the incident in Microsoft 365 Defender. Review the MDI alert 'Directory Service Replication Request from non-DC'. Check the source account and computer. Verify if the source computer is a domain controller. If not, it is malicious. Look at the timeline for related events like logon events (Event 4624) on the source computer. Contain by disabling the source account and isolating the machine. Reset the KRBTGT password twice and rotate all privileged account passwords.
You've just covered Domain Controller and Active Directory Monitoring — now see how well it sticks with free SC-200 practice questions. Full explanations included, no account needed.
Done with this chapter?