What Is Active Directory Security Monitoring?
Active Directory is the most targeted infrastructure component in enterprise environments, yet it is also one of the least monitored. Most organizations generate Windows Security events from Domain Controllers but lack the correlation, alerting, and baseline analysis needed to detect attacks in progress.
Security monitoring in AD is not about collecting logs; it is about knowing which events matter, what normal looks like, and when something deviates. Without this, every attack described in this blog (Kerberoasting, Golden Tickets, DCSync, ADCS abuse) proceeds undetected until the damage is done.
This article covers the essential audit policy configuration, the critical event IDs to monitor, and how to build detection logic that catches real attacks without alert fatigue.
How It Works
Windows Security auditing is controlled by Advanced Audit Policy settings deployed via Group Policy. By default, most audit categories are not enabled or are configured at a minimum level that misses critical events.
The audit pipeline:
- Advanced Audit Policy enables event generation for specific activity categories
- Windows Event Log stores events locally (Security log)
- WEF (Windows Event Forwarding) or a SIEM agent ships events to a central collection point
- SIEM correlation rules detect patterns and fire alerts
The most common failure is step 1: audit policy is not configured, so critical events like object access, privilege use, and directory service changes never fire, even if everything else is in place.
The Attack Chain (What Goes Undetected Without Monitoring)
Without proper monitoring, attackers operate freely:
DCSync: No Audit Policy
Without Audit Directory Service Access enabled, event 4662 never fires. A full DCSync dumping all domain hashes leaves no trace in the Security log.
Golden Ticket: No Anomaly Detection
Event 4768 fires for every TGT request, but without baselining normal Kerberos traffic, a forged ticket with a 10-year lifetime and a non-existent username blends in with thousands of legitimate requests.
Lateral Movement: No Logon Tracking
Without Audit Logon Events and network logon correlation, Pass-the-Hash and Pass-the-Ticket movement across the domain is invisible.
Privilege Escalation: No Group Change Alerts
Without alerting on 4728/4732/4756, adding a backdoor account to Domain Admins generates no notification.
Detection
Essential Audit Policy Configuration
Deploy via GPO: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
| Category | Subcategory | Setting | Key Events |
|---|---|---|---|
| Account Logon | Kerberos Authentication Service / Kerberos Service Ticket Operations | Success/Failure | 4768, 4769, 4771 |
| Account Management | User Account Management / Security Group Management | Success/Failure | 4720, 4728, 4732, 4738 |
| DS Access | Directory Service Access | Success | 4662 |
| DS Access | Directory Service Changes | Success | 5136, 5137, 5141 |
| Logon/Logoff | Logon | Success/Failure | 4624, 4625, 4648 |
| Privilege Use | Sensitive Privilege Use | Success | 4672 |
| Policy Change | Audit Policy Change | Success | 4719 |
| Object Access | Certification Services | Success/Failure | 4886, 4887 |
Critical Event IDs Reference
| Event ID | Category | Alert Priority | What It Detects |
|---|---|---|---|
| 4662 | DS Access | CRITICAL | DCSync, replication rights abuse |
| 4768 | Kerberos | HIGH | Golden Ticket (anomalous attributes) |
| 4769 | Kerberos | HIGH | Kerberoasting (RC4 encryption) |
| 4771 | Kerberos | MEDIUM | Pre-auth failure (password spray indicator) |
| 4728/4756 | Group Mgmt | CRITICAL | Privileged group membership change |
| 4720 | Account Mgmt | HIGH | New account created |
| 4738 | Account Mgmt | MEDIUM | Account modified (PasswordNeverExpires, etc.) |
| 5136 | DS Changes | HIGH | GPO or AD object modified |
| 4887 | Cert Services | HIGH | Certificate issued (ADCS abuse) |
| 4624 (Type 3) | Logon | MEDIUM | Network logon (lateral movement) |
| 4672 | Privilege | HIGH | Special privileges assigned |
SIEM Detection Queries (Elastic KQL)
DCSync detection:
event.code: "4662" AND
winlog.event_data.Properties: ("*1131f6ad*" OR "*1131f6aa*") AND
NOT winlog.event_data.SubjectUserName: ("*$")
Kerberoasting detection:
event.code: "4769" AND
winlog.event_data.TicketEncryptionType: "0x17" AND
NOT winlog.event_data.ServiceName: ("krbtgt" OR "*$")
Golden Ticket anomaly:
event.code: "4768" AND
winlog.event_data.TicketOptions: "0x40810010" AND
winlog.event_data.PreAuthType: "0"
Privileged group change:
event.code: ("4728" OR "4732" OR "4756") AND
winlog.event_data.TargetUserName: ("Domain Admins" OR "Enterprise Admins" OR "Schema Admins")
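The four KQL detections above, written as a small rule engine and run over constructed Security events. This is an added example, not the article's or EtcSec's code: the field names follow the winlog.event_data layout the queries use, the GUID prefixes and group names are the ones from the queries, and every event in SAMPLE_EVENTS is constructed rather than captured from a real DC. Each positive case is paired with the benign event its query exclusion is meant to suppress, so the low-noise claim can be checked directly.

```python
"""The article's four KQL detections as a small rule engine, run over
constructed Security events.

Added example, not the article's or EtcSec's code. Field names follow the
winlog.event_data layout the KQL queries use; the events in SAMPLE_EVENTS
are constructed, not real captures."""

# Control-access-right GUID prefixes from the DCSync query
# (DS-Replication-Get-Changes-All and DS-Replication-Get-Changes).
REPLICATION_GUID_PREFIXES = ("1131f6ad", "1131f6aa")
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
RC4_HMAC = "0x17"


def _field(event, key):
    return str(event.get("event_data", {}).get(key, ""))


def is_dcsync(event):
    """4662 granting a replication right to a non-machine account.

    The '$' exclusion drops DC-to-DC replication, which runs as machine accounts."""
    if event.get("event_id") != 4662:
        return False
    props = _field(event, "Properties").lower()
    subject = _field(event, "SubjectUserName")
    return any(g in props for g in REPLICATION_GUID_PREFIXES) and not subject.endswith("$")


def is_kerberoast(event):
    """4769 service ticket issued with RC4 for a user-owned SPN (not krbtgt, not a machine)."""
    if event.get("event_id") != 4769:
        return False
    service = _field(event, "ServiceName")
    return (_field(event, "TicketEncryptionType").lower() == RC4_HMAC
            and service.lower() != "krbtgt"
            and not service.endswith("$"))


def is_golden_ticket_anomaly(event):
    """4768 carrying the TicketOptions/PreAuthType combination the article flags."""
    if event.get("event_id") != 4768:
        return False
    return (_field(event, "TicketOptions") == "0x40810010"
            and _field(event, "PreAuthType") == "0")


def is_privileged_group_change(event):
    """4728/4732/4756 where the target group is a Tier-0 group."""
    return (event.get("event_id") in (4728, 4732, 4756)
            and _field(event, "TargetUserName") in TIER0_GROUPS)


RULES = {
    "dcsync": is_dcsync,
    "kerberoast": is_kerberoast,
    "golden_ticket_anomaly": is_golden_ticket_anomaly,
    "privileged_group_change": is_privileged_group_change,
}


def run_rules(events):
    """Return [(rule_name, event), ...] for every event that matches a rule."""
    return [(name, ev) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed sample events: each positive case is paired with a benign one
# that the query's exclusion is meant to suppress.
SAMPLE_EVENTS = [
    {"event_id": 4662, "event_data": {"SubjectUserName": "DC02$",          # DC replication: benign
        "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}},
    {"event_id": 4662, "event_data": {"SubjectUserName": "jsmith",         # user with replication rights
        "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}},
    {"event_id": 4769, "event_data": {"ServiceName": "svc_sql", "TicketEncryptionType": "0x17"}},   # RC4, user SPN
    {"event_id": 4769, "event_data": {"ServiceName": "svc_web", "TicketEncryptionType": "0x12"}},   # AES: benign
    {"event_id": 4769, "event_data": {"ServiceName": "krbtgt", "TicketEncryptionType": "0x17"}},    # krbtgt: excluded
    {"event_id": 4768, "event_data": {"TargetUserName": "ghostadmin", "TicketOptions": "0x40810010", "PreAuthType": "0"}},
    {"event_id": 4768, "event_data": {"TargetUserName": "jsmith", "TicketOptions": "0x40810010", "PreAuthType": "2"}},
    {"event_id": 4728, "event_data": {"TargetUserName": "Domain Admins", "MemberName": "CN=backdoor,CN=Users,DC=corp,DC=example"}},
    {"event_id": 4728, "event_data": {"TargetUserName": "Sales", "MemberName": "CN=jsmith,CN=Users,DC=corp,DC=example"}},
]

if __name__ == "__main__":
    for name, ev in run_rules(SAMPLE_EVENTS):
        print(f"{name:24s} {ev['event_data']}")
```

Running it fires exactly one alert per rule; the DC machine-account replication, the AES ticket, the krbtgt ticket, the pre-authenticated TGT request and the non-privileged group add all stay silent, which is the behaviour the exclusions in the KQL are there to produce.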
💡 Tip: Start with 5-10 high-confidence, low-noise detections rather than enabling every possible alert. DCSync, privileged group changes, and Kerberoasting detections have near-zero false positive rates when tuned correctly.
Remediation
💡 Quick Win: Enable Audit Directory Service Changes and Audit Directory Service Access on all Domain Controllers immediately. These two subcategories catch the majority of critical AD attacks.
1. Deploy Advanced Audit Policy via GPO
# Verify current audit policy on a DC
auditpol /get /category:*
# Set critical subcategories
auditpol /set /subcategory:"Directory Service Changes" /success:enable
auditpol /set /subcategory:"Directory Service Access" /success:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
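A check that turns the output of `auditpol /get /category:*` into a list of gaps against the subcategories in the audit policy table above, and emits the matching `auditpol /set` commands. This is an added example, not the article's or EtcSec's tooling: the required settings are taken from that table, and SAMPLE_AUDITPOL is constructed to mimic auditpol's two-column layout (indented subcategory, then setting), not output captured from a real Domain Controller.

```python
"""Check a Domain Controller's audit policy against the subcategories an AD
monitoring programme needs, and emit the auditpol commands that close gaps.

Added example, not the article's or EtcSec's tooling. REQUIRED follows the
audit policy table in the Detection section; SAMPLE_AUDITPOL is constructed
to mimic the two-column layout of `auditpol /get /category:*` and is not
output captured from a real DC."""
import re

# Subcategory -> audit settings that must be enabled (from the article's table).
REQUIRED = {
    "Kerberos Authentication Service": {"Success", "Failure"},
    "Kerberos Service Ticket Operations": {"Success", "Failure"},
    "User Account Management": {"Success", "Failure"},
    "Security Group Management": {"Success", "Failure"},
    "Directory Service Access": {"Success"},
    "Directory Service Changes": {"Success"},
    "Logon": {"Success", "Failure"},
    "Sensitive Privilege Use": {"Success"},
    "Audit Policy Change": {"Success"},
    "Certification Services": {"Success", "Failure"},
}

# Constructed sample of `auditpol /get /category:*` output (trimmed to the
# subcategories of interest; real output lists every category).
SAMPLE_AUDITPOL = """\
System audit policy
Category/Subcategory                      Setting
Account Logon
  Kerberos Service Ticket Operations      Success
  Kerberos Authentication Service         Success and Failure
Account Management
  User Account Management                 Success
  Security Group Management               Success and Failure
DS Access
  Directory Service Access                No Auditing
  Directory Service Changes               Success
Logon/Logoff
  Logon                                   Success and Failure
Privilege Use
  Sensitive Privilege Use                 No Auditing
Policy Change
  Audit Policy Change                     Success
Object Access
  Certification Services                  No Auditing
"""


def parse_auditpol(text):
    """Return {subcategory: set of enabled settings} from auditpol text.

    Subcategory lines are indented; category headers and the column header
    are not. 'No Auditing' yields an empty set."""
    policy = {}
    for line in text.splitlines():
        if not line.startswith("  "):
            continue
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) != 2:
            continue
        name, setting = parts
        policy[name] = {s for s in ("Success", "Failure") if s in setting}
    return policy


def find_gaps(policy):
    """Return {subcategory: sorted list of missing settings} for every gap."""
    gaps = {}
    for sub, needed in REQUIRED.items():
        missing = needed - policy.get(sub, set())
        if missing:
            gaps[sub] = sorted(missing)
    return gaps


def remediation_commands(gaps):
    """One auditpol /set line per gap, enabling only what is missing."""
    lines = []
    for sub, missing in gaps.items():
        flags = " ".join(f"/{m.lower()}:enable" for m in missing)
        lines.append(f'auditpol /set /subcategory:"{sub}" {flags}')
    return lines


if __name__ == "__main__":
    gaps = find_gaps(parse_auditpol(SAMPLE_AUDITPOL))
    for cmd in remediation_commands(gaps):
        print(cmd)
```

On the constructed sample this reports five gaps, including Directory Service Access set to No Auditing, which is exactly the condition under which a DCSync leaves no 4662 behind. A subcategory that is absent from the output altogether is treated as a gap too, so a truncated or mis-parsed dump fails closed rather than silently passing.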
2. Increase Security Log Size
The default Security log size (20MB) fills in hours on a busy DC. Increase to at least 1GB:
# Set Security log to 1GB with archive-when-full retention
wevtutil sl Security /ms:1073741824 /rt:false /ab:true
Or via GPO: Computer Configuration > Windows Settings > Security Settings > Event Log > Maximum security log size = 1048576 KB
3. Implement Windows Event Forwarding
Forward DC Security events to a central Windows Event Collector:
# On collector: enable WinRM, then create the subscription from an XML definition
winrm quickconfig
wecutil cs subscription.xml
# On source DCs: point the forwarder at the collector via GPO
# (Computer Configuration > Administrative Templates > Windows Components >
#  Event Forwarding > Configure target Subscription Manager), then refresh policy
gpupdate /force
4. Establish Kerberos and Logon Baselines
# Hourly counts of TGT requests (4768) over the past 7 days, to establish a baseline
Get-WinEvent -ComputerName DC01 -FilterHashtable @{LogName='Security'; Id=4768; StartTime=(Get-Date).AddDays(-7)} |
Group-Object {$_.TimeCreated.Hour} |
Select-Object Name, Count |
Sort-Object {[int]$_.Name}   # Name is a string; cast so hours sort 0..23, not "0","1","10","11"
Use the baseline to tune anomaly detection thresholds in your SIEM.
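Turning the hourly counts from that pipeline into per-hour-of-day thresholds for the SIEM. This is an added example, not the article's code: the week of counts is constructed (a synthetic daytime peak and quiet nights, one count per day and hour, as the Get-WinEvent grouping would give if collected per day), and the mean plus three standard deviations rule with a minimum margin is an assumption about how to set the threshold, not something the article prescribes.

```python
"""Turn per-hour TGT (4768) counts into per-hour-of-day alert thresholds.

Added example, not the article's code. The weekly counts are constructed
(daytime peak, quiet night) rather than real DC data; in practice they come
from the Get-WinEvent grouping the article shows, collected per day for a
week. The threshold rule (mean + 3 sigma, with a floor) is an assumption."""
from collections import defaultdict
from statistics import mean, stdev

SIGMAS = 3.0      # alert when an hour's count exceeds mean + 3 standard deviations
MIN_MARGIN = 5    # floor so a perfectly flat hour still has some headroom


def constructed_week():
    """Yield (day, hour, tgt_count) for 7 days of deterministic synthetic data."""
    for day in range(7):
        for hour in range(24):
            base = 50 if 8 <= hour < 18 else 5          # business hours vs. night
            yield day, hour, base + (day * hour) % 7    # small day-to-day jitter


def build_baseline(samples):
    """Map hour-of-day -> (mean, threshold) from (day, hour, count) samples."""
    by_hour = defaultdict(list)
    for _day, hour, count in samples:
        by_hour[hour].append(count)
    baseline = {}
    for hour, counts in by_hour.items():
        mu = mean(counts)
        sd = stdev(counts) if len(counts) > 1 else 0.0
        baseline[hour] = (mu, mu + max(SIGMAS * sd, MIN_MARGIN))
    return baseline


def is_anomalous(baseline, hour, count):
    """True when an observed hourly count exceeds that hour's threshold."""
    _mu, threshold = baseline[hour]
    return count > threshold


if __name__ == "__main__":
    bl = build_baseline(constructed_week())
    for h in sorted(bl):
        print(f"hour {h:02d}: mean {bl[h][0]:6.1f}  threshold {bl[h][1]:6.1f}")
```

Keying the baseline on hour of day rather than one global average is the point: a burst of a few hundred TGT requests at 03:00 is far outside the night-time threshold while being unremarkable at 11:00, and a single overall threshold would either miss the former or page on the latter.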
How EtcSec Detects This
EtcSec checks your audit policy configuration as part of every AD scan, identifying gaps that would leave critical attacks undetected.
Monitoring-related checks flag Domain Controllers with insufficient audit policy coverage, missing log forwarding configuration, and Security log sizes too small to retain meaningful history.
These findings appear in the Monitoring category of every EtcSec report, with specific recommendations for the subcategories and event IDs needed to detect each vulnerability class that EtcSec identifies in your environment.
ℹ️ Note: EtcSec audits your security monitoring posture alongside your AD configuration. Run a free audit to see what attacks your current logging would miss.
Related articles: Golden Ticket Attack | ACL Abuse and DCSync | ADCS Certificate Attacks

