Intermediate

AD Security Event Monitoring

Windows Security Event Logs are the primary detection mechanism for AD attacks — knowing which Event IDs to monitor and what patterns to look for is the difference between catching an attack in progress and discovering it months later.

Every Domain Controller generates security events: who logged in, what they accessed, what changed. These events are your primary detection tool. The challenge is knowing which events matter. Event ID 4768 (TGT request) with PreAuthType 0 means AS-REP Roasting. Event ID 4769 (service ticket request) with RC4 encryption means likely Kerberoasting. Event ID 4662 (directory access) with replication GUIDs from a non-DC account means DCSync. Event ID 5136 (object modification) on sensitive attributes means potential persistence. By monitoring these key events and creating alerts for suspicious patterns, you can detect most AD attacks within minutes instead of discovering them during a breach investigation months later.

A casino does not just have cameras — it has trained operators who know exactly what to watch for: a dealer's hand signal, a chip placement pattern, a player visiting specific tables in sequence. The cameras record everything, but detection comes from knowing which patterns matter. AD event monitoring works the same way: the domain generates thousands of events per minute, but a trained defender watching Event IDs 4662, 4768, 4769, and 5136 can spot DCSync, Golden Tickets, Kerberoasting, and object tampering in real time.

Key Takeaways

  1. Enable Advanced Audit Policy on all DCs — the default audit settings miss most attacks.
  2. Key Event IDs: 4768/4769 (Kerberos), 4662 (DCSync), 5136 (object changes), 4625 (failed logons), 7045 (services).
  3. Pattern detection matters more than individual events: one 4769 with RC4 is noise, but 50 in a minute is Kerberoasting.
  4. Forward DC logs to a SIEM — attackers with DC access can clear local event logs.
  5. PowerShell transcription and Script Block Logging capture attacker tool execution.
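The per-event indicators from the overview (4768 with Pre-Authentication Type 0, 4769 with RC4, 4662 carrying replication GUIDs from a non-DC account, 5136 on a sensitive attribute) and the threshold rule from takeaway 3 (a single RC4 4769 is noise, dozens in a minute are not) can be expressed as a small triage routine. The code below is an added example and not part of the original page or any SIEM product: the event records are constructed dictionaries that mirror the field names of the Windows Security log events, and the DC account set, the sensitive-attribute watchlist, and the 50-per-minute threshold are assumptions chosen to illustrate the guidance rather than vendor defaults. The replication-right GUIDs and the RC4 encryption type value are the real, documented constants.

```python
"""Toy AD security-event triage over constructed sample records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Documented extended-right GUIDs that a DCSync replication request exercises.
# Seeing them in a 4662 "Properties" field from a non-DC account is the indicator.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = 0x17              # 4769 TicketEncryptionType value for RC4-HMAC
DC_ACCOUNTS = {"DC01$"}      # assumption: machine accounts of this domain's DCs
# Assumed 5136 watchlist: attributes commonly modified to persist in a domain.
SENSITIVE_ATTRIBUTES = {"member", "servicePrincipalName", "userAccountControl",
                        "msDS-AllowedToActOnBehalfOfOtherIdentity"}


def classify(ev):
    """Map one event record to a list of indicator labels (empty if benign)."""
    eid = ev["EventID"]
    if eid == 4768 and ev.get("PreAuthType") == 0:      # 0 = no pre-authentication
        return ["no-preauth TGT request (AS-REP Roasting candidate)"]
    if eid == 4769 and ev.get("TicketEncryptionType") == RC4_HMAC:
        return ["RC4 service ticket (Kerberoasting candidate)"]
    if eid == 4662:
        used = set(ev.get("Properties", []))
        if used & REPLICATION_GUIDS and ev["SubjectUserName"] not in DC_ACCOUNTS:
            return ["replication rights used by non-DC account (DCSync)"]
    if eid == 5136 and ev.get("AttributeLDAPDisplayName") in SENSITIVE_ATTRIBUTES:
        return ["sensitive attribute modified (possible persistence)"]
    return []


def detect_kerberoast_bursts(events, threshold=50, window=timedelta(minutes=1)):
    """Sliding-window count of RC4 service-ticket requests per requesting account.

    Returns {account: time_of_first_alert} for accounts that reach `threshold`
    RC4 4769 events inside any `window`. A lone RC4 ticket never alerts.
    """
    alerts, recent = {}, defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] != 4769 or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        user = ev["TargetUserName"]           # in 4769 this is the requester
        q = recent[user]
        q.append(ev["Time"])
        while q and ev["Time"] - q[0] > window:
            q.popleft()                        # drop requests older than the window
        if len(q) >= threshold and user not in alerts:
            alerts[user] = ev["Time"]
    return alerts


def sample_events():
    """Constructed sample events (not real log data); times are relative to t0."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = [
        {"EventID": 4768, "Time": t0, "TargetUserName": "svc_backup", "PreAuthType": 0},
        {"EventID": 4768, "Time": t0, "TargetUserName": "alice", "PreAuthType": 2},
        {"EventID": 4662, "Time": t0, "SubjectUserName": "DC01$",
         "Properties": sorted(REPLICATION_GUIDS)},            # normal DC replication
        {"EventID": 4662, "Time": t0, "SubjectUserName": "bob",
         "Properties": sorted(REPLICATION_GUIDS)},            # user account replicating
        {"EventID": 5136, "Time": t0, "SubjectUserName": "bob", "AttributeLDAPDisplayName": "member"},
        {"EventID": 5136, "Time": t0, "SubjectUserName": "alice", "AttributeLDAPDisplayName": "description"},
    ]
    for i in range(3):   # baseline: three RC4 tickets spread over an hour (noise)
        events.append({"EventID": 4769, "Time": t0 + timedelta(minutes=20 * i),
                       "TargetUserName": "alice", "ServiceName": f"svc{i}",
                       "TicketEncryptionType": RC4_HMAC})
    for i in range(60):  # burst: sixty RC4 tickets in thirty seconds
        events.append({"EventID": 4769, "Time": t0 + timedelta(seconds=i // 2),
                       "TargetUserName": "mallory", "ServiceName": f"svc{i}",
                       "TicketEncryptionType": RC4_HMAC})
    return events


def triage(events):
    """Return (per-event hits as (EventID, account, label), burst alerts)."""
    hits = [(ev["EventID"], ev.get("SubjectUserName") or ev.get("TargetUserName"), label)
            for ev in events for label in classify(ev)]
    return hits, detect_kerberoast_bursts(events)


if __name__ == "__main__":
    hits, bursts = triage(sample_events())
    for hit in hits:
        print(hit)
    print("Kerberoasting bursts:", bursts)
```

Note the two layers: `classify` labels single events so they can be enriched and kept for investigation, while `detect_kerberoast_bursts` is the only part that should page someone, because the per-event RC4 label fires on every legacy service ticket. In a real deployment the window and threshold would be tuned against the domain's own baseline, and the DC account set would come from the directory rather than a hard-coded list.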

Why Should I Care?

You cannot defend what you cannot see. AD event monitoring is the foundation of attack detection — without it, attackers operate undetected for an average of 200+ days before discovery.

SourceSudo

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.