Track and Remediate Malicious AD Changes

Active Directory Change Auditing & Rollback

Audit and remediate malicious changes in Active Directory and Azure Active Directory.

Stop fast-moving Active Directory attacks

Sophisticated ransomware-as-a-service (RaaS) groups are targeting Active Directory, the core identity service for 90% of organizations worldwide, with attacks that move through networks at astonishing speed. To stop these attacks, organizations need to track malicious changes in real time and roll them back swiftly.

By the numbers:

  • 73% of organizations are NOT confident they could prevent Azure AD attacks (Semperis report)
  • Pen testers succeed in compromising AD in 82% of their attempts (Enterprise Management Associates)
  • 1 hour, 42 minutes: the median time for an attacker to begin moving laterally after device compromise (Microsoft Digital Defense Report)
  • 7 minutes: the time it took for the 2017 NotPetya attack to cripple the Maersk network; recovering Active Directory took 9 days

Defend AD with advanced change auditing and remediation

Auditing and remediating malicious changes in Active Directory requires solutions that are purpose-built for sophisticated attacks targeting both on-prem AD and Azure AD. The first step is to implement monitoring tools that detect changes across the hybrid AD environment, including user account modifications, Group Policy changes, and changes to domain controllers (DCs), and that show who made each change and when. Once changes have been detected, you need to respond quickly and accurately. In many cases attacks move through networks too fast for human intervention, so having automated remediation in place is critical.

  • Monitor: Continuously monitor AD and Azure AD for malicious changes.
  • Audit: Audit changes that move through the AD infrastructure.
  • Remediate: Roll back malicious changes in on-prem AD and Azure AD.

Tracking changes across AD and Azure AD

The Azure AD security paradigm is different

Many organizations are embracing hybrid identity environments, running both on-premises Active Directory and Azure AD. Although the flexibility of hybrid identity brings huge benefits, it also increases risk. Just as with on-prem AD, Azure AD has its own weaknesses, and the hybrid mix creates additional opportunities for attackers. As in the Kaseya and SolarWinds breaches, cybercriminals exploit weaknesses in hybrid identity systems by gaining entry in the cloud and moving to the on-premises system, or vice versa. Auditing and remediating malicious changes in Azure AD therefore requires a different approach from on-premises AD security management.

  • A new authentication model means that familiar concepts such as forests and Group Policy Objects no longer apply in the Azure AD environment.
  • Decisions such as whether to synchronize on-prem AD with Azure AD through Azure AD Connect can have significant security consequences.
  • The traditional network perimeter doesn’t exist in Azure AD, so IT and security teams must defend an endless array of potential entry points.
  • Shifting to Azure AD brings significant changes to the permissions model: in a hybrid AD environment, identities are synchronized to the cloud, where they are exposed to attacks similar to the SolarWinds and Kaseya attacks.
  • Lack of visibility into potentially malicious changes across the hybrid AD environment compromises security.
Auditing Azure AD and on-prem AD changes is difficult

Lack of visibility across the hybrid AD environment means that attacks could enter through Azure AD and move to on-prem AD, or vice versa. Organizations need solutions that will help them audit and remediate attacks whether they originate in the cloud or in the on-premises identity environment.

  • Single view of changes across Azure AD and on-prem AD can shine a light on attacks that move through the environment.
  • Real-time Azure AD change auditing can help monitor malicious changes.
  • Ability to roll back changes in both on-prem AD and Azure AD helps respond to fast-moving attacks in the hybrid AD environment.

Auditing AD changes that bypass SIEMs

Advanced attacks can evade tracking

The ability to spot attackers entering, moving about, or worse, administering your identity system is key to a swift response. Given the lengthy dwell times observed for malware, cyber criminals are clearly very good at working in stealth. To spot advanced attacks that evade log- or event-based systems, you need a solution that uses different tactics to track AD and Azure AD security threats.

  • Uses multiple data sources, including the AD replication stream, to audit changes such as Group Policy changes, changes to the membership of Domain Admins, and other changes that elude many monitoring systems.
  • Uses tamperproof tracking to capture changes even if security logging is turned off, logs are deleted, agents are disabled or stop working, or changes are injected directly into AD.
  • Offers forensic analysis to identify suspicious changes, isolate changes made by compromised accounts, and track down other sources and details of incidents.
  • Provides real-time notifications as operational and security-related changes happen in AD.

Remediate malicious AD and Azure AD changes

Stopping AD attacks requires swift action

AD-related cyberattacks can paralyze business operations in minutes. To stop attacks, organizations need solutions that offer automated remediation of unwanted changes.

  • Automated rollback of malicious changes stops attacks that move through networks too fast for human intervention.
  • Instant find-and-fix search capabilities help organizations address unwanted AD object and attribute changes in minutes.
  • Granular rollback capabilities help IT and security teams undo changes to individual attributes, group members, objects, and containers to any point in time.
Our mission resonates with industry leaders
Gartner Peer Insights

“We have lots of changes happening to our Active Directory environment, adding Linux servers, etc… [Directory Services Protector] helps us monitor and revert dangerous changes with one button click.”

IT Team Member, Enterprise Organization

El Al Israel Airlines

“Semperis offers superior technology, and their Directory Services Protector is a tremendous asset for any company that uses Active Directory.”

Chen Amran, Deputy Director of Infrastructure & Communication, El Al Airlines

Healthcare

“We use Directory Services Protector to alert us on Group Policy changes. It has allowed us to implement stronger internal change control and improvement processes to prevent rogue IT activities that might be convenient to us but are not secure.”

Chief Technology Officer, Orthopedic Specialty Medical Practice

Gartner Peer Insights

“Directory Services Protector is exceptional with reporting, real-time monitoring and remediation, active reporting and instant notifications when objects are modified or changed.”

Senior Windows Systems Administrator, Enterprise Organization

Frequently asked questions about AD change auditing and rollback

What is Active Directory auditing?

Active Directory auditing is the process of monitoring AD for vulnerabilities and for the common configuration and management mishaps that open the door to security compromises. Many organizations have legacy AD environments with dozens or hundreds of misconfigurations that have accumulated over time. Because of limited resources and a lack of AD skills on staff, continuous auditing of AD and Azure AD for security gaps is often overlooked. Cyber criminals know that many common AD security gaps go unaddressed, making AD the #1 cyberattack target: Mandiant researchers report that 9 out of 10 attacks involved AD in some way. To understand the AD security vulnerabilities in your organization, download Purple Knight, a free AD security assessment tool that scans the AD environment for hundreds of Indicators of Exposure (IOEs) and Compromise (IOCs), provides an overall security score, and provides prioritized remediation guidance from AD security experts.

How do you audit Group Policy changes?

Auditing Group Policy changes is a critical part of hardening Active Directory security, and it is challenging because traditional event-based monitoring solutions typically don’t record what changed inside a Group Policy Object. For example, if an attacker uses a Group Policy change to deploy Ryuk ransomware, the only signal will be that an account with access to the Group Policy made a change, which probably won’t trigger an alert. To catch malicious changes to Group Policy, you need a solution that uses multiple sources of data, including the AD replication stream, for the additional context that indicates an attack in progress. To understand the Group Policy misconfigurations in your AD, download Purple Knight, a free AD security assessment tool that scans the AD environment for hundreds of Indicators of Exposure (IOEs) and Compromise (IOCs). Purple Knight checks for several Group Policy misconfigurations, including SYSVOL executable changes, GPO linking delegation at the AD site level, and reversible passwords found in GPOs.
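As an added example, not Semperis code and not part of Purple Knight, the following PowerShell script implements two of the Group Policy checks named above directly against SYSVOL: it baselines a SHA-256 hash of every script and binary under the Policies share and reports additions, modifications and removals on the next run, and it flags Group Policy Preferences XML files that still carry a cpassword value (recoverable, because the AES key that protects them is published by Microsoft; MS14-025 removed the ability to create new ones but left existing files in place). It assumes a domain-joined Windows host with read access to \\<domain>\SYSVOL; the baseline file path and the list of executable extensions are arbitrary choices.

```powershell
# Added example, not Semperis or Purple Knight code. Assumes a domain-joined Windows host.
$Domain       = $env:USERDNSDOMAIN                              # e.g. CORP.EXAMPLE.COM
$PoliciesRoot = "\\$Domain\SYSVOL\$Domain\Policies"
$BaselinePath = Join-Path $env:ProgramData 'sysvol-baseline.json' # assumed location, change as needed

# File types Group Policy hands to clients and runs: scripts, installers, binaries (assumed list).
$ExecutableExt = '.exe','.dll','.ps1','.bat','.cmd','.vbs','.js','.hta','.scr','.msi'

function Get-SysvolInventory {
    Get-ChildItem -Path $PoliciesRoot -Recurse -File -ErrorAction Stop |
        Where-Object { $ExecutableExt -contains $_.Extension.ToLower() } |
        ForEach-Object {
            [pscustomobject]@{
                Path = $_.FullName.Substring($PoliciesRoot.Length).TrimStart('\')  # relative to Policies
                Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Size = $_.Length
            }
        }
}

$current = @(Get-SysvolInventory)

if (-not (Test-Path $BaselinePath)) {
    # First run: record what is there now. Review this list by hand before trusting it.
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) files). Re-run to diff."
} else {
    $baseline = @{}
    foreach ($f in @(Get-Content $BaselinePath -Raw | ConvertFrom-Json)) { $baseline[$f.Path] = $f.Hash }
    $seen = @{}
    foreach ($f in $current) {
        $seen[$f.Path] = $true
        if (-not $baseline.ContainsKey($f.Path)) {
            Write-Warning "NEW executable in SYSVOL: $($f.Path)"
        } elseif ($baseline[$f.Path] -ne $f.Hash) {
            Write-Warning "MODIFIED executable in SYSVOL: $($f.Path)"
        }
    }
    foreach ($p in $baseline.Keys) {
        if (-not $seen.ContainsKey($p)) { Write-Warning "REMOVED from SYSVOL: $p" }
    }
}

# Group Policy Preferences stored credentials: any cpassword="..." attribute is recoverable.
Get-ChildItem -Path $PoliciesRoot -Recurse -File -Filter *.xml -ErrorAction SilentlyContinue |
    Select-String -Pattern 'cpassword="[^"]+"' |
    ForEach-Object {
        # The GPO GUID is the {…} folder name in the file's path.
        $gpoGuid = ($_.Path -split '\\' | Where-Object { $_ -match '^\{[0-9A-Fa-f-]+\}$' })[0]
        Write-Warning "Reversible GPP password in GPO $gpoGuid : $($_.Filename) line $($_.LineNumber)"
    }
```

Run it once to write the baseline, then on a schedule; a new or changed file in SYSVOL with no matching change ticket is exactly the signal the event log alone does not give you. Because the script reads the file system rather than the Security log, it still works when auditing has been disabled, but it sees only the state of SYSVOL on the DC it reads from, so point it at more than one DC if replication is in doubt.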

How do I track changes in Active Directory?

To track changes in Active Directory, you need to continuously monitor the AD environment for Indicators of Exposure (IOEs) and Compromise (IOCs) related to Active Directory account security, AD delegation, Group Policy, Kerberos, Azure AD security, and AD infrastructure security. Ransomware groups are constantly developing new methods of compromising AD, which is the primary identity store for 90% of organizations worldwide. With privileged access to AD, cyber criminals can reach the entire network and bring business operations to a standstill. For a point-in-time assessment of AD security gaps, download Purple Knight, a free AD security assessment tool that scans the AD environment for hundreds of Indicators of Exposure (IOEs) and Compromise (IOCs), provides an overall security score, and provides prioritized remediation guidance from AD security experts. To continuously track changes in AD and Azure AD, check out Directory Services Protector, an AD threat detection and monitoring solution that tracks changes in AD and Azure AD and provides automated rollback of malicious AD changes.

How can I track security vulnerabilities in Azure AD?

You can use the free AD security assessment tool Purple Knight to scan your Azure AD environment for various IOEs and IOCs, including inactive guest accounts, misconfigured conditional access policies, and Azure AD privileged users who are also privileged users in on-prem AD, which can result in both environments being compromised. You can use Directory Services Protector to track Azure AD changes in real time; for more information, see “5 New Ways to Secure AD and Azure AD.”

How can I audit Active Directory changes such as DCShadow?

DCShadow is one of a few attack techniques that leave little or no trace in the Security event log, so they are difficult to detect with traditional event- or log-based systems. Instead of writing through the normal LDAP path on a domain controller, the attacker registers a temporary rogue domain controller and pushes changes into the replication stream, so the production DCs accept the changes as ordinary replicated updates and the SIEM never sees a directory-change event for them. To guard against attacks that bypass traditional monitoring, organizations need solutions that use multiple sources of data, including the AD replication stream itself. For comprehensive AD threat detection and response, including the ability to audit AD for attacks that evade SIEMs and other traditional monitoring tools, check out Directory Services Protector.
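The following PowerShell script is an added example, not Semperis or Directory Services Protector code, that demonstrates the two points above with the tooling every domain already has: reading replication metadata as a tamper-resistant record of who changed a privileged group membership and when (the “changes captured even if logs are deleted” point in the auditing section), and using that same metadata to spot changes whose originating DSA is not a domain controller the forest currently knows about, which is the pattern a DCShadow push leaves behind. It assumes the RSAT ActiveDirectory module, a domain account that can read the domain and configuration partitions, and a single-domain forest; the function and variable names are the author’s own.

```powershell
# Added example, not Semperis code. Replication metadata lives inside the directory on every DC,
# so it survives cleared Security logs, disabled audit policy and stopped agents.
Import-Module ActiveDirectory

$dc = (Get-ADDomain).PDCEmulator   # any writable DC will do; the PDC is a convenient single target

# Inventory of legitimate DCs: each has an NTDS Settings (nTDSDSA) object and an invocation ID.
$knownDCs      = @(Get-ADDomainController -Filter * -Server $dc)
$knownDsaDNs   = @($knownDCs | ForEach-Object { $_.NTDSSettingsObjectDN })
$knownInvocIds = @($knownDCs | ForEach-Object { $_.InvocationId.ToString() })

function Get-GroupMemberHistory {
    param([Parameter(Mandatory)][string]$GroupName)
    $group = Get-ADGroup -Identity $GroupName -Server $dc
    # -ShowAllLinkedValues returns one row per linked value ever held, removed members included.
    Get-ADReplicationAttributeMetadata -Object $group.DistinguishedName -Server $dc -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        ForEach-Object {
            $dsa     = [string]$_.LastOriginatingChangeDirectoryServerIdentity
            $inv     = [string]$_.LastOriginatingChangeDirectoryServerInvocationId
            $deleted = $_.LastOriginatingDeleteTime
            # A removed link keeps a real delete time; a present link has none (or the 1601 epoch).
            $state   = if ($deleted -and $deleted.Year -gt 1601) { 'Removed' } else { 'Present' }
            [pscustomobject]@{
                Member         = $_.AttributeValue
                State          = $state
                ChangedAt      = $_.LastOriginatingChangeTime
                Version        = $_.Version
                OriginatingDSA = $dsa
                # True only when the change was originated by a DC that exists right now.
                FromKnownDC    = ($knownDsaDNs -contains $dsa) -or ($knownInvocIds -contains $inv)
            }
        }
}

# Any nTDSDSA object in the Configuration partition that is not one of our DCs is a replication
# partner the forest does not know it has: a rogue DC registered for DCShadow, or leftover metadata.
function Get-UnexpectedDsaObjects {
    $configNC = (Get-ADRootDSE -Server $dc).configurationNamingContext
    Get-ADObject -Server $dc -SearchBase $configNC -LDAPFilter '(objectClass=nTDSDSA)' |
        Where-Object { $knownDsaDNs -notcontains $_.DistinguishedName }
}

$history = Get-GroupMemberHistory -GroupName 'Domain Admins'
$history | Sort-Object ChangedAt -Descending |
    Format-Table Member, State, ChangedAt, Version, OriginatingDSA, FromKnownDC -AutoSize

$history | Where-Object { -not $_.FromKnownDC } | ForEach-Object {
    Write-Warning "Domain Admins member '$($_.Member)' ($($_.State)) last changed $($_.ChangedAt) from DSA '$($_.OriginatingDSA)', which is not a current DC"
}
Get-UnexpectedDsaObjects | ForEach-Object { Write-Warning "Unexpected nTDSDSA object: $($_.DistinguishedName)" }
```

Two caveats a practitioner should keep in mind. A change that reports an unknown originating DSA is evidence, not proof: a DC that was demoted after making a legitimate change produces the same signature, so correlate the timestamp with your change records before declaring an incident. And the nTDSDSA check compares against the current domain’s DCs only; in a multi-domain forest, build the known list from every domain (for example by iterating Get-ADForest’s Domains) or you will flag every DC in the other domains.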

Audit and remediate malicious changes in Active Directory

Don’t miss AD or Azure AD threats

Check out Directory Services Protector

More resources

Learn more about how to audit and roll back malicious changes in Active Directory and Azure AD.