ADTimeline: Threathunting with Active Directory data
Active Directory is a prime target in almost all cyberattacks, and attackers often attempt to gain Domain Admin privileges and maintain their access. It is therefore crucial for security teams to monitor the changes occurring in Active Directory. Those modifications are recorded in the Domain Controllers' Windows event logs, but their scope and completeness depend on the auditing strategy configured. Moreover, those events are rarely centralized, analyzed and archived. As a consequence, replication metadata is sometimes the only artefact left for the DFIR analyst to characterize modifications made to Active Directory.
ADTimeline is a forensic tool, written in PowerShell, which aims to create a timeline of Active Directory changes from replication metadata. The ADTimeline application for Splunk processes and analyses the data collected by the PowerShell script to help the DFIR analyst perform their investigation. In addition, the Active Directory data indexed in Splunk can be coupled with the analysis of Windows event logs to perform relevant threat hunting queries.
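To illustrate the artefact the text relies on, here is an added example (not ADTimeline's own code) that builds a minimal change timeline for one object from its replication metadata using the RSAT ActiveDirectory module; the function name, the choice of the PDC emulator as query target and the "Domain Admins" group are assumptions.

```powershell
# Added example, not part of ADTimeline: turn replication metadata into a
# per-object timeline. Requires the ActiveDirectory module and read access
# to a Domain Controller.
Import-Module ActiveDirectory

function Get-ObjectChangeTimeline {
    param(
        # DN, objectGUID, SID or sAMAccountName of the object to examine
        [Parameter(Mandatory)][string]$Identity,
        # Assumption: query the PDC emulator; any DC holds its own metadata copy
        [string]$Server = (Get-ADDomain).PDCEmulator
    )
    # -ShowAllLinkedValues returns one row per linked value (e.g. each
    # 'member' entry), including values that were later removed, each with
    # its own originating change time and version counter.
    Get-ADReplicationAttributeMetadata -Object $Identity -Server $Server -ShowAllLinkedValues |
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.LastOriginatingChangeTime
                Attribute   = $_.AttributeName
                Value       = $_.AttributeValue
                Version     = $_.Version          # increments on every write
                DeletedTime = $_.LastOriginatingDeleteTime
                OriginDC    = $_.LastOriginatingChangeDirectoryServerIdentity
            }
        } | Sort-Object Time
}

# Example: when were members added to or removed from Domain Admins,
# and on which DC did the write originate?
$dn = (Get-ADGroup 'Domain Admins').DistinguishedName
Get-ObjectChangeTimeline -Identity $dn |
    Where-Object Attribute -eq 'member' |
    Format-Table Time, Value, Version, DeletedTime, OriginDC -AutoSize
```

Unlike event logs, this metadata exists regardless of the audit policy, so a removed 'member' value with a recent DeletedTime still surfaces here even if no event was ever logged or retained.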