I was lucky enough to get my ticket early to BSIDES AUSTIN this year and being the life of an Incident Handler I had to duck out of a few talks I really wanted to see - one was on the DC SHADOW attack by Don Perez and Adam Steed. Fortunately I got a ton of friends here in Austin and was able to get the rundown by a few analysts that I trust explicitly. The way the attack was detailed to me was basically a way to stand up a malicious domain controller and create/remove objects from a domain without any logging. Sneaky.
I immediately started reading up on this attack and immediately started looking into some things. First thing I noticed was the title - Active Directory: What can make your million dollar SIEM go blind? and I thought - oh they're hiding from the DC Logs. What a critical technique for Cyber Security practitioners for detecting evil. The SIEM (Security Incident and Event Management) tool, pronounced sim with a silent "E", it's not seem, but I digress,... The SIEM has been a critical tool for security analysts since the dawn of Cinxi or ArcSight - which were my first SIEMs. The ability to roll up logs and alert on those logs has been critical for all Cyber Security Practitioners, and remains that way.
However, something that I've done since my second job in Cyber Security is monitor Administrative accounts directly without the SIEM. My thinking has always been, what if the SIEM breaks? What if there is a way to do something without the event logging? Redundancy in alerting is never a bad idea, I would argue it is a basic strategy of defense in depth - although a nested category of DiD but what are you going to do?
So, the premise is simple using the Active Directory Cmdlets for PowerShell - I like to pull a list of all administrative security groups and query who is added to or removed from those groups. Yes, I know this is basic, so basic in fact that you should have multiple methods for detecting and alerting. I have the task run on a schedule task, and when there's a change I have it shoot an email, bang! Easy as pie. OK so yes, Compare-Object has some weird idiosyncrasies - but lucky for you I've written the script and added to my git repo. I hate writing readmes but just go in there and change the necessary fields in the xml file and you should be good to go.