Active Directory Users


Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

Overview

📘 Note

This process is required when connecting on-prem AD. For cloud-managed AD, follow this guide.

Table name: active_directory_users

On this page, you will find an explanation of how to integrate your Active Directory Users data source with Hunters. This table contains information about domain users and their properties, including personal information.
The Hunters Pipeline uses this data source primarily to correlate different identifiers such as usernames, email addresses and AWS user ARNs with a single individual entity. This provides context to security-related events and enables the correlation of signals from different attack surfaces.

This data source is crucial for correlating certain data types, especially when data from other IAM technologies like Okta or OneLogin isn't being used.

Send data to Hunters

STEP 1: Extract data from Active Directory

To retrieve the data in the expected format, execute the following PowerShell on one of the Domain Controllers in your network (or on any domain-joined host that has the ActiveDirectory module from RSAT installed, which avoids running scheduled jobs on a DC):

Import-Module ActiveDirectory
# Renders a DateTime attribute as UTC "yyyy-MM-ddTHH:mm:ss" (the format the pipeline expects).
# An empty attribute (e.g. AccountExpirationDate on a non-expiring account) yields an empty cell.
function ConvertTo-UtcString ($dt) { if ($dt) { $dt.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss') } }
Get-ADUser -Filter * -Properties ACCOUNTEXPIRATIONDATE, ACCOUNTEXPIRES, ACCOUNTLOCKOUTTIME, BADLOGONCOUNT, CANNOTCHANGEPASSWORD, CANONICALNAME, CERTIFICATES, CITY, CN, COMPANY, COUNTRY, Created, DEPARTMENT, DESCRIPTION, DISPLAYNAME, DISTINGUISHEDNAME, DIVISION, EMAILADDRESS, EMPLOYEEID, EMPLOYEENUMBER, ENABLED, GIVENNAME, INITIALS, ISDELETED, LASTBADPASSWORDATTEMPT, LASTLOGONDATE, LOCKEDOUT, MANAGER, MEMBEROF, MODIFIED, NAME, OBJECTCATEGORY, OBJECTCLASS, OBJECTGUID, OBJECTSID, OFFICE, ORGANIZATION, OTHERNAME, PASSWORDEXPIRED, PASSWORDLASTSET, PASSWORDNEVEREXPIRES, PASSWORDNOTREQUIRED, PWDLASTSET, SAMACCOUNTNAME, SAMACCOUNTTYPE, SID, STATE, STREETADDRESS, SURNAME, TITLE, WHENCHANGED, WHENCREATED |
Select-Object -Property `
    @{Name='ACCOUNTEXPIRATIONDATE'; Expression={ ConvertTo-UtcString $_.ACCOUNTEXPIRATIONDATE }}, ACCOUNTEXPIRES,
    @{Name='ACCOUNTLOCKOUTTIME'; Expression={ ConvertTo-UtcString $_.ACCOUNTLOCKOUTTIME }}, BADLOGONCOUNT, CANNOTCHANGEPASSWORD, CANONICALNAME, CERTIFICATES, CITY, CN, COMPANY, COUNTRY,
    @{Name='Created'; Expression={ ConvertTo-UtcString $_.Created }}, DEPARTMENT, DESCRIPTION, DISPLAYNAME, DISTINGUISHEDNAME, DIVISION, EMAILADDRESS, EMPLOYEEID, EMPLOYEENUMBER, ENABLED, GIVENNAME, INITIALS, ISDELETED,
    @{Name='LASTBADPASSWORDATTEMPT'; Expression={ ConvertTo-UtcString $_.LASTBADPASSWORDATTEMPT }},
    @{Name='LASTLOGONDATE'; Expression={ ConvertTo-UtcString $_.LASTLOGONDATE }}, LOCKEDOUT, MANAGER, MEMBEROF,
    @{Name='MODIFIED'; Expression={ ConvertTo-UtcString $_.MODIFIED }}, NAME, OBJECTCATEGORY, OBJECTCLASS, OBJECTGUID, OBJECTSID, OFFICE, ORGANIZATION, OTHERNAME, PASSWORDEXPIRED,
    @{Name='PASSWORDLASTSET'; Expression={ ConvertTo-UtcString $_.PASSWORDLASTSET }}, PASSWORDNEVEREXPIRES, PASSWORDNOTREQUIRED, PWDLASTSET, SAMACCOUNTNAME, SAMACCOUNTTYPE, SID, STATE, STREETADDRESS, SURNAME, TITLE,
    @{Name='WHENCHANGED'; Expression={ ConvertTo-UtcString $_.WHENCHANGED }},
    @{Name='WHENCREATED'; Expression={ ConvertTo-UtcString $_.WHENCREATED }} |
Export-Csv <FILE.CSV> -Encoding UTF8   # UTF8 keeps non-ASCII names intact (Windows PowerShell's Export-Csv defaults to ASCII)

📘 Note

If your organization consists of several Active Directory Domains, you will need to perform this process for each Domain. For a better integration, it is recommended to create a periodic scheduled task (e.g. once a day) that executes the command above and ships the resulting files to Hunters. The export contains personal data and group memberships, so run the task under an account with read-only directory rights and restrict read access to the output location.

STEP 2: Validate data format

📘 Note

These steps are relevant only if you are using your organization’s AWS S3 bucket. Skip this section if you are using a Hunters-hosted bucket.

  1. Create a dedicated folder for these files inside the bucket, with an indicative name such as active_directory_users.

  2. Transfer the output file as is, without modifications, to the dedicated prefix inside the shared bucket (created in the previous step).

  3. The output time fields within the file (CREATED, MODIFIED, etc.) must all be in the following format: %Y-%m-%dT%H:%M:%S in UTC time. This is what the ToUniversalTime calls in the script above produce.

  4. The file name should start with the execution time (snapshot time), in the following format: %Y%m%dT%H%M%S (e.g. 20210502T120000_ad_users.csv).
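The whole procedure (per-domain export, UTC time-field check, snapshot-named file, upload to the dedicated prefix) as one script suitable for the daily scheduled task. This is an added example, not Hunters' own code: the bucket name, the prefix, the domain list and the use of the AWS Tools for PowerShell `Write-S3Object` cmdlet are assumptions, and the attribute list is shortened for readability; in production use the full property list from Step 1.

```powershell
# Added example: export -> validate (Step 2 checks) -> upload, one file per domain.
# Assumptions (not from the Hunters page): bucket/prefix names, domain list, and that
# AWS.Tools.S3 is installed with credentials limited to s3:PutObject on the prefix.
Import-Module ActiveDirectory
Import-Module AWS.Tools.S3

$Bucket   = 'my-hunters-bucket'                        # assumption
$Prefix   = 'active_directory_users'                   # folder created in Step 2, item 1
$Domains  = @('corp.example.com', 'dev.example.com')   # assumption: one export per domain
$Snapshot = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmss')   # %Y%m%dT%H%M%S in UTC
$Work     = Join-Path $env:TEMP 'ad_users_export'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# Same conversion as Step 1: UTC %Y-%m-%dT%H:%M:%S, empty stays empty.
function ConvertTo-UtcString ($dt) {
    if ($dt) { $dt.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss') }
}

# Returns the names of time columns containing a value that is neither empty nor %Y-%m-%dT%H:%M:%S.
function Test-TimeColumns ([string]$Path, [string[]]$Columns) {
    $rows = Import-Csv -Path $Path
    $bad  = @()
    foreach ($c in $Columns) {
        if ($rows | Where-Object { $_.$c -and $_.$c -notmatch '^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}$' }) { $bad += $c }
    }
    return $bad
}

$timeColumns = 'Created', 'Modified', 'PasswordLastSet', 'LastLogonDate', 'whenCreated', 'whenChanged'

foreach ($domain in $Domains) {
    # File name starts with the snapshot time, as required in Step 2, item 4.
    $file = Join-Path $Work ("{0}_{1}_ad_users.csv" -f $Snapshot, ($domain -replace '\.', '_'))

    # Shortened attribute list; use the full Step 1 command in production.
    Get-ADUser -Server $domain -Filter * -Properties Created, Modified, PasswordLastSet, LastLogonDate, whenCreated, whenChanged, MemberOf, EmailAddress, Enabled |
        Select-Object SamAccountName, DistinguishedName, EmailAddress, Enabled, MemberOf,
            @{Name='Created';         Expression={ ConvertTo-UtcString $_.Created }},
            @{Name='Modified';        Expression={ ConvertTo-UtcString $_.Modified }},
            @{Name='PasswordLastSet'; Expression={ ConvertTo-UtcString $_.PasswordLastSet }},
            @{Name='LastLogonDate';   Expression={ ConvertTo-UtcString $_.LastLogonDate }},
            @{Name='whenCreated';     Expression={ ConvertTo-UtcString $_.whenCreated }},
            @{Name='whenChanged';     Expression={ ConvertTo-UtcString $_.whenChanged }} |
        Export-Csv -Path $file -Encoding UTF8

    # Step 2 checks before anything leaves the host: file name prefix and time-field format.
    if ((Split-Path $file -Leaf) -notmatch '^\d{8}T\d{6}_') { throw "bad snapshot prefix: $file" }
    $bad = Test-TimeColumns -Path $file -Columns $timeColumns
    if ($bad) { throw "ill-formatted time columns in ${file}: $($bad -join ', ')" }

    # Upload unmodified to the dedicated prefix (Step 2, item 2); the object key keeps the file name.
    Write-S3Object -BucketName $Bucket -Key "$Prefix/$(Split-Path $file -Leaf)" -File $file
    Remove-Item $file   # the export holds personal data; do not leave copies on the host
}
```

Register the script as a daily scheduled task running under a group managed service account (gMSA) that has only read access to the directory; the S3 credentials it uses need nothing beyond PutObject on the active_directory_users prefix, so a compromised export host cannot read or alter other data in the shared bucket.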

STEP 3: Send data to Hunters

Once the export is completed and the files have been uploaded to S3, follow the steps in this section.

Expected format

The file must be in .csv format. Example:

#TYPE Selected.Microsoft.ActiveDirectory.Management.ADUser
"AccountNotDelegated","accountExpires","AllowReversiblePasswordEncryption","AuthenticationPolicy","AuthenticationPolicySilo","BadLogonCount","CannotChangePassword","CanonicalName","Certificates","City","CN","codePage","Company","CompoundIdentitySupported","Country","countryCode","Deleted","Department","Description","DisplayName","DistinguishedName","Division","DoesNotRequirePreAuth","dSCorePropagationData","EmailAddress","EmployeeID","EmployeeNumber","Enabled","Fax","garbageCollPeriod","GivenName","HomeDirectory","HomedirRequired","HomeDrive","HomePage","HomePhone","Initials","instanceType","internetEncoding","isDeleted","KerberosEncryptionType","LastKnownParent","LockedOut","LogonWorkstations","Manager","MemberOf","MNSLogonAccount","MobilePhone","msDS-User-Account-Control-Computed","msExchAddressBookFlags","msExchBypassAudit","msExchGroupSecurityFlags","msExchMailboxAuditEnable","msExchMailboxAuditLogAgeLimit","msExchMailboxFolderSet","msExchMDBRulesQuota","msExchModerationFlags","msExchProvisioningFlags","msExchRecipientDisplayType","msExchRecipientSoftDeletedStatus","msExchRecipientTypeDetails","msExchTransportRecipientSettingsFlags","msExchUMEnabledFlags2","msExchUserAccountControl","msExchUserBL","msExchVersion","Name","nTSecurityDescriptor","ObjectCategory","ObjectClass","ObjectGUID","objectSid","Office","OfficePhone","Organization","OtherName","PasswordExpired","pwdLastSet","PasswordNeverExpires","PasswordNotRequired","POBox","PostalCode","PrimaryGroup","primaryGroupID","PrincipalsAllowedToDelegateToAccount","ProfilePath","ProtectedFromAccidentalDeletion","SamAccountName","sAMAccountType","ScriptPath","sDRightsEffective","ServicePrincipalNames","SID","SIDHistory","SmartcardLogonRequired","State","StreetAddress","Surname","Title","TrustedForDelegation","TrustedToAuthForDelegation","UseDESKeyOnly","userAccountControl","userCertificate","UserPrincipalName","uSNChanged","uSNCreated","AccountExpirationDate","AccountLockoutTime","Created","createTimeStamp","LastBadPasswordAttempt","LastLogonDate","Modified","modifyTimeStamp","PasswordLastSet","whenChanged","whenCreated"
"False","String","False","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,"False","String","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,"Exchange Online-ApplicationAccount","String",,"Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,"String",,,,,"CN=Exchange Online-ApplicationAccount,CN=Users,DC=String,DC=com",,"False","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,,,"False",,"String",,,"False",,,,,"String","String",,"Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,"False",,,"Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","False",,"String","String","False","String","False","String","String","String","String","String","String","String","String","String","String","String","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","String","Exchange Online-ApplicationAccount","System.DirectoryServices.ActiveDirectorySecurity","CN=Person,CN=Schema,CN=Configuration,DC=String,DC=com","user","String","String",,,,,"True","0","False","True",,,"CN=Domain Users,CN=Users,DC=String,DC=com","101","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection",,"False","String","String",,"0","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","String","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","False",,,,,"False","False","False","101","Microsoft.ActiveDirectory.Management.ADPropertyValueCollection","String","String","String",,,"2019-06-20T13:35:52","2019-06-20T13:35:52",,,"2020-12-01T16:43:50","2020-12-01T16:43:50",,"2020-12-01T16:43:50","2019-06-20T13:35:52"