Splunk Lantern

Changes to Active Directory custom domains

Your company uses SolarWinds Orion business software, which suffered the Sunburst backdoor attack. You want to identify any lateral movement associated with the attack by hunting for changes to the custom domains of your Azure Active Directory tenant, using the Azure AD audit log.

A domain name is an important part of the identifier for many Active Directory resources. It is generally customized so that email addresses and application URIs include the name of the organization. Domain changes are therefore rare, privileged operations: a domain that is newly added, or switched from managed to federated authentication, lets whoever controls the federated identity provider issue tokens for users of that domain, so such changes made by an unexpected account or at an unexpected time deserve immediate follow-up.

Procedure

  1. Ensure you have installed the Microsoft Azure Add-on for Splunk.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="azure:aad:audit" (activityDisplayName="Add unverified domain" OR activityDisplayName=*domain*)
| stats values(activityDisplayName) AS Action,
        values(initiatedBy.user.userPrincipalName) AS UPN,
        values(targetResources{}.displayName) AS Target,
        values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources",
        values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values",
        values(targetResources{}.modifiedProperties{}.newValue) AS "New Values"
  by correlationId
| fields - correlationId
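To show what this search actually produces, here is an offline model of the same logic in Python, run over a handful of constructed Azure AD audit events in the Microsoft Graph directoryAudit shape that the azure:aad:audit sourcetype carries. This is an added example, not code from the original page or from Splunk: the sample events, the domain and account names in them, and the is_high_interest triage rule are this example's own assumptions. It reproduces the filter, the values() aggregation (distinct values, sorted lexicographically, nulls dropped), the grouping by correlationId, and the JSON-encoded form of oldValue/newValue that the audit log uses.

```python
"""Offline model of the Splunk search above, run over constructed Azure AD
audit events. Added example; it is not code from the original page."""
import fnmatch
import json
from collections import defaultdict

# Constructed sample events (not real logs). Field names follow the Azure AD
# audit log (Microsoft Graph directoryAudit) schema that azure:aad:audit carries.
SAMPLE_EVENTS = [
    {   # the event of primary interest
        "activityDisplayName": "Add unverified domain",
        "correlationId": "11111111-aaaa-4bbb-8ccc-000000000001",
        "initiatedBy": {"user": {"userPrincipalName": "admin@corp.example"}, "app": None},
        "targetResources": [{"displayName": "login.attacker.example", "type": "Domain",
                             "modifiedProperties": []}],
    },
    {   # two events sharing one correlationId, to show how values() merges them
        "activityDisplayName": "Set domain authentication",
        "correlationId": "11111111-aaaa-4bbb-8ccc-000000000002",
        "initiatedBy": {"user": {"userPrincipalName": "admin@corp.example"}, "app": None},
        "targetResources": [{"displayName": "login.attacker.example", "type": "Domain",
                             "modifiedProperties": [
                                 {"displayName": "Authentication",
                                  "oldValue": "\"Managed\"", "newValue": "\"Federated\""}]}],
    },
    {
        "activityDisplayName": "Set federation settings on domain",
        "correlationId": "11111111-aaaa-4bbb-8ccc-000000000002",
        "initiatedBy": {"user": {"userPrincipalName": "admin@corp.example"}, "app": None},
        "targetResources": [{"displayName": "login.attacker.example", "type": "Domain",
                             "modifiedProperties": [
                                 {"displayName": "IssuerUri", "oldValue": None,
                                  "newValue": "\"http://sts.attacker.example/adfs/services/trust\""}]}],
    },
    {   # unrelated activity: must be filtered out
        "activityDisplayName": "Update user",
        "correlationId": "11111111-aaaa-4bbb-8ccc-000000000003",
        "initiatedBy": {"user": {"userPrincipalName": "helpdesk@corp.example"}, "app": None},
        "targetResources": [{"displayName": "Jane Doe", "type": "User",
                             "modifiedProperties": [
                                 {"displayName": "Department",
                                  "oldValue": "\"Sales\"", "newValue": "\"IT\""}]}],
    },
]

COLUMNS = ("Action", "UPN", "Target", "Modified Resources", "Old Values", "New Values")


def matches_search(event):
    """Equivalent of activityDisplayName="Add unverified domain" OR
    activityDisplayName=*domain*. Splunk value matching is case-insensitive and
    the wildcard already covers the literal, so one pattern is enough."""
    name = str(event.get("activityDisplayName") or "")
    return fnmatch.fnmatchcase(name.lower(), "*domain*")


def splunk_values(items):
    """Splunk values(): distinct non-null values, sorted lexicographically."""
    return sorted({str(v) for v in items if v is not None})


def summarize(events):
    """stats values(...) AS ... by correlationId | fields - correlationId."""
    groups = defaultdict(lambda: {col: [] for col in COLUMNS})
    for ev in events:
        if not matches_search(ev):
            continue
        cid = ev.get("correlationId")
        if cid is None:
            continue  # stats ... by correlationId drops events lacking the by-field
        g = groups[cid]
        g["Action"].append(ev.get("activityDisplayName"))
        # App-initiated actions carry initiatedBy.app and a null user, so UPN stays empty.
        user = (ev.get("initiatedBy") or {}).get("user") or {}
        g["UPN"].append(user.get("userPrincipalName"))
        for tr in ev.get("targetResources") or []:
            g["Target"].append(tr.get("displayName"))
            for mp in tr.get("modifiedProperties") or []:
                g["Modified Resources"].append(mp.get("displayName"))
                g["Old Values"].append(mp.get("oldValue"))
                g["New Values"].append(mp.get("newValue"))
    # One row per correlationId; the id itself is dropped, as `fields - correlationId` does.
    return [{col: splunk_values(vals) for col, vals in g.items()} for g in groups.values()]


def decode_value(raw):
    """modifiedProperties old/new values are JSON-encoded strings (e.g. '"Federated"')."""
    try:
        return json.loads(raw)
    except (TypeError, ValueError):
        return raw


def is_high_interest(row):
    """Triage rule (this example's own, not from the page): a new domain, or a
    domain switched to federated authentication, warrants immediate follow-up."""
    if "Add unverified domain" in row["Action"]:
        return True
    return any(decode_value(v) == "Federated" for v in row["New Values"])


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print("!!" if is_high_interest(row) else "  ", row)
```

Two things the model makes visible that the search results do not say out loud: because values() sorts and de-duplicates, the "Old Values" and "New Values" columns of one row are not paired positionally, so read them together with "Modified Resources" rather than as before/after pairs; and an event without a correlationId never reaches the results, so if you need every domain event, run the search without the stats command as well.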

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

sourcetype="azure:aad:audit"

Search only Azure Active Directory audit data (the Azure AD audit log as ingested by the Microsoft Azure Add-on for Splunk).

activityDisplayName="Add unverified domain" OR activityDisplayName=*domain*

Search for domain-related actions. Splunk evaluates OR before the implicit AND with the sourcetype term, so this keeps only audit events whose activityDisplayName contains "domain"; the match is case-insensitive. The wildcard already matches "Add unverified domain", so the first clause is redundant but documents the event of primary interest. The wildcard also picks up related activities such as "Verify domain", "Set domain authentication", and "Set federation settings on domain", which is where a newly added domain is switched to an attacker-controlled identity provider.

| stats values(activityDisplayName) AS Action, values(initiatedBy.user.userPrincipalName) AS UPN, values(targetResources{}.displayName) AS Target, values(targetResources{}.modifiedProperties{}.displayName) AS "Modified Resources", values(targetResources{}.modifiedProperties{}.oldValue) AS "Old Values", values(targetResources{}.modifiedProperties{}.newValue) AS "New Values" by correlationId

Group the events by correlationId and, for each group, collect the distinct values of the action, the initiating user, the target domain, and the names, old values and new values of the modified properties. values() returns distinct values sorted lexicographically, so the old and new values in one row are not paired positionally; read them together with the "Modified Resources" column. Events with no correlationId are dropped by the by clause. Actions initiated by an application or service principal populate initiatedBy.app rather than initiatedBy.user, so UPN is empty for those rows.

| fields - correlationId

Remove the correlationId field from the results.

Next steps

The Microsoft Azure Add-on for Splunk has additional searches and pre-built security content for Azure data that can help you interpret these results and take additional steps to resolve security concerns related to changes to your Active Directory custom domains. 

You might also be interested in other processes associated with the Detecting lateral movement with Active Directory data use case.