HADES: Detecting Active Directory Attacks via Whole Network Provenance Analytics

Qi Liu, Kaibin Bao, Wajih Ul Hassan, Veit Hagenmeyer

TL;DR

HADES tackles the challenge of detecting AD-driven attacks that move laterally across an enterprise by combining a lightweight authentication anomaly detector with a novel logon session–based execution partitioning that enables precise cross-machine provenance tracing. The system operates in two stages: first flagging authentication anomalies, then constructing whole-network attack graphs through fine-grained, session-level tracing and triaging alerts with a threat-score mechanism that weights credential access, discovery, and privilege escalation. Evaluations on MITRE-emulation datasets and real emulation plans show that HADES outperforms open-source SIEM rules and a commercial detector, significantly reducing false positives while providing contextual, explainable attack graphs and rapid response times for SOC workflows. The approach offers practical impact by enabling on-demand, scalable AD attack detection with transferable parameters suitable for diverse enterprise deployments.

Abstract

Due to its crucial role in identity and access management in modern enterprise networks, Active Directory (AD) is a top target of Advanced Persistent Threat (APT) actors. Conventional intrusion detection systems (IDS) excel at identifying malicious behaviors caused by malware, but often fail to detect stealthy attacks launched by APT actors. Recent advances in provenance-based IDS (PIDS) show promise by exposing malicious system activities in causal attack graphs. However, existing approaches are restricted to intra-machine tracing and are unable to reveal the scope of an attacker's traversal inside a network. We propose HADES, the first PIDS capable of performing accurate causality-based cross-machine tracing, by leveraging a novel concept called logon session-based execution partitioning to overcome several challenges in cross-machine tracing. We design HADES as an efficient on-demand tracing system, which performs whole-network tracing only when it first identifies an authentication anomaly signifying an ongoing AD attack; for this we introduce a novel lightweight authentication anomaly detection model rooted in our extensive analysis of AD attacks. To triage attack alerts, we present a new algorithm integrating two key insights we identified in AD attacks. Our evaluations show that HADES outperforms both popular open source detection systems and a prominent commercial AD attack detector.
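To make the abstract's central idea concrete, the following is an added Python illustration of logon session-based execution partitioning with cross-machine tracing. It is not the HADES authors' code (the paper's implementation is not on this page): each host's process events are grouped by the logon session they ran in, a network logon on the accessed host is linked back to the session on the accessing host that initiated it, and the resulting whole-network graph is scored by a weighted count of tagged behaviours. The scenario mirrors the hosts and users of the Figure 3 caption below, but the logon IDs, process names, behaviour tags, the pre-correlated `src_host`/`src_logon_id` fields and the weights in `WEIGHTS` are all constructed assumptions; how HADES itself correlates a remote logon with its originating session, detects the initial authentication anomaly, or computes its threat score is not described here.

```python
"""Added illustration of logon session-based execution partitioning with
cross-machine tracing. Not the HADES authors' code; every record below is
constructed for the demo (hosts, users, logon IDs, process names, tags,
weights)."""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Session = Tuple[str, str]  # (host, logon_id): the unit execution is partitioned by

# Constructed logon records, loosely modelled on Windows 4624 fields.
# logon_type 2 = interactive, 3 = network. For a network logon we ASSUME the
# originating session on the accessing host has already been correlated
# (src_host / src_logon_id); the page does not say how HADES does this.
LOGONS = [
    {"host": "Workstation_1", "logon_id": "0x1a", "user": "alice", "logon_type": 2, "src_host": None, "src_logon_id": None},
    {"host": "Exchange_Server", "logon_id": "0x2b", "user": "alice", "logon_type": 3, "src_host": "Workstation_1", "src_logon_id": "0x1a"},
    {"host": "Exchange_Server", "logon_id": "0x2c", "user": "svc_backup", "logon_type": 2, "src_host": None, "src_logon_id": None},
    {"host": "Data_Server", "logon_id": "0x3d", "user": "bob", "logon_type": 3, "src_host": "Exchange_Server", "src_logon_id": "0x2b"},
]

# Constructed process events; 'tag' is a behaviour label an upstream rule
# would attach (credential_access / discovery / privilege_escalation / None).
PROCESSES = [
    {"host": "Workstation_1", "logon_id": "0x1a", "image": "SystemFailureReporter.exe", "tag": None},
    {"host": "Workstation_1", "logon_id": "0x1a", "image": "net.exe", "tag": "discovery"},
    {"host": "Workstation_1", "logon_id": "0x1a", "image": "netstat.exe", "tag": "discovery"},
    {"host": "Exchange_Server", "logon_id": "0x2b", "image": "net.exe", "tag": "discovery"},
    {"host": "Exchange_Server", "logon_id": "0x2b", "image": "credtool.exe", "tag": "credential_access"},
    {"host": "Exchange_Server", "logon_id": "0x2c", "image": "backup.exe", "tag": None},  # unrelated session
    {"host": "Data_Server", "logon_id": "0x3d", "image": "robocopy.exe", "tag": None},
]

# Assumed weights: credential access counts most, then privilege escalation, then discovery.
WEIGHTS = {"credential_access": 3.0, "privilege_escalation": 2.0, "discovery": 1.0}


def partition_by_session(processes: List[dict]) -> Dict[Session, List[dict]]:
    """Group process events by the logon session they executed in."""
    parts: Dict[Session, List[dict]] = defaultdict(list)
    for p in processes:
        parts[(p["host"], p["logon_id"])].append(p)
    return parts


def logon_index(logons: List[dict]):
    """Map each session to its logon record, and each session to the remote
    sessions it initiated (parent -> children); these are the cross-machine edges."""
    by_session = {(l["host"], l["logon_id"]): l for l in logons}
    children: Dict[Session, List[Session]] = defaultdict(list)
    for l in logons:
        if l["src_host"] is not None:
            children[(l["src_host"], l["src_logon_id"])].append((l["host"], l["logon_id"]))
    return by_session, children


def build_attack_graph(anomaly: Session, logons=LOGONS, processes=PROCESSES) -> dict:
    """From a session flagged as anomalous, trace backward to the originating
    session, then forward across every remote logon it caused. Only sessions on
    that causal chain are included, so unrelated activity on the same hosts
    (e.g. svc_backup's session) stays out of the graph."""
    by_session, children = logon_index(logons)
    parts = partition_by_session(processes)

    # Backward: follow src links until a session with no remote origin.
    root, seen = anomaly, {anomaly}
    while True:
        rec = by_session.get(root)
        if rec is None or rec["src_host"] is None:
            break
        parent = (rec["src_host"], rec["src_logon_id"])
        if parent in seen:  # guard against malformed cyclic records
            break
        seen.add(parent)
        root = parent

    # Forward: depth-first over the sessions the root (transitively) initiated.
    sessions: List[Session] = []
    edges: List[Tuple[Session, Session]] = []
    stack = [root]
    while stack:
        s = stack.pop()
        if s in sessions:
            continue
        sessions.append(s)
        for child in children.get(s, []):
            edges.append((s, child))
            stack.append(child)

    return {
        "root": root,
        "sessions": sessions,
        "edges": edges,
        "processes": {s: parts.get(s, []) for s in sessions},
    }


def threat_score(graph: dict, weights=WEIGHTS) -> Tuple[float, Dict[str, int]]:
    """Weighted count of tagged behaviours across the whole graph."""
    counts = Counter(p["tag"] for procs in graph["processes"].values()
                     for p in procs if p["tag"])
    score = sum(weights.get(tag, 0.0) * n for tag, n in counts.items())
    return score, dict(counts)


if __name__ == "__main__":
    g = build_attack_graph(("Data_Server", "0x3d"))  # the flagged logon on the accessed host
    for parent, child in g["edges"]:
        print(f"{parent[0]}[{parent[1]}] -> {child[0]}[{child[1]}]")
    for s, procs in g["processes"].items():
        print(s, [p["image"] for p in procs])
    print("threat score:", threat_score(g))
```

The point of partitioning by session rather than by host is visible in the output: the backup job running under `svc_backup` on the same Exchange host never enters the graph, while the three sessions on the causal chain do, whichever of them the anomaly detector happened to flag first.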

Paper Structure

This paper contains 25 sections, 2 equations, 8 figures, 2 tables and 1 algorithm.

Figures (8)

  • Figure 1: Active directory attack overview.
  • Figure 2: HADES overview.
  • Figure 3: An AD attack graph created by HADES on the Oilrig oilrigEP dataset. HADES first creates an initial high-level attack graph involving AD entities like users and hosts after it detects an authentication & logon anomaly and suspects a Pass-the-Hash attack. Then it performs system-level forward tracing inside the specific logon session under user Bob on the accessed host Data Server, and system-level forward & backward tracing inside the logon session of Alice on the accessing host Exchange Server. Subsequently, it traces back to a logon session of Alice on Workstation_1. Next, it traces forward & backward inside this logon session, leading to another two logon sessions on the Exchange Server. This graph reveals that an attacker leveraged a C2 (Command & Control) agent disguised under the process name SystemFailureReporter on Workstation_1 to perform AD discovery via LOLBins like net and netstat. The attacker then pivoted to the Exchange Server, performed further AD discovery, and conducted credential access, before moving to the Data Server to access critical data.
  • Figure 4: Standard AD authentication process.
  • Figure 5: Authentication incompleteness/abnormality.
  • ...and 3 more figures