Analysing Active Directory event logs to identify compromised accounts

During the investigation of a security incident, event log analysis is a key element. If the affected network is managed by Active Directory, identifying compromised accounts is a critical step. Because detailed analysis is quite difficult to conduct in the AD event viewer, it is rather common for such investigations to export the logs to text format…
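As an added example (not code from the linked article), the following script shows the kind of analysis that becomes easy once the Security log has been exported to text: it replays a constructed CSV export and flags accounts whose successful logon (Event ID 4624) was preceded by a run of failed logons (Event ID 4625) from the same source address. The column layout of the export, the sample rows and the threshold are assumptions for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of the Security log. Event ID 4625 is a failed
# logon and 4624 a successful one; the column layout is an assumption for
# this example, not a fixed Windows export format.
SAMPLE_EXPORT = """\
time,event_id,account,source_ip,logon_type
2024-01-10T08:01:12,4624,alice,10.0.0.5,2
2024-01-10T22:14:03,4625,bob,203.0.113.7,3
2024-01-10T22:14:05,4625,bob,203.0.113.7,3
2024-01-10T22:14:07,4625,bob,203.0.113.7,3
2024-01-10T22:14:09,4625,bob,203.0.113.7,3
2024-01-10T22:14:10,4625,bob,203.0.113.7,3
2024-01-10T22:14:12,4624,bob,203.0.113.7,3
2024-01-10T09:30:00,4624,carol,10.0.0.9,2
2024-01-10T09:31:00,4625,carol,10.0.0.9,2
"""

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"

def parse_export(text):
    """Parse the text export into one dict per event, ordered by timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    return sorted(rows, key=lambda r: r["time"])

def suspicious_accounts(events, threshold=5):
    """Return accounts whose successful logon followed at least `threshold`
    consecutive failures from the same source IP (guessing that then worked)."""
    failures = defaultdict(int)  # (account, source_ip) -> current failure streak
    flagged = {}
    for ev in events:
        key = (ev["account"], ev["source_ip"])
        if ev["event_id"] == FAILED_LOGON:
            failures[key] += 1
        elif ev["event_id"] == SUCCESS_LOGON:
            if failures[key] >= threshold:
                flagged[ev["account"]] = {"failures": failures[key],
                                          "source_ip": ev["source_ip"],
                                          "time": ev["time"]}
            failures[key] = 0  # a success ends the streak either way
    return flagged

if __name__ == "__main__":
    for acct, info in suspicious_accounts(parse_export(SAMPLE_EXPORT)).items():
        print(f"{acct}: {info['failures']} failures from {info['source_ip']}, "
              f"then success at {info['time']}")
```

On a real export, point `parse_export` at the file contents and adjust the column names to match the export tool used; a second success after the streak (e.g. an interactive logon from a new host) is a natural next check.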

Article Link: https://www.andreafortuna.org/dfir/analysing-active-directory-event-logs-to-identify-compromised-accounts/