Would you want to know if users are signing in to your Active Directory out of normal office hours?
Holidays, weekends, and evenings are ideal for cybercriminals because they believe no one is looking. If an attacker wants to modify Active Directory access policies, security groups, or user accounts without being detected, these are the times they will choose.
Now here’s the good news: you can catch them in the act. When you have the proper tools, audit policies, and event logs in place, you can flag questionable Active Directory activity even when the lights in your office are off.
Why Do Out of Hours Active Directory Changes Matter?
Not every attack occurs during the working day. Cybercriminals frequently prefer the quiet of the night or the weekend, when they anticipate little supervision. This is why any effective cybersecurity strategy must include monitoring Active Directory (AD) changes during off-peak hours.
The security team may not be active during off-hours, leading to delayed responses to automated alarms. As a result, alerts may sit unattended for hours, potentially escalating threats. According to Lepide’s State of Active Directory Security report, a staggering 33% of cybersecurity incidents were caused by insiders accessing systems outside of business hours while 25% of organizations detect suspicious activity outside of typical business windows.
How to Monitor User Activity in Active Directory Outside of Business Hours
The following steps outline how to monitor Active Directory user activity after normal business hours:
- Define the “Off-Hours” for Your Organization: Usually, it’s evenings, weekends, and holidays, when not many IT people are working. A lot of places might consider 7 PM to 7 AM on weekdays and all day Saturday and Sunday as off-hours. If your company has different shifts or works in different time zones, adjust accordingly. When you know exactly what off-hours are, it’s easier to set up alerts, avoid getting bothered by routine after-hours tasks, and sort through event logs.
- Enable Active Directory Auditing: You can’t really keep an eye on things if you’re not logging them. This makes sure that the activities like new accounts, password changes, or group changes get recorded in the Security event logs on your domain controllers. This gives you the info you need to check for anything strange.
  - To get started, set up your audit policies in Group Policy. Go to Advanced Audit Policy Configuration under Computer Configuration > Policies > Windows Settings > Security Settings.
  - Be sure to turn on these options: Audit Account Management, Audit Directory Service Changes, and Audit Logon Events.
- Track and Filter Key Event IDs: After turning on Active Directory auditing, you’ll get event logs showing changes to Active Directory. But not all events matter as much. Focus on key Event IDs: 4723 and 4724 for password changes, 4720 for new user accounts, 4625 for failed logins, 4740 for account lockouts, 4738 for user modifications, 4732 and 4733 for group membership changes, and 5136 for directory object changes. Monitoring these helps detect potential threats. Use a SIEM system, Windows Event Viewer, or PowerShell scripts to filter these logs by time, user, and action type so you can sort and examine them. This makes it easier to isolate events that take place during the critical off-peak window, and keeping an eye on these event IDs gives you valuable insight into user behaviour.
- Use Scripts or SIEM Rules to Detect Off-Hours Activity: Set up automation to identify when these key events occur outside normal work hours. One easy way is to write PowerShell scripts that search the Security event log and filter the results; for example, check for events on weekends, after 7 PM, or before 7 AM. Alternatively, use SIEM rules to identify off-hours activity by watching for unusual login times, odd access points, and odd file or system activity. By doing this, you make sure that you don’t miss unexpected changes and can act fast, even if no one is watching the logs live.
- Automate Detection and Alerts: While built-in tools can provide basic auditing, third-party AD auditing tools offer more comprehensive and customizable monitoring capabilities. They send alerts right away, so you can respond to AD changes made outside working hours without checking logs all the time. They also have pre-defined templates and filters that spot common attack patterns, such as an account being active when it shouldn’t be. For example, you can set these tools up to warn your security team if group membership changes more than three times during a weekend. The system can also automatically trigger incident response procedures, such as notifying the security team or blocking suspicious user accounts. All this automation cuts down the time it takes to spot and deal with problems.
- Review and Fine-Tune Regularly: Watching for AD changes isn’t easy. You should check and tweak your alerting plan regularly. First, look at the logs and alerts you’ve collected. Are there a lot of false alarms? Are normal admin tasks being flagged for no reason? Talk to your IT and security team to figure out which alerts matter and which thresholds might need adjusting. If your workplace changes because of hybrid work, new tools, or different hours, update your off-hours settings and change your policies. A well-kept monitoring system gets more reliable and useful as time goes on.
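The filtering described in the steps above (key Event IDs, weekend and 7 PM to 7 AM window), as an added PowerShell example that is not part of the original post. The hour boundaries, the sample events and the function names are assumptions; times are the domain controller’s local time, so adjust the window to your own off-hours definition.

```powershell
# Added example: flag the post's key AD audit Event IDs when they occur off-hours
# (before 7 AM or after 7 PM on weekdays, any time on Saturday or Sunday).
$KeyEventIds = 4720, 4723, 4724, 4625, 4738, 4740, 4732, 4733, 5136

function Test-OffHours {
    param([datetime]$Time, [int]$StartHour = 7, [int]$EndHour = 19)
    # Weekends count as off-hours regardless of the time of day.
    if ($Time.DayOfWeek -in 'Saturday', 'Sunday') { return $true }
    # Weekdays: off-hours is before StartHour or at/after EndHour (local time).
    return ($Time.Hour -lt $StartHour -or $Time.Hour -ge $EndHour)
}

function Get-OffHoursAdEvents {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # objects exposing TimeCreated, Id, Message
        [int]$StartHour = 7,
        [int]$EndHour = 19
    )
    $Events |
        Where-Object { $_.Id -in $KeyEventIds } |
        Where-Object { Test-OffHours -Time $_.TimeCreated -StartHour $StartHour -EndHour $EndHour } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Live query (run on a domain controller once the audit policy is enabled):
# $since = (Get-Date).AddDays(-3)
# $live  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $KeyEventIds; StartTime = $since }
# Get-OffHoursAdEvents -Events $live | Format-Table -AutoSize

# Constructed sample events (assumed, not real log data) so the filter can be exercised offline.
# 2024-06-11 is a Tuesday; 2024-06-15 is a Saturday.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date '2024-06-11 14:30'; Id = 4720; Message = 'A user account was created.' }                       # business hours: ignored
    [pscustomobject]@{ TimeCreated = Get-Date '2024-06-11 22:15'; Id = 4732; Message = 'A member was added to a security-enabled local group.' } # weeknight: flagged
    [pscustomobject]@{ TimeCreated = Get-Date '2024-06-15 10:05'; Id = 4724; Message = "An attempt was made to reset an account's password." }   # Saturday: flagged
    [pscustomobject]@{ TimeCreated = Get-Date '2024-06-15 10:06'; Id = 4624; Message = 'An account was successfully logged on.' }               # not a key ID: ignored
)
Get-OffHoursAdEvents -Events $sample | Format-Table -AutoSize
```

Only the 4732 and 4724 rows are returned from the sample set; the same function can be scheduled against the live query and its output forwarded to your SIEM or alerting channel.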
Conclusion
Active Directory is an ideal target for attackers. It is where privileges are granted or refused, access is granted or revoked, and user identities are managed. Because of this pivotal position, threat actors treat it as a highly valuable asset. Lepide’s State of Active Directory Security research reveals that around 25% of companies report seeing unusual behavior after hours, which is frequently connected to insider threats or compromised credentials.
Changes in Active Directory that seem suspicious during off-peak hours may be the initial indication of a more serious security issue. You can recognize and prevent attacks before they become more serious by keeping an eye out for these changes, especially on the weekends and at night. Developing a plan to track Active Directory changes outside of regular business hours greatly improves your chances of identifying malicious activity before it has a chance to do actual harm. Regardless of whether you begin with PowerShell or event logs, it is better to act now than to respond later.
Start now: Define your off-hours, enable auditing, and take back control of your Active Directory even when no one’s watching.
How Lepide Helps
Lepide Active Directory Auditor’s purpose is to identify and notify users of suspicious activity, particularly that which takes place outside of regular business hours. It continuously monitors user behavior, changes to group membership, adjustments to permissions, and the creation of new accounts. More significant is the context it provides: who made the change, from where, and when.
According to the State of Active Directory Security study, visibility gaps are a key tool used by attackers. They use late-night logins, unused accounts, and disproportionate rights to avoid detection. However, you may reverse the trend if you have the appropriate monitoring plan and the appropriate resources.
Want to Shield Your AD During Off‑Hours? Schedule a demo with our engineers or download a free trial to monitor suspicious off-hours AD changes before they escalate.