{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,25]],"date-time":"2026-02-25T18:00:10Z","timestamp":1772042410941,"version":"3.50.1"},"reference-count":81,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"1","license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"DOI":"10.13039\/501100009318","name":"Helmholtz Association","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100009318","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Energy System Design (ESD) Program"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Dependable and Secure Comput."],"published-print":{"date-parts":[[2026,1]]},"DOI":"10.1109\/tdsc.2025.3611866","type":"journal-article","created":{"date-parts":[[2025,9,22]],"date-time":"2025-09-22T17:47:10Z","timestamp":1758563230000},"page":"936-953","source":"Crossref","is-referenced-by-count":1,"title":["HADES: Detecting and Investigating Active Directory Attacks via Whole Network Provenance Analytics"],"prefix":"10.1109","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-9334-953X","authenticated-orcid":false,"given":"Qi","family":"Liu","sequence":"first","affiliation":[{"name":"Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology (KIT), Eggenstein-Leopoldshafen, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8231-4331","authenticated-orcid":false,"given":"Kaibin","family":"Bao","sequence":"additional","affiliation":[{"name":"Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology (KIT), Eggenstein-Leopoldshafen, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Wajih Ul","family":"Hassan","sequence":"additional","affiliation":[{"name":"School of Engineering &#x0026; Applied Science, University of Virginia, Charlottesville, VA, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3572-9083","authenticated-orcid":false,"given":"Veit","family":"Hagenmeyer","sequence":"additional","affiliation":[{"name":"Institute for Automation and Applied Informatics, Karlsruhe Institute of Technology (KIT), Eggenstein-Leopoldshafen, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","article-title":"CrowdStrike 2023 global threat report","year":"2023"},{"key":"ref2","article-title":"CrowdStrike 2023 threat hunting report","year":"2023"},{"key":"ref3","article-title":"Attackers set sights on active directory: Understanding your identity exposure","author":"Shastri","year":"2023"},{"key":"ref4","article-title":"Endpoint and identity security: A critical combination to stop modern attacks","author":"Shastri","year":"2023"},{"key":"ref5","article-title":"MITRE T1558.003","year":"2023"},{"key":"ref6","article-title":"MITRE T1550.002","year":"2023"},{"key":"ref7","article-title":"Active directory holds the keys to your kingdom, but is it secure?","author":"Krishnamoorthi","year":"2020"},{"key":"ref8","article-title":"Nmap","year":"2024"},{"key":"ref9","article-title":"Setspn","year":"2024"},{"key":"ref10","article-title":"8 LOLBins every threat hunter should know","year":"2023"},{"key":"ref11","article-title":"Trellix threat report 2023","year":"2023"},{"key":"ref12","article-title":"MITRE matrix","year":"2023"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2016.23350"},{"key":"ref14","first-page":"487","article-title":"SLEUTH: Real-time attack scenario reconstruction from COTS audit data","volume-title":"Proc. USENIX Secur. Symp.","author":"Hossain","year":"2017"},{"key":"ref15","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23141"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00026"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2019.23349"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00096"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00064"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00005"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/SP54263.2024.00139"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833669"},{"key":"ref23","first-page":"4355","article-title":"PROGRAPHER: An anomaly detection system based on provenance graph embedding","volume-title":"Proc. USENIX Secur. Symp.","author":"Yang","year":"2023"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1145\/3576915.3616580"},{"key":"ref25","first-page":"1","article-title":"High accuracy attack provenance via binary-based execution partition","volume-title":"Proc. Netw. Distrib. Syst. Secur.","author":"Lee","year":"2013"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1145\/2818000.2818039"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2021.3098977"},{"key":"ref28","first-page":"2783","article-title":"99% false positives: A qualitative study of SOC analysts\u2019 perspectives on security alarms","volume-title":"Proc. USENIX Secur. Symp.","author":"Alahmadi","year":"2022"},{"key":"ref29","article-title":"Elastic detection rules","year":"2023"},{"key":"ref30","article-title":"Sigma","year":"2023"},{"key":"ref31","article-title":"Why 86% of organizations are increasing their investment in active directory security","author":"Crockett","year":"2023"},{"key":"ref32","article-title":"nopac exploit: Latest microsoft AD flaw may lead to total domain compromise in seconds","author":"Talyanski","year":"2024"},{"key":"ref33","article-title":"A gloabl threat to enterprises: The impact of active directory attacks","year":"2024"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2020.24046"},{"key":"ref35","article-title":"Oilrig emulation plan","year":"2023"},{"key":"ref36","article-title":"Golden ticket","year":"2024"},{"key":"ref37","article-title":"4769(s, f): A kerberos service ticket was requested","author":"Pamnani","year":"2024"},{"key":"ref38","article-title":"4624(s): An account was successfully logged on","author":"Pamnani","year":"2024"},{"key":"ref39","article-title":"4768(s, f): A kerberos authentication ticket (TGT) was requested","author":"Pamnani","year":"2024"},{"key":"ref40","article-title":"MITRE ATT&CK","year":"2023"},{"key":"ref41","article-title":"Mandiant M-trends 2023","year":"2023"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179405"},{"key":"ref43","article-title":"Security auditing","year":"2023"},{"key":"ref44","article-title":"LSA logon sessions","year":"2024"},{"key":"ref45","volume-title":"Troubleshooting With the Windows Sysinternals Tools","author":"Russinovich","year":"2016"},{"key":"ref46","volume-title":"Windows Internals, Part 2","author":"Allievi","year":"2022"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1002\/9781119390909"},{"key":"ref48","volume-title":"Windows Security Internals: A Deep Dive Into Windows Authentication, Authorization, and Auditing","author":"Forshaw","year":"2024"},{"key":"ref49","article-title":"T1021.001","year":"2024"},{"key":"ref50","article-title":"Fast user switching","year":"2024"},{"key":"ref51","article-title":"User account control","year":"2024"},{"key":"ref52","article-title":"4625(f): An account failed to log on","author":"Pamnani","year":"2024"},{"key":"ref53","article-title":"System monitor","author":"Russinovich","year":"2023"},{"key":"ref54","article-title":"MITRE ATT&CK campaigns","year":"2024"},{"key":"ref55","article-title":"About logging windows","author":"Wheeler","year":"2023"},{"key":"ref56","article-title":"Elasticsearch","year":"2023"},{"key":"ref57","article-title":"EQL search","year":"2023"},{"key":"ref58","article-title":"MITRE adversary emulation library","year":"2023"},{"key":"ref59","article-title":"Lightweight shipper for windows event logs","year":"2024"},{"key":"ref60","article-title":"How to design your elasticsearch data storage architecture for scale","author":"Davis","year":"2025"},{"key":"ref61","article-title":"Resize your deployment","year":"2025"},{"key":"ref62","article-title":"Get ready for production","year":"2025"},{"key":"ref63","article-title":"DARPA transparent computing E3","author":"Keromytis","year":"2023"},{"key":"ref64","article-title":"DARPA transparent computing","author":"Torrey","year":"2023"},{"key":"ref65","article-title":"DARPA OpTC","author":"Opstal","year":"2023"},{"key":"ref66","article-title":"MITRE engenuity","year":"2023"},{"key":"ref67","article-title":"APT29 emulation plan","year":"2023"},{"key":"ref68","article-title":"WizardSpider emulation plan","year":"2023"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/BigData62323.2024.10826006"},{"key":"ref70","article-title":"AVIATOR dataset","author":"Liu","year":"2024"},{"key":"ref71","article-title":"Chronicle detection rules","year":"2023"},{"key":"ref72","first-page":"433","article-title":"A different cup of TI? The added value of commercial threat intelligence","volume-title":"Proc. USENIX Secur. Symp.","author":"Bouwman","year":"2020"},{"key":"ref73","article-title":"Magic quadrant for endpoint protection platforms","author":"Mirolyubov","year":"2023"},{"key":"ref74","article-title":"The forrester new wave: Extended detection and response (XDR) providers, Q4 2021","author":"Mellen","year":"2021"},{"key":"ref75","first-page":"1111","article-title":"MPI: Multiple perspective attack investigation with semantic aware execution partitioning","volume-title":"Proc. USENIX Secur. Symp.","author":"Ma","year":"2017"},{"key":"ref76","first-page":"3093","article-title":"Hopper: Modeling and detecting lateral movement","volume-title":"Proc. USENIX Secur. Symp.","author":"Ho","year":"2021"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.5220\/0010202803760383"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1109\/AINS.2018.8631486"},{"key":"ref79","article-title":"Alert fatigue","author":"Segal","year":"2023"},{"key":"ref80","article-title":"In cybersecurity every alert matters","author":"Robinson","year":"2021"},{"key":"ref81","article-title":"The impact of security alert overload","year":"2019"}],"container-title":["IEEE Transactions on Dependable and Secure Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx8\/8858\/11354469\/11175589.pdf?arnumber=11175589","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,20]],"date-time":"2026-01-20T23:23:37Z","timestamp":1768951417000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/11175589\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1]]},"references-count":81,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.1109\/tdsc.2025.3611866","relation":{},"ISSN":["1545-5971","1941-0018","2160-9209"],"issn-type":[{"value":"1545-5971","type":"print"},{"value":"1941-0018","type":"electronic"},{"value":"2160-9209","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1]]}}}