SigmaHQ/rules/windows/builtin/win_susp_net_recon_activity.yml

title: Reconnaissance Activity
status: experimental
description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"'
references:
    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (rule), Jack Croock (method)
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1069
    - attack.s0039
logsource:
    product: windows
    service: security
    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
detection:
    selection:
        - EventID: 4661
          ObjectType: 'SAM_USER'
          ObjectName: 'S-1-5-21-*-500'
          AccessMask: '0x2d'
        - EventID: 4661
          ObjectType: 'SAM_GROUP'
          ObjectName: 'S-1-5-21-*-512'
          AccessMask: '0x2d'
    condition: selection
falsepositives:
    - Administrator activity
    - Penetration tests
level: high
Massive Title Cleanup 2018-01-27 09:57:30 +00:00			`title: Reconnaissance Activity`
Rule: Windows - Recon Activity 2017-03-07 11:01:39 +00:00			`status: experimental`
windows builtin mitre attack tags 2018-07-24 04:34:20 +00:00			`description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"'`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html`
Rule: Windows - Recon Activity 2017-03-07 11:01:39 +00:00			`author: Florian Roth (rule), Jack Croock (method)`
Add tags to windows builtin rules 2018-07-24 05:50:32 +00:00			`tags:`
			`- attack.discovery`
			`- attack.t1087`
			`- attack.t1069`
			`- attack.s0039`
Rule: Windows - Recon Activity 2017-03-07 11:01:39 +00:00			`logsource:`
			`product: windows`
			`service: security`
Replace "logsource: description" with "definition" to match the specs 2018-11-15 06:00:06 +00:00			`definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems`
Rule: Windows - Recon Activity 2017-03-07 11:01:39 +00:00			`detection:`
			`selection:`
			`- EventID: 4661`
			`ObjectType: 'SAM_USER'`
			`ObjectName: 'S-1-5-21-*-500'`
			`AccessMask: '0x2d'`
			`- EventID: 4661`
			`ObjectType: 'SAM_GROUP'`
			`ObjectName: 'S-1-5-21-*-512'`
			`AccessMask: '0x2d'`
			`condition: selection`
			`falsepositives:`
			`- Administrator activity`
			`- Penetration tests`
			`level: high`