SigmaHQ/rules/windows/builtin/win_global_catalog_enumeration.yml

26 lines
869 B
YAML
Raw Normal View History

title: Enumeration via the Global Catalog
description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width.
author: Chakib Gzenayi (@Chak092), Hosni Mribah
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
date: 2020/05/11
2020-08-24 23:29:57 +00:00
modified: 2020/08/23
tags:
- attack.discovery
- attack.t1087 # an old one
- attack.t1087.002
logsource:
product: windows
service: system
definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success'
detection:
selection:
EventID: 5156
DestinationPort:
- 3268
- 3269
timeframe: 1h
condition: selection | count() by SourceAddress > 2000
falsepositives:
- Exclude known DCs.
level: medium