SigmaHQ/rules/windows/builtin/win_susp_net_recon_activity.yml

title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: experimental
description: Detects activity such as "net user administrator /domain" and "net group domain admins /domain"
references:
    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (rule), Jack Croock (method)
tags:
    - attack.discovery
    - attack.t1087
    - attack.t1069
    - attack.s0039
logsource:
    product: windows
    service: security
    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
    selection:
        - EventID: 4661
          ObjectType: 'SAM_USER'
          ObjectName: 'S-1-5-21-*-500'
          AccessMask: '0x2d'
        - EventID: 4661
          ObjectType: 'SAM_GROUP'
          ObjectName: 'S-1-5-21-*-512'
          AccessMask: '0x2d'
    condition: selection
falsepositives:
    - Administrator activity
    - Penetration tests
level: high
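The rule's `selection` is a list of two maps, which in Sigma means OR between the maps and AND between the fields inside each map, with `*` in a string value acting as a wildcard and string comparison being case-insensitive. The script below is an added example, not part of the SigmaHQ rule or of any Sigma backend: it re-implements just that selection logic in plain Python and runs it over a handful of constructed 4661 events (the SIDs, account names and host names are made up) so you can see which records match and why. It assumes the events have already been parsed into dictionaries keyed by the Windows field names the rule uses (`EventID`, `ObjectType`, `ObjectName`, `AccessMask`).

```python
import fnmatch
import re

# The rule's selection, transcribed from the YAML above: a list of AND-groups
# joined by OR. The ObjectName patterns pin the well-known RIDs 500 (built-in
# Administrator) and 512 (Domain Admins) inside any domain SID prefix.
SELECTION = [
    {"EventID": 4661, "ObjectType": "SAM_USER",
     "ObjectName": "S-1-5-21-*-500", "AccessMask": "0x2d"},
    {"EventID": 4661, "ObjectType": "SAM_GROUP",
     "ObjectName": "S-1-5-21-*-512", "AccessMask": "0x2d"},
]


def _match_value(pattern, value):
    """Sigma-style comparison: strings are case-insensitive with '*'/'?'
    wildcards; non-string patterns (the integer EventID) compare by value."""
    if isinstance(pattern, str):
        regex = fnmatch.translate(pattern)  # '*' -> '.*', everything else escaped
        return re.fullmatch(regex, str(value), re.IGNORECASE) is not None
    return str(pattern) == str(value)


def matches_rule(event):
    """True if the event satisfies any AND-group of the selection (the OR)."""
    for clause in SELECTION:
        if all(field in event and _match_value(pat, event[field])
               for field, pat in clause.items()):
            return True
    return False


def run_detection(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical SIDs, users and hosts).
SAMPLE_EVENTS = [
    # Administrator account object read with the 0x2d access mask -> hit
    {"EventID": 4661, "Computer": "DC01.example.test", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_USER",
     "ObjectName": "S-1-5-21-1004336348-1177238915-682003330-500",
     "AccessMask": "0x2d"},
    # Domain Admins group object read with the 0x2d access mask -> hit
    {"EventID": 4661, "Computer": "DC01.example.test", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_GROUP",
     "ObjectName": "S-1-5-21-1004336348-1177238915-682003330-512",
     "AccessMask": "0x2d"},
    # Same access on an ordinary user (RID 1105) -> no hit, rule only watches RID 500
    {"EventID": 4661, "Computer": "DC01.example.test", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_USER",
     "ObjectName": "S-1-5-21-1004336348-1177238915-682003330-1105",
     "AccessMask": "0x2d"},
    # Administrator object but a different access mask -> no hit
    {"EventID": 4661, "Computer": "DC01.example.test", "SubjectUserName": "svc_backup",
     "ObjectType": "SAM_USER",
     "ObjectName": "S-1-5-21-1004336348-1177238915-682003330-500",
     "AccessMask": "0x20094"},
    # Different event ID altogether -> no hit
    {"EventID": 4662, "Computer": "DC01.example.test", "SubjectUserName": "jdoe",
     "ObjectType": "SAM_USER",
     "ObjectName": "S-1-5-21-1004336348-1177238915-682003330-500",
     "AccessMask": "0x2d"},
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {hit['Computer']} {hit['SubjectUserName']} "
              f"{hit['ObjectType']} {hit['ObjectName']} {hit['AccessMask']}")
```

Only the first two sample events fire; the RID-1105 and 0x20094 events show that both the wildcard SID suffix and the exact access mask are required, which is what keeps the rule usable despite the high 4661 volume the `definition` field warns about. When porting this to a real pipeline, feed it the parsed Security-log fields and keep the case-insensitive match, since `AccessMask` is sometimes rendered in upper-case hex.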