valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 02:08:54 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9ca52259dd
SigmaHQ/rules/windows/builtin/win_ad_replication_non_machine_account.yml

29 lines
1.0 KiB
YAML
Raw Normal View History

oscd task #6 done. add 25 new rules: - win_ad_replication_non_machine_account.yml - win_dpapi_domain_backupkey_extraction.yml - win_protected_storage_service_access.yml - win_dpapi_domain_masterkey_backup_attempt.yml - win_sam_registry_hive_handle_request.yml - win_sam_registry_hive_dump_via_reg_utility.yml - win_lsass_access_non_system_account.yml - win_ad_object_writedac_access.yml - powershell_alternate_powershell_hosts.yml - sysmon_remote_powershell_session_network.yml - win_remote_powershell_session.yml - win_scm_database_handle_failure.yml - win_scm_database_privileged_operation.yml - sysmon_wmi_module_load.yml - sysmon_remote_powershell_session_process.yml - sysmon_rdp_registry_modification.yml - sysmon_powershell_execution_pipe.yml - sysmon_alternate_powershell_hosts_pipe.yml - sysmon_powershell_execution_moduleload.yml - sysmon_createremotethread_loadlibrary.yml - sysmon_alternate_powershell_hosts_moduleload.yml - powershell_remote_powershell_session.yml - win_non_interactive_powershell.yml - win_syskey_registry_access.yml - win_wmiprvse_spawning_process.yml improve 1 rule: - rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
2019-11-10 15:43:41 +00:00
title: T1003 Active Directory Replication from Non Machine Account
UUIDs + moved unsupported logic * Added UUIDs to all contributed rules * Moved unsupported logic directory out of rules/ because this breaks CI testing.
2019-12-19 22:56:36 +00:00
id: 17d619c1-e020-4347-957e-1d1207455c93
oscd task #6 done. add 25 new rules: - win_ad_replication_non_machine_account.yml - win_dpapi_domain_backupkey_extraction.yml - win_protected_storage_service_access.yml - win_dpapi_domain_masterkey_backup_attempt.yml - win_sam_registry_hive_handle_request.yml - win_sam_registry_hive_dump_via_reg_utility.yml - win_lsass_access_non_system_account.yml - win_ad_object_writedac_access.yml - powershell_alternate_powershell_hosts.yml - sysmon_remote_powershell_session_network.yml - win_remote_powershell_session.yml - win_scm_database_handle_failure.yml - win_scm_database_privileged_operation.yml - sysmon_wmi_module_load.yml - sysmon_remote_powershell_session_process.yml - sysmon_rdp_registry_modification.yml - sysmon_powershell_execution_pipe.yml - sysmon_alternate_powershell_hosts_pipe.yml - sysmon_powershell_execution_moduleload.yml - sysmon_createremotethread_loadlibrary.yml - sysmon_alternate_powershell_hosts_moduleload.yml - powershell_remote_powershell_session.yml - win_non_interactive_powershell.yml - win_syskey_registry_access.yml - win_wmiprvse_spawning_process.yml improve 1 rule: - rules/windows/builtin/win_account_backdoor_dcsync_rights.yml
2019-11-10 15:43:41 +00:00
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
status: experimental
date: 2019/07/26
modified: 2019/11/10
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
AccessMask: '0x100'
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter:
SubjectUserName|endswith: '$'
condition: selection and not filter
falsepositives:
- Unknown
level: critical
Reference in New Issue Copy Permalink