valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-08 10:13:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #322 from P4T12ICK/feature/win_user_creation

Browse Source 
New Sigma rule detecting local user creation
This commit is contained in:
Thomas Patzke 2019-04-21 00:20:15 +02:00 committed by GitHub
commit bdd184a24c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
rules/windows/builtin/win_user_creation.yml Normal file
View File

@ -0,0 +1,25 @@
title: Detects local user creation
description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
status: experimental
tags:
- attack.persistence
- attack.t1136
references:
- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
logsource:
product: windows
service: security
detection:
selection:
EventID: 4720
condition: selection
fields:
- EventCode
- Account_Name
- Account_Domain
falsepositives:
- Domain Controller Logs
level: high