title: Reconnaissance Activity status: experimental description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"' references: - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html author: Florian Roth (rule), Jack Croock (method) logsource: product: windows service: security description: The volume of Event ID 4661 ist high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems detection: selection: - EventID: 4661 ObjectType: 'SAM_USER' ObjectName: 'S-1-5-21-*-500' AccessMask: '0x2d' - EventID: 4661 ObjectType: 'SAM_GROUP' ObjectName: 'S-1-5-21-*-512' AccessMask: '0x2d' condition: selection falsepositives: - Administrator activity - Penetration tests level: high