title: AD Privileged Users or Groups Reconnaissance
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
references:
    - https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
tags:
    - attack.discovery
    - attack.t1087          # an old one
    - attack.t1087.002
status: experimental
author: Samir Bousseaden
date: 2019/04/03
modified: 2020/08/23
logsource:
    product: windows
    service: security
    definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
    selection:
        EventID: 4661
        ObjectType:
        - 'SAM_USER'
        - 'SAM_GROUP'
    selection_object:
        - ObjectName|endswith:
          - '-512'
          - '-502'
          - '-500'
          - '-505'
          - '-519'
          - '-520'
          - '-544'
          - '-551'
          - '-555'
        - ObjectName|contains:
          - 'admin'
    condition: selection and selection_object
falsepositives:
    - if source account name is not an admin then its super suspicious
level: high