title: Reconnaissance Activity id: 968eef52-9cff-4454-8992-1e74b9cbad6c status: experimental description: Detects activity as "net user administrator /domain" and "net group domain admins /domain" references: - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html author: Florian Roth (rule), Jack Croock (method) date: 2017/03/07 tags: - attack.discovery - attack.t1087 - attack.t1069 - attack.s0039 logsource: product: windows service: security definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems detection: selection: - EventID: 4661 ObjectType: 'SAM_USER' ObjectName: 'S-1-5-21-*-500' AccessMask: '0x2d' - EventID: 4661 ObjectType: 'SAM_GROUP' ObjectName: 'S-1-5-21-*-512' AccessMask: '0x2d' condition: selection falsepositives: - Administrator activity - Penetration tests level: high