mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 10:13:57 +00:00
38 lines
1.3 KiB
YAML
title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: experimental
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017/03/07
modified: 2020/08/23
tags:
    - attack.discovery
    - attack.t1087 # an old one
    - attack.t1087.002
    - attack.t1069 # an old one
    - attack.t1069.002
    - attack.s0039
logsource:
    product: windows
    service: security
    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
    selection:
        EventID: 4661
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
        ObjectName|startswith: 'S-1-5-21-'
        AccessMask: '0x2d'
    selection2:
        ObjectName|endswith:
            - '-500'
            - '-512'
    condition: selection and selection2
falsepositives:
    - Administrator activity
    - Penetration tests
level: high
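To see what the detection block above actually selects, here is an added example (not part of the SigmaHQ rule or its tooling) that evaluates the two selections and the `selection and selection2` condition over constructed Event ID 4661 records; the SIDs and event list are made up for illustration, and the matcher implements only the `startswith`/`endswith` modifiers this rule uses, with Sigma's case-insensitive string comparison.

```python
# Added example, not SigmaHQ code: minimal evaluator for this rule's detection
# block. String comparisons are case-insensitive, as Sigma specifies; list
# values inside one field are OR-ed, fields inside one selection are AND-ed.
RULE = {
    "selection": {
        "EventID": 4661,
        "ObjectType": ["SAM_USER", "SAM_GROUP"],
        "ObjectName|startswith": "S-1-5-21-",
        "AccessMask": "0x2d",
    },
    "selection2": {"ObjectName|endswith": ["-500", "-512"]},
}

def field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value(s)' entry against an event."""
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    actual = str(event[field]).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    for w in (str(x).lower() for x in wanted):
        if modifier == "startswith" and actual.startswith(w):
            return True
        if modifier == "endswith" and actual.endswith(w):
            return True
        if modifier == "" and actual == w:
            return True
    return False

def selection_matches(event, selection):
    """Every entry of a selection map must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    """condition: selection and selection2"""
    return (selection_matches(event, RULE["selection"])
            and selection_matches(event, RULE["selection2"]))

# Constructed sample events (hypothetical domain SID S-1-5-21-111-222-333).
# 0: built-in Administrator (RID 500) queried via SAM -> should match
# 1: Domain Admins (RID 512), upper-case AccessMask   -> should match
# 2: an ordinary user RID, 3: non-SAM object type, 4: wrong EventID -> no match
SAMPLE_EVENTS = [
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-111-222-333-500", "AccessMask": "0x2d"},
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-111-222-333-512", "AccessMask": "0x2D"},
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-111-222-333-1105", "AccessMask": "0x2d"},
    {"EventID": 4661, "ObjectType": "SAM_DOMAIN", "ObjectName": "S-1-5-21-111-222-333-500", "AccessMask": "0x2d"},
    {"EventID": 4662, "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-111-222-333-500", "AccessMask": "0x2d"},
]

def matching_indices(events=SAMPLE_EVENTS):
    """Return the positions of events that would raise this rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

Only the first two records fire; the ordinary-user RID, the non-SAM object type and the different EventID are all filtered out before the rule reaches its condition.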