valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
b5766f8804
SigmaHQ/rules/windows/builtin/win_ad_replication_non_machine_account.yml
Jonhnathan 9765fcbd0c
Update Threat Hunter Playbook Reference
2021-05-22 00:55:29 -03:00

36 lines
1.2 KiB
YAML
Raw Blame History

title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
status: experimental
date: 2019/07/26
modified: 2020/08/23
author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html
tags:
- attack.credential_access
- attack.t1003 # an old one
- attack.t1003.006
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
AccessMask: '0x100'
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter:
- SubjectUserName|endswith: '$'
- SubjectUserName|startswith: 'MSOL_' #https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
condition: selection and not filter
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
falsepositives:
- Unknown
level: critical
Reference in New Issue View Git Blame Copy Permalink