mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 09:48:58 +00:00
26 lines
959 B
YAML
title: Reconnaissance Activity
status: experimental
description: 'Detects activity as "net user administrator /domain" and "net group domain admins /domain"'
references:
    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (rule), Jack Croock (method)
logsource:
    product: windows
    service: security
    description: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
    selection:
        - EventID: 4661
          ObjectType: 'SAM_USER'
          ObjectName: 'S-1-5-21-*-500'
          AccessMask: '0x2d'
        - EventID: 4661
          ObjectType: 'SAM_GROUP'
          ObjectName: 'S-1-5-21-*-512'
          AccessMask: '0x2d'
    condition: selection
falsepositives:
    - Administrator activity
    - Penetration tests
level: high
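The selection above is a list of two maps, which Sigma evaluates as an OR of two AND-ed field sets, with `*` in `ObjectName` acting as a wildcard over the domain part of the SID. The following Python evaluates that logic over a handful of constructed Event ID 4661 records so the matching can be checked offline. It is an added example, not SigmaHQ code; the domain SID, user names and event fields in it are constructed, not real telemetry.

```python
"""Evaluate the 'Reconnaissance Activity' Sigma selection against constructed
Windows Security events. Added example, not SigmaHQ code; DOMAIN_SID and the
SAMPLE_EVENTS below are constructed."""
import fnmatch

# The rule's 'selection' as Python data. In Sigma a list of maps is OR-ed
# (any item may match) and the keys inside one map are AND-ed.
SELECTION = [
    {"EventID": 4661, "ObjectType": "SAM_USER",
     "ObjectName": "S-1-5-21-*-500", "AccessMask": "0x2d"},
    {"EventID": 4661, "ObjectType": "SAM_GROUP",
     "ObjectName": "S-1-5-21-*-512", "AccessMask": "0x2d"},
]


def field_matches(expected, actual) -> bool:
    """Sigma-style value match: case-insensitive string comparison in which
    '*' matches any run of characters and '?' a single character. Both sides
    are stringified so the integer 4661 in the rule matches '4661' in a log.
    fnmatch also treats '[...]' as a character class; that is harmless for
    SIDs and hex masks but arbitrary values would need escaping."""
    if actual is None:          # field absent from the event: no match
        return False
    return fnmatch.fnmatchcase(str(actual).lower(), str(expected).lower())


def selection_matches(event: dict) -> bool:
    """True when any OR-branch has all of its AND-ed fields matching."""
    return any(
        all(field_matches(want, event.get(field)) for field, want in clause.items())
        for clause in SELECTION
    )


def find_hits(events):
    """Return the subset of events the rule would alert on."""
    return [e for e in events if selection_matches(e)]


DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"   # constructed

# Constructed sample events carrying only the 4661 fields the rule needs.
SAMPLE_EVENTS = [
    # handle to the built-in Administrator account (RID 500), mask 0x2d: hit
    {"EventID": 4661, "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN_SID}-500", "AccessMask": "0x2d",
     "SubjectUserName": "jdoe"},
    # handle to the Domain Admins group (RID 512), mask 0x2d: hit
    {"EventID": 4661, "ObjectType": "SAM_GROUP",
     "ObjectName": f"{DOMAIN_SID}-512", "AccessMask": "0x2d",
     "SubjectUserName": "jdoe"},
    # same Administrator object but a different access mask: no hit
    {"EventID": 4661, "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN_SID}-500", "AccessMask": "0x20094",
     "SubjectUserName": "svc-backup"},
    # an ordinary account whose RID merely ends in 500 (1500): no hit,
    # because the pattern requires the literal '-500' suffix
    {"EventID": 4661, "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN_SID}-1500", "AccessMask": "0x2d",
     "SubjectUserName": "jdoe"},
    # right object and mask but a different event id: no hit
    {"EventID": 4656, "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN_SID}-500", "AccessMask": "0x2d",
     "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print(f"{hit['SubjectUserName']} opened {hit['ObjectType']} "
              f"{hit['ObjectName']} with mask {hit['AccessMask']}")
```

Run directly, it prints the two hits (the RID 500 user and the RID 512 group) and ignores the three decoys. The rule's own logsource note still applies: Event ID 4661 for SAM objects is only emitted where the "Audit SAM" subcategory is enabled, and it is noisy on domain controllers, so a hit is worth reading together with `SubjectUserName` to tell expected administrator activity from the reconnaissance the rule is after.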