SigmaHQ/rules/windows/builtin/win_susp_net_recon_activity.yml

36 lines
1.2 KiB
YAML

title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: experimental
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
- https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (rule), Jack Croock (method)
date: 2017/03/07
modified: 2020/08/23
tags:
- attack.discovery
- attack.t1087 # an old one
- attack.t1087.002
- attack.t1069 # an old one
- attack.t1069.002
- attack.s0039
logsource:
product: windows
service: security
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
selection:
- EventID: 4661
ObjectType: 'SAM_USER'
ObjectName: 'S-1-5-21-*-500'
AccessMask: '0x2d'
- EventID: 4661
ObjectType: 'SAM_GROUP'
ObjectName: 'S-1-5-21-*-512'
AccessMask: '0x2d'
condition: selection
falsepositives:
- Administrator activity
- Penetration tests
level: high