valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 17:45:23 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
8de4b6a7ff
atomic-threat-coverage/detection_rules/win_alert_ad_user_backdoors.yml
yugoslavskiy f79f50bec3 changed directories names
2019-02-12 04:55:11 +01:00

35 lines
1.5 KiB
YAML
Executable File
Raw Blame History

title: Active Directory User Backdoors
description: Detects scenarios where one can control another users or computers account without having to use their credentials.
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
- https://www.harmj0y.net/blog/redteaming/another-word-on-delegation/
author: '@neu5ron'
tags:
- attack.t1098
- attack.credential_access
logsource:
product: windows
service: security
definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection1:
EventID: 4738
filter1:
AllowedToDelegateTo: null
selection2:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
selection3:
EventID: 5136
ObjectClass: 'user'
AttributeLDAPDisplayName: 'servicePrincipalName'
selection4:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
condition: (selection1 and not filter1) or selection2 or selection3 or selection4
falsepositives:
- Unknown
level: high
Reference in New Issue View Git Blame Copy Permalink