AD Privileged Users or Groups Reconnaissance
Detects reconnaissance of privileged users or groups based on Security event ID 4661 and the SIDs (well-known RID suffixes) of known privileged users and groups.
Sigma rule
title: AD Privileged Users or Groups Reconnaissance
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
status: test
description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
references:
    - https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-07-13
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    service: security
    definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
    selection:
        EventID: 4661
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
    selection_object:
        - ObjectName|endswith:
            - '-512'
            - '-502'
            - '-500'
            - '-505'
            - '-519'
            - '-520'
            - '-544'
            - '-551'
            - '-555'
        - ObjectName|contains: 'admin'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and selection_object and not filter
falsepositives:
    - If source account name is not an admin then its super suspicious
level: high
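As an added illustration (not part of the rule or of the Sigma project), the rule's condition `selection and selection_object and not filter` evaluated in Python over a few constructed 4661 events; the field names follow the rule, the event values and SIDs are made up.

```python
# Constants mirroring the rule's selection and selection_object lists.
PRIV_RID_SUFFIXES = ("-512", "-502", "-500", "-505", "-519", "-520", "-544", "-551", "-555")
OBJECT_TYPES = {"sam_user", "sam_group"}


def matches_rule(event: dict) -> bool:
    """Evaluate 'selection and selection_object and not filter' for one parsed
    Security event. Sigma string matching is case-insensitive by default, so
    values are lowercased before comparison."""
    # selection: EventID 4661 with ObjectType SAM_USER or SAM_GROUP
    if str(event.get("EventID", "")) != "4661":
        return False
    if str(event.get("ObjectType", "")).lower() not in OBJECT_TYPES:
        return False
    # selection_object: object SID ends with a privileged RID, or name contains 'admin'
    name = str(event.get("ObjectName", "")).lower()
    if not (name.endswith(PRIV_RID_SUFFIXES) or "admin" in name):
        return False
    # filter: drop machine accounts (SubjectUserName ending in '$')
    if str(event.get("SubjectUserName", "")).endswith("$"):
        return False
    return True


def hunt(events):
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real log data); the domain part of each SID is a placeholder.
SAMPLE_EVENTS = [
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-1111-2222-3333-512",
     "SubjectUserName": "jdoe"},          # user account reads the -512 group -> alert
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-1111-2222-3333-500",
     "SubjectUserName": "WS01$"},         # machine account -> excluded by filter
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-1111-2222-3333-513",
     "SubjectUserName": "jdoe"},          # -513 is not in the RID list -> no alert
    {"EventID": 4661, "ObjectType": "SAM_DOMAIN", "ObjectName": "S-1-5-21-1111-2222-3333-512",
     "SubjectUserName": "jdoe"},          # ObjectType outside selection -> no alert
    {"EventID": 4662, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-1111-2222-3333-512",
     "SubjectUserName": "jdoe"},          # wrong EventID -> no alert
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": "CN=svc_admin",
     "SubjectUserName": "asmith"},        # ObjectName contains 'admin' -> alert
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["SubjectUserName"], "->", hit["ObjectName"])
```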
Related rules
- Active Directory Computers Enumeration With Get-AdComputer
- Active Directory Structure Export Via Csvde.EXE
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- Malicious PowerShell Commandlets - PoshModule