Potential AD User Enumeration From Non-Machine Account

Detects read access to a domain user from a non-machine account

Sigma rule (View on GitHub)

 1title: Potential AD User Enumeration From Non-Machine Account
 2id: ab6bffca-beff-4baa-af11-6733f296d57a
 3status: test
 4description: Detects read access to a domain user from a non-machine account
 5references:
 6    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
 7    - http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
 8    - https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
 9    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
10author: Maxime Thiebaut (@0xThiebaut)
11date: 2020-03-30
12modified: 2022-11-08
13tags:
14    - attack.discovery
15    - attack.t1087.002
16logsource:
17    product: windows
18    service: security
19    definition: 'Requirements: The "Read all properties" permission on the user object needs to be audited for the "Everyone" principal'
20detection:
21    selection:
22        EventID: 4662
23        # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
24        # The user class (https://learn.microsoft.com/en-us/windows/win32/adschema/c-user)
25        ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
26        AccessMask|endswith:
27            # Note: Since the Access Mask can have more than once permission we need to add all permutations that include the READ property
28            - '1?' # This covers all access masks that are 1 bytes or shorter and the "Read Property" itself
29            - '3?' # Read Property + Write Property
30            - '4?' # Read Property + Delete Tree
31            - '7?' # Read Property + Write Property + Delete Tree
32            - '9?' # Read Property + List Object
33            - 'B?' # Read Property + Write Property + List Object
34            - 'D?' # Read Property + Delete Tree + List Object
35            - 'F?' # Covers usage of all possible 2 bytes permissions with any or none of the single byte permissions
36    filter_main_machine_accounts:
37        SubjectUserName|endswith: '$' # Exclude machine accounts
38    filter_main_msql:
39        SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
40    condition: selection and not 1 of filter_main_*
41falsepositives:
42    - Administrators configuring new users.
43level: medium

References

Related rules

to-top