User with Privileges Logon
Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.
Sigma rule (View on GitHub)
1title: User with Privileges Logon
2id: 94309181-d345-4cbf-b5fe-061769bdf9cb
3status: experimental
4description: Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.
5references:
6 - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
7 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
8 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964
9author: frack113
10date: 2022/10/14
11modified: 2022/10/22
12tags:
13 - attack.defense_evasion
14 - attack.lateral_movement
15 - attack.credential_access
16 - attack.t1558
17 - attack.t1649
18 - attack.t1550
19logsource:
20 service: security
21 product: windows
22detection:
23 selection:
24 EventID:
25 - 4672
26 - 4964
27 filter:
28 SubjectUserSid: S-1-5-18
29 # Level can be upgrade to medium with a filter
30 # filter_valid_account:
31 # SubjectUserName: set valid internal naming pattern or a list a valid account
32 condition: selection and not filter
33falsepositives:
34 - Unknown
35level: low
References
-
Documentation and scripts to properly enable Windows event logs. - Yamato-Security/EnableWindowsLogSettings
Read More -
-
Related rules
- Outgoing Logon with New Credentials
- Audit CVE Event
- Suspicious Outbound Kerberos Connection
- Password Provided In Command Line Of Net.EXE
- Replay Attack Detected