Reconnaissance Activity
Detects Active Directory reconnaissance such as "net user administrator /domain" and "net group domain admins /domain", via Security Event ID 4661 handle requests on the built-in Administrator account (RID 500) and the Domain Admins group (RID 512).
Sigma rule

title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: test
description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
references:
    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017-03-07
modified: 2022-08-22
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.s0039
logsource:
    product: windows
    service: security
    definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems
detection:
    selection:
        EventID: 4661
        AccessMask: '0x2d'
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
        ObjectName|startswith: 'S-1-5-21-'
        ObjectName|endswith:
            - '-500'
            - '-512'
    condition: selection
falsepositives:
    - Administrator activity
level: high
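To make the selection logic concrete, the following is an added example (not part of the Sigma rule, the Sigma project, or the referenced blog post) that applies the rule's field conditions to a handful of constructed Event ID 4661 records. The event dictionaries, SIDs and account names are made up; only the S-1-5-21-<domain>-<RID> shape of the ObjectName and the field names Sigma exposes for the windows/security log source are meaningful. It also covers the edge cases a reviewer would want to check: a case-different AccessMask, a RID of 1512 that must not be mistaken for 512, a built-in SID outside S-1-5-21-, and a different event ID.

```python
"""Apply the 'Reconnaissance Activity' Sigma selection to Event ID 4661 records.

Added example, not code from the Sigma rule or the referenced blog post. All
events below are constructed sample data; the domain SID and user names are
invented and exist only to exercise the matching logic.
"""

# Well-known RIDs the rule keys on: 500 = built-in Administrator, 512 = Domain Admins.
PRIVILEGED_RIDS = {"500": "Administrator (RID 500)", "512": "Domain Admins (RID 512)"}

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed sample events in the field naming Sigma uses for windows/security.
SAMPLE_EVENTS = [
    # net user administrator /domain -> SAM_USER handle on the RID-500 account
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": f"{DOMAIN}-500",
     "AccessMask": "0x2d", "SubjectUserName": "jdoe"},
    # net group "domain admins" /domain -> SAM_GROUP handle on RID 512;
    # upper-case hex, which Sigma's case-insensitive matching must still accept
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": f"{DOMAIN}-512",
     "AccessMask": "0x2D", "SubjectUserName": "jdoe"},
    # Lookup of an ordinary user: RID outside the rule's scope
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": f"{DOMAIN}-1105",
     "AccessMask": "0x2d", "SubjectUserName": "jdoe"},
    # Domain Users (RID 513): also out of scope
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": f"{DOMAIN}-513",
     "AccessMask": "0x2d", "SubjectUserName": "jdoe"},
    # Same RID-500 object but a different access mask: not the enumeration pattern
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": f"{DOMAIN}-500",
     "AccessMask": "0x20", "SubjectUserName": "svc_backup"},
    # Built-in local group: SID is not under S-1-5-21-
    {"EventID": 4661, "ObjectType": "SAM_ALIAS", "ObjectName": "S-1-5-32-544",
     "AccessMask": "0x2d", "SubjectUserName": "jdoe"},
    # RID 1512 ends in "1512", not "-512", and must not fire
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": f"{DOMAIN}-1512",
     "AccessMask": "0x2d", "SubjectUserName": "jdoe"},
    # Different event ID altogether
    {"EventID": 4662, "ObjectType": "SAM_USER", "ObjectName": f"{DOMAIN}-500",
     "AccessMask": "0x2d", "SubjectUserName": "jdoe"},
]


def _norm(value) -> str:
    """Sigma string matching is case-insensitive; compare everything lower-cased."""
    return str(value).lower()


def matches_selection(event: dict) -> bool:
    """Return True when the event satisfies every field of the rule's `selection`.

    Mirrors the YAML: EventID 4661, AccessMask '0x2d', ObjectType in
    {SAM_USER, SAM_GROUP}, ObjectName starting with 'S-1-5-21-' (a domain SID,
    so BUILTIN SIDs such as S-1-5-32-544 are out of scope) and ending in
    '-500' or '-512'. A missing field never matches, as in Sigma.
    """
    try:
        event_id = int(event["EventID"])
    except (KeyError, TypeError, ValueError):
        return False
    if event_id != 4661:
        return False
    if _norm(event.get("AccessMask", "")) != "0x2d":
        return False
    if _norm(event.get("ObjectType", "")) not in {"sam_user", "sam_group"}:
        return False
    object_name = _norm(event.get("ObjectName", ""))
    if not object_name.startswith("s-1-5-21-"):
        return False
    # The hyphen is part of the suffix, so "...-1512" does not end with "-512".
    return object_name.endswith("-500") or object_name.endswith("-512")


def run_rule(events):
    """Return one alert per matching event, annotated with the targeted principal."""
    alerts = []
    for ev in events:
        if matches_selection(ev):
            rid = str(ev["ObjectName"]).rsplit("-", 1)[1]
            alerts.append({
                "rule": "Reconnaissance Activity",
                "level": "high",
                "subject": ev.get("SubjectUserName", "?"),
                "target": PRIVILEGED_RIDS[rid],
                "object_type": ev["ObjectType"],
            })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Only the first two sample events fire. Two caveats follow directly from the rule text: the selection produces nothing unless the "Audit SAM" subcategory is enabled on the domain controllers (the logsource definition notes that the server baselines leave it off because of 4661 volume), and the rule does not filter on SubjectUserName, so the listed "Administrator activity" false positive has to be handled with an allowlist of expected admin accounts in the consuming SIEM rather than in the rule itself.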
Related rules
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ScriptBlock
- PUA - AdFind Suspicious Execution