Reconnaissance Activity

Detects reconnaissance such as "net user administrator /domain" and "net group domain admins /domain", by matching Security Event ID 4661 handle requests against the SAM user object of the built-in domain Administrator (RID 500) and the SAM group object of Domain Admins (RID 512).

Sigma rule

title: Reconnaissance Activity
id: 968eef52-9cff-4454-8992-1e74b9cbad6c
status: test
description: Detects activity such as "net user administrator /domain" and "net group domain admins /domain"
references:
    - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
date: 2017/03/07
modified: 2022/08/22
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.s0039
logsource:
    product: windows
    service: security
    definition: The volume of Event ID 4661 is high on Domain Controllers, and therefore the "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not part of the recommended configuration for server systems
detection:
    selection:
        EventID: 4661
        AccessMask: '0x2d'
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
        ObjectName|startswith: 'S-1-5-21-'
        ObjectName|endswith:
            - '-500'
            - '-512'
    condition: selection
falsepositives:
    - Administrator activity
level: high
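The following is an added example, not code from the rule page or from the SigmaHQ project: a minimal evaluator for the rule's `selection` map, run over constructed Windows Security 4661 events to show which ones fire and which do not. The field names follow the Sigma Windows security-log fields used by the rule; the domain SID, user names and events are made up, and the evaluator implements only the Sigma modifiers this rule needs (a real deployment would compile the rule with a Sigma backend instead).

```python
# Added example (not part of the Sigma rule or the SigmaHQ project): evaluate the
# rule's 'selection' map over constructed Windows Security 4661 events.
from __future__ import annotations

from typing import Any, Optional

# The selection block of the rule. Sigma semantics: keys in a map are AND'ed,
# a list value is OR'ed, string comparison is case-insensitive, and a
# 'field|modifier' key applies the named string modifier.
SELECTION: dict[str, Any] = {
    "EventID": 4661,
    "AccessMask": "0x2d",
    "ObjectType": ["SAM_USER", "SAM_GROUP"],
    "ObjectName|startswith": "S-1-5-21-",
    "ObjectName|endswith": ["-500", "-512"],
}

# Constructed sample events (not real logs); the domain SID is a made-up value.
DOMAIN_SID = "S-1-5-21-1234567890-987654321-1122334455"
SAMPLE_EVENTS: list[dict[str, Any]] = [
    # "net user administrator /domain": SAM_USER object with RID 500
    {"EventID": 4661, "AccessMask": "0x2d", "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN_SID}-500", "SubjectUserName": "jdoe"},
    # "net group \"domain admins\" /domain": SAM_GROUP object with RID 512
    {"EventID": 4661, "AccessMask": "0x2d", "ObjectType": "SAM_GROUP",
     "ObjectName": f"{DOMAIN_SID}-512", "SubjectUserName": "jdoe"},
    # Same access to an ordinary user (RID 1105): out of scope for this rule
    {"EventID": 4661, "AccessMask": "0x2d", "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN_SID}-1105", "SubjectUserName": "jdoe"},
    # RID 1512: '-1512' does not end with '-512'; the hyphen keeps the RID match exact
    {"EventID": 4661, "AccessMask": "0x2d", "ObjectType": "SAM_GROUP",
     "ObjectName": f"{DOMAIN_SID}-1512", "SubjectUserName": "jdoe"},
    # Administrator object opened with a different access mask: not matched
    {"EventID": 4661, "AccessMask": "0x2", "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN_SID}-500", "SubjectUserName": "svc-backup"},
    # A different event ID with otherwise identical fields: not matched
    {"EventID": 4662, "AccessMask": "0x2d", "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN_SID}-500", "SubjectUserName": "jdoe"},
]


def _field_matches(value: Any, expected: Any, modifier: Optional[str]) -> bool:
    """Test one event field against a Sigma value or list of values (OR)."""
    if value is None:
        return False
    v = str(value).lower()
    for cand in expected if isinstance(expected, list) else [expected]:
        c = str(cand).lower()
        if modifier is None and v == c:
            return True
        if modifier == "startswith" and v.startswith(c):
            return True
        if modifier == "endswith" and v.endswith(c):
            return True
        if modifier == "contains" and c in v:
            return True
    return False


def matches_selection(event: dict[str, Any], selection: dict[str, Any] = SELECTION) -> bool:
    """True when every key of the selection map matches the event (AND)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if not _field_matches(event.get(field), expected, modifier or None):
            return False
    return True


def find_hits(events: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_selection(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        rid = hit["ObjectName"].rsplit("-", 1)[1]
        print(f"ALERT {hit['SubjectUserName']}: {hit['ObjectType']} RID {rid} "
              f"opened with AccessMask {hit['AccessMask']}")
```

Only the first two sample events fire. Note the prerequisite the rule's `definition` field points at: Event ID 4661 is only written when the relevant subcategory is enabled for success auditing on the domain controller, for example with `auditpol /set /subcategory:"SAM" /success:enable`, which most server baselines leave off because of the volume; without it the rule is silent no matter how it is deployed.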
