Manipulation of User Computer or Group Security Principals Across AD

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..

Sigma rule (View on GitHub)

 1title: Manipulation of User Computer or Group Security Principals Across AD
 2id: b29a93fb-087c-4b5b-a84d-ee3309e69d08
 3status: test
 4description: |
 5    Adversaries may create a domain account to maintain access to victim systems.
 6    Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell
 9    - https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=net-8.0
10author: frack113
11date: 2021/12/28
12tags:
13    - attack.persistence
14    - attack.t1136.002
15logsource:
16    product: windows
17    category: ps_script
18    definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20    selection:
21        ScriptBlockText|contains: System.DirectoryServices.AccountManagement
22    condition: selection
23falsepositives:
24    - Legitimate administrative script
25level: medium

References

Related rules

to-top