title: AD User Enumeration
ruletype: Sigma
author: Maxime Thiebaut (@0xThiebaut)
date: 2020/03/30
description: Detects access to a domain user from a non-machine account
detection:
  SELECTION_1:
    EventID: 4662
  SELECTION_2:
    ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*'
  SELECTION_3:
    SubjectUserName: '*$'
  SELECTION_4:
    SubjectUserName: MSOL_*
  condition: ((SELECTION_1 and SELECTION_2) and  not (SELECTION_3 or SELECTION_4))
falsepositives:
- Administrators configuring new users.
id: ab6bffca-beff-4baa-af11-6733f296d57a
level: medium
logsource:
  definition: Requires the "Read all properties" permission on the user object to
    be audited for the "Everyone" principal
  product: windows
  service: security
modified: 2021/08/09
references:
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
status: experimental
tags:
- attack.discovery
- attack.t1087
- attack.t1087.002