hayabusa/rules/Sigma/win_ad_find_discovery.yml
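---
# Sigma rule (as shipped in the Hayabusa rule set) that flags AdFind
# reconnaissance by matching known AdFind switches and output-file name
# fragments in process command lines. Sigma wildcard '*' matches any run
# of characters. Each SELECTION_n is one command-line pattern; SELECTION_1
# anchors every hit to the process-creation event itself (see `condition`).
title: AdFind Usage Detection
author: Janantha Marasinghe (https://github.com/blueteam0ps)
# Sigma dates are YYYY/MM/DD; the slashes keep them plain strings rather
# than YAML timestamps, so no quoting is required.
date: 2021/02/02
description: >-
  AdFind continues to be seen across majority of breaches. It is used for
  domain trust discovery to plan out subsequent steps in the attack chain.
detection:
  # EventID 1 is the Sysmon process-creation event (matches the
  # process_creation logsource below); required for every match.
  SELECTION_1:
    EventID: 1
  # Single quotes let the embedded double quotes stay literal.
  SELECTION_10:
    CommandLine: '*name="Domain Admins"*'
  SELECTION_11:
    CommandLine: '*-sc u:*'
  SELECTION_12:
    CommandLine: '*domainncs*'
  SELECTION_13:
    CommandLine: '*dompol*'
  # The leading/trailing spaces are intentional: the token must appear as a
  # separate word, not as a substring of a longer argument.
  SELECTION_14:
    CommandLine: '* oudmp *'
  SELECTION_15:
    CommandLine: '*subnetdmp*'
  SELECTION_16:
    CommandLine: '*gpodmp*'
  SELECTION_17:
    CommandLine: '*fspdmp*'
  SELECTION_18:
    CommandLine: '*users_noexpire*'
  SELECTION_19:
    CommandLine: '*computers_active*'
  SELECTION_2:
    CommandLine: '*domainlist*'
  SELECTION_3:
    CommandLine: '*trustdmp*'
  SELECTION_4:
    CommandLine: '*dcmodes*'
  SELECTION_5:
    CommandLine: '*adinfo*'
  # Spaces intentional, as for SELECTION_14.
  SELECTION_6:
    CommandLine: '* dclist *'
  SELECTION_7:
    CommandLine: '*computer_pwdnotreqd*'
  # Broad: matches any command line carrying an LDAP 'objectcategory='
  # filter fragment, not only AdFind. Likely the noisiest selection in the
  # rule; the first candidate to tune if it fires on legitimate tooling.
  SELECTION_8:
    CommandLine: '*objectcategory=*'
  SELECTION_9:
    CommandLine: '*-subnets -f*'
  # Process-creation event AND any one of the command-line patterns.
  condition: >-
    (SELECTION_1 and (SELECTION_2 or SELECTION_3 or SELECTION_4 or SELECTION_5
    or SELECTION_6 or SELECTION_7 or SELECTION_8 or SELECTION_9 or SELECTION_10
    or SELECTION_11 or SELECTION_12 or SELECTION_13 or SELECTION_14 or SELECTION_15
    or SELECTION_16 or SELECTION_17 or SELECTION_18 or SELECTION_19))
# AdFind is also used legitimately by administrators; triage by user,
# host role and frequency before escalating.
falsepositives:
  - Admin activity
# UUID is already a plain string; no quoting needed.
id: 9a132afa-654e-11eb-ae93-0242ac130002
level: high
logsource:
  category: process_creation
  product: windows
modified: 2021/02/02
references:
  - https://thedfirreport.com/2020/05/08/adfind-recon/
  - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
  - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
status: experimental
# ATT&CK mapping: Discovery tactic; T1482 Domain Trust Discovery,
# T1018 Remote System Discovery.
tags:
  - attack.discovery
  - attack.t1482
  - attack.t1018
# Metadata presumably added by the rule conversion step (not part of the
# Sigma schema). yml_path is an absolute path from the converting machine,
# including a local user directory; it carries no detection meaning, so
# consumers should not depend on it and it is better stripped or made
# relative before publication.
yml_filename: win_ad_find_discovery.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation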