37 lines
1.2 KiB
YAML
37 lines
1.2 KiB
YAML
title: AD User Enumeration
|
|
author: Maxime Thiebaut (@0xThiebaut)
|
|
date: 2020/03/30
|
|
description: Detects access to a domain user from a non-machine account
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 4662
|
|
SELECTION_2:
|
|
ObjectType: '*bf967aba-0de6-11d0-a285-00aa003049e2*'
|
|
SELECTION_3:
|
|
SubjectUserName: '*$'
|
|
SELECTION_4:
|
|
SubjectUserName: MSOL_*
|
|
condition: ((SELECTION_1 and SELECTION_2) and not (SELECTION_3 or SELECTION_4))
|
|
falsepositives:
|
|
- Administrators configuring new users.
|
|
id: ab6bffca-beff-4baa-af11-6733f296d57a
|
|
level: medium
|
|
logsource:
|
|
definition: Requires the "Read all properties" permission on the user object to
|
|
be audited for the "Everyone" principal
|
|
product: windows
|
|
service: security
|
|
modified: 2021/08/09
|
|
references:
|
|
- https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
|
|
- http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
|
|
- https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all
|
|
status: experimental
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1087
|
|
- attack.t1087.002
|
|
yml_filename: win_ad_user_enumeration.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
|
|
|