35 lines
1.1 KiB
YAML
35 lines
1.1 KiB
YAML
title: Enumeration via the Global Catalog
|
|
author: Chakib Gzenayi (@Chak092), Hosni Mribah
|
|
date: 2020/05/11
|
|
description: Detects enumeration of the global catalog (that can be performed using
|
|
BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain
|
|
width.
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 5156
|
|
SELECTION_2:
|
|
DestinationPort: 3268
|
|
SELECTION_3:
|
|
DestinationPort: 3269
|
|
condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))| count() by SourceAddress
|
|
> 2000
|
|
falsepositives:
|
|
- Exclude known DCs.
|
|
id: 619b020f-0fd7-4f23-87db-3f51ef837a34
|
|
level: medium
|
|
logsource:
|
|
definition: The advanced audit policy setting "Windows Filtering Platform > Filtering
|
|
Platform Connection" must be configured for Success
|
|
product: windows
|
|
service: security
|
|
modified: 2021/06/01
|
|
references:
|
|
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156
|
|
tags:
|
|
- attack.discovery
|
|
- attack.t1087
|
|
- attack.t1087.002
|
|
yml_filename: win_global_catalog_enumeration.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/builtin
|
|
|