Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

Potential AD User Enumeration From Non-Machine Account

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

Potential AD User Enumeration From Non-Machine Account

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: Potential AD User Enumeration From Non-Machine Account
id: ab6bffca-beff-4baa-af11-6733f296d57a
status: test
description: Detects read access to a domain user from a non-machine account
references:
    - https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf
    - http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
    - https://learn.microsoft.com/en-us/windows/win32/adschema/attributes-all # For further investigation of the accessed properties
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4662
author: Maxime Thiebaut (@0xThiebaut)
date: 2020-03-30
modified: 2022-11-08
tags:
    - attack.discovery
    - attack.t1087.002
logsource:
    product: windows
    service: security
    definition: 'Requirements: The "Read all properties" permission on the user object needs to be audited for the "Everyone" principal'
detection:
    selection:
        EventID: 4662
        # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
        # The user class (https://learn.microsoft.com/en-us/windows/win32/adschema/c-user)
        ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
        AccessMask|endswith:
            # Note: Since the Access Mask can have more than once permission we need to add all permutations that include the READ property
            - '1?' # This covers all access masks that are 1 bytes or shorter and the "Read Property" itself
            - '3?' # Read Property + Write Property
            - '4?' # Read Property + Delete Tree
            - '7?' # Read Property + Write Property + Delete Tree
            - '9?' # Read Property + List Object
            - 'B?' # Read Property + Write Property + List Object
            - 'D?' # Read Property + Delete Tree + List Object
            - 'F?' # Covers usage of all possible 2 bytes permissions with any or none of the single byte permissions
    filter_main_machine_accounts:
        SubjectUserName|endswith: '$' # Exclude machine accounts
    filter_main_msql:
        SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Administrators configuring new users.
level: medium

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/builtin/security/win_security_ad_user_enumeration.yml