Detectionmediumtest

Password Policy Enumerated

Detects when the password policy is enumerated.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Zach MathisCreated Fri May 1912ba6a38-adb3-4d6b-91ba-a7fb248e3199windows

Log Source

Windowssecurity

ProductWindows← raw: windows

Servicesecurity← raw: security

Definition

dfd8c0f4-e6ad-4e07-b91b-f2fca0ddef64

Detection Logic

detection:
    selection:
        EventID: 4661 # A handle to an object was requested.
        AccessList|contains: '%%5392' # ReadPasswordParameters
        ObjectServer: 'Security Account Manager'
    condition: selection

References

MITRE ATT&CK

Tactics

TA0007 · Discovery

Techniques

T1201 · Password Policy Discovery

Rule Metadata

Rule ID

12ba6a38-adb3-4d6b-91ba-a7fb248e3199

Status

test

Level

medium

Type

Detection

Created

Fri May 19

Author

Zach Mathis

Path

rules/windows/builtin/security/win_security_password_policy_enumerated.yml

Raw Tags

attack.discoveryattack.t1201

View on GitHub