Type: Detection | Level: high | Status: test

AD Privileged Users or Groups Reconnaissance

Detects reconnaissance of privileged users or groups based on Event ID 4661 (a handle to an object was requested) and the well-known SIDs/RIDs of privileged users and groups.

Author: Samir Bousseaden
Created: Wed Apr 03
Updated: Wed Jul 13
Rule ID: 35ba1d85-724d-42a3-889f-2e2362bcaf23
Platform: windows

Log Source
Product: windows
Service: security

Definition

Requirements: enable the "Object Access: Audit SAM" audit subcategory on your Domain Controllers so that Event ID 4661 is logged for SAM object access.

Detection Logic (3 selectors)
detection:
    selection:
        EventID: 4661
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
    selection_object:
        - ObjectName|endswith:
              - '-512'
              - '-502'
              - '-500'
              - '-505'
              - '-519'
              - '-520'
              - '-544'
              - '-551'
              - '-555'
        - ObjectName|contains: 'admin'
    filter:
        SubjectUserName|endswith: '$'
    condition: selection and selection_object and not filter
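The rule above is a Sigma rule, so it is normally converted to a SIEM query by a backend. To make the three selectors and the condition concrete, here is an added Python re-implementation of the same logic, written for this page and not part of the rule or the Sigma project. It runs the matcher over a few constructed 4661 records (plain dicts standing in for parsed Windows Security events; the SIDs, account names and object names are made up). Sigma string comparisons are case-insensitive, which the matcher reproduces by lower-casing the values it compares.

```python
"""Added example: the Sigma rule 'AD Privileged Users or Groups Reconnaissance'
expressed as a plain Python matcher. Not the rule's own tooling; event dicts are
constructed samples, not real log records."""

# selection_object, first alternative: well-known RIDs of privileged principals
# (512 Domain Admins, 502 krbtgt, 500 Administrator, 505 Schema Admins, 519 Enterprise
# Admins, 520 Group Policy Creator Owners, 544 Administrators, 551 Backup Operators,
# 555 Remote Desktop Users)
PRIVILEGED_RID_SUFFIXES = ("-512", "-502", "-500", "-505", "-519", "-520", "-544", "-551", "-555")

# selection: only SAM user and group objects are of interest
SAM_OBJECT_TYPES = {"SAM_USER", "SAM_GROUP"}


def matches_rule(event: dict) -> bool:
    """Evaluate 'selection and selection_object and not filter' for one event.

    Sigma matches strings case-insensitively, so every compared value is normalised.
    """
    # selection: EventID 4661 and ObjectType in (SAM_USER, SAM_GROUP)
    if str(event.get("EventID", "")) != "4661":
        return False
    if str(event.get("ObjectType", "")).upper() not in SAM_OBJECT_TYPES:
        return False

    # selection_object: ObjectName ends with a privileged RID OR contains 'admin'
    object_name = str(event.get("ObjectName", "")).lower()
    selection_object = object_name.endswith(PRIVILEGED_RID_SUFFIXES) or "admin" in object_name

    # filter: machine accounts (names ending in '$') are expected to touch SAM objects
    subject = str(event.get("SubjectUserName", ""))
    is_machine_account = subject.endswith("$")

    return selection_object and not is_machine_account


def run_rule(events: list) -> list:
    """Return the indices of the events that the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events (hypothetical SIDs, hosts and users).
SAMPLE_EVENTS = [
    # 0: an ordinary user account opens a handle to the Domain Admins group (RID 512) -> alert
    {"EventID": 4661, "ObjectType": "SAM_GROUP",
     "ObjectName": "S-1-5-21-1111111111-2222222222-3333333333-512",
     "SubjectUserName": "jdoe"},
    # 1: the same object opened by a domain controller machine account -> suppressed by filter
    {"EventID": 4661, "ObjectType": "SAM_GROUP",
     "ObjectName": "S-1-5-21-1111111111-2222222222-3333333333-512",
     "SubjectUserName": "DC01$"},
    # 2: a regular user object (RID 1105), not privileged -> no match
    {"EventID": 4661, "ObjectType": "SAM_USER",
     "ObjectName": "S-1-5-21-1111111111-2222222222-3333333333-1105",
     "SubjectUserName": "jdoe"},
    # 3: object name containing 'Admin' in mixed case -> matched by the 'contains' alternative
    {"EventID": 4661, "ObjectType": "sam_user",
     "ObjectName": "Administrator",
     "SubjectUserName": "svc-backup"},
    # 4: a different object type (SAM_DOMAIN) is outside the selection -> no match
    {"EventID": 4661, "ObjectType": "SAM_DOMAIN",
     "ObjectName": "S-1-5-21-1111111111-2222222222-3333333333-512",
     "SubjectUserName": "jdoe"},
]


if __name__ == "__main__":
    for idx in run_rule(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"ALERT: {ev['SubjectUserName']} requested a handle to {ev['ObjectName']}")
```

Event 3 is the one to keep in mind when tuning: the `ObjectName|contains: 'admin'` alternative also fires on any SAM object whose name happens to contain that substring, so the triage step described under False Positives (is the source account itself an administrator?) is what separates expected administration from enumeration.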

False Positives

If the source account is not an administrator, the activity is highly suspicious.

MITRE ATT&CK
Tactic: Discovery
Technique: T1087.002 (Account Discovery: Domain Account)

Rule Metadata
Rule ID
35ba1d85-724d-42a3-889f-2e2362bcaf23
Status
test
Level
high
Type
Detection
Created
Wed Apr 03
Modified
Wed Jul 13
Path
rules/windows/builtin/security/win_security_account_discovery.yml
Raw Tags
attack.discovery, attack.t1087.002