Type: Detection | Level: high | Status: test

Reconnaissance Activity

Detects activity such as "net user administrator /domain" and "net group domain admins /domain".

Author: Florian Roth (Nextron Systems), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community
Created: Tue Mar 07
Updated: Mon Aug 22
Rule ID: 968eef52-9cff-4454-8992-1e74b9cbad6c
Product: windows
Log Source
Product: Windows (raw: windows)
Service: security (raw: security)

Definition

The volume of Event ID 4661 is high on Domain Controllers, and therefore the "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems. Event ID 4661 is only logged where those subcategories have been enabled explicitly, so the rule produces no hits on hosts running the default server audit policy.

Detection Logic
detection:
    selection:
        EventID: 4661
        AccessMask: '0x2d'
        ObjectType:
            - 'SAM_USER'
            - 'SAM_GROUP'
        ObjectName|startswith: 'S-1-5-21-'
        ObjectName|endswith:
            - '-500'
            - '-512'
    condition: selection
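
As an added example that is not part of the rule or this page, the Python below applies the selection above to a handful of constructed Event ID 4661 records (placeholder domain SID) using Sigma's matching semantics: fields are AND-ed, list values are OR-ed, and string comparisons are case-insensitive.

```python
# Added example, not part of the Sigma rule or this page: applies the rule's
# selection to constructed Event ID 4661 records with Sigma's semantics
# (AND across fields, OR within value lists, case-insensitive strings).

SELECTION = {
    "EventID": 4661,
    "AccessMask": "0x2d",
    "ObjectType": ["SAM_USER", "SAM_GROUP"],
    "ObjectName|startswith": "S-1-5-21-",
    "ObjectName|endswith": ["-500", "-512"],
}

# Constructed sample events; the domain part of the SID is a placeholder.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_EVENTS = [
    # Built-in Administrator (RID 500) opened with mask 0x2d: expected hit.
    {"EventID": 4661, "AccessMask": "0x2d", "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN}-500"},
    # Domain Admins (RID 512), mask logged upper-case: still a hit.
    {"EventID": 4661, "AccessMask": "0x2D", "ObjectType": "SAM_GROUP",
     "ObjectName": f"{DOMAIN}-512"},
    # Ordinary user RID: not in the endswith list, no hit.
    {"EventID": 4661, "AccessMask": "0x2d", "ObjectType": "SAM_USER",
     "ObjectName": f"{DOMAIN}-1105"},
    # Same group, different access mask: no hit.
    {"EventID": 4661, "AccessMask": "0x20", "ObjectType": "SAM_GROUP",
     "ObjectName": f"{DOMAIN}-512"},
]


def matches_selection(event, selection=SELECTION):
    """True when every entry of the selection holds for the event."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        value = str(event[field]).lower()
        wanted = expected if isinstance(expected, list) else [expected]
        wanted = [str(w).lower() for w in wanted]
        if modifier == "":
            ok = value in wanted
        elif modifier == "startswith":
            ok = any(value.startswith(w) for w in wanted)
        elif modifier == "endswith":
            ok = any(value.endswith(w) for w in wanted)
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if not ok:
            return False
    return True
```

Note that the S-1-5-21- prefix also covers local machine SIDs (a local Administrator account is RID 500 as well), so the rule depends on the events being collected from Domain Controllers rather than member servers.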

False Positives

Administrator activity

Rule Metadata
Rule ID: 968eef52-9cff-4454-8992-1e74b9cbad6c
Status: test
Level: high
Type: Detection
Created: Tue Mar 07
Modified: Mon Aug 22
Path: rules/windows/builtin/security/win_security_susp_net_recon_activity.yml
Raw Tags: attack.discovery, attack.t1087.002, attack.t1069.002, attack.s0039