
Potential AD User Enumeration From Non-Machine Account

Detects read access to a domain user object (Security Event ID 4662) from a non-machine account, a pattern consistent with domain user enumeration.

Author: Maxime Thiebaut
Created: Mon Mar 30
Updated: Tue Nov 08
Rule ID: ab6bffca-beff-4baa-af11-6733f296d57a

Log Source
Product: windows
Service: security

Definition

Requirements: The "Read all properties" permission on user objects needs to be audited (a SACL entry) for the "Everyone" principal, and the Directory Service Access audit subcategory must be enabled; without both, no Event ID 4662 is generated for these reads.

Detection Logic (3 selectors)
detection:
    selection:
        EventID: 4662
        # Using contains as the data commonly is structured as "%{bf967aba-0de6-11d0-a285-00aa003049e2}"
        # The user class (https://learn.microsoft.com/en-us/windows/win32/adschema/c-user)
        ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
        AccessMask|endswith:
            # Note: An access mask can carry more than one right, so every value of the
            # 0x10..0x80 nibble that includes Read Property (0x10) has to be listed. The '?'
            # wildcard stands for the lowest nibble (the 0x1..0x8 rights), and bits above
            # 0x80 such as Control Access (0x100) are ignored by the endswith match.
            - '1?' # Read Property (0x10) alone
            - '3?' # Read Property + Write Property (0x20)
            - '5?' # Read Property + Delete Tree (0x40); 0x10 + 0x40 = 0x50
            - '7?' # Read Property + Write Property + Delete Tree
            - '9?' # Read Property + List Object (0x80)
            - 'B?' # Read Property + Write Property + List Object
            - 'D?' # Read Property + Delete Tree + List Object
            - 'F?' # Read Property + Write Property + Delete Tree + List Object
    filter_main_machine_accounts:
        SubjectUserName|endswith: '$' # Exclude machine accounts
    filter_main_msol:
        SubjectUserName|startswith: 'MSOL_' # Azure AD Connect AD DS connector account, see https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions#ad-ds-connector-account
    condition: selection and not 1 of filter_main_*
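To see how the selection and the two filters behave on realistic input, here is an added Python evaluator (example code written for this page, not part of the Sigma rule or of the SigmaHQ project). It reimplements the rule's `endswith`, `contains` and `startswith` matching with Sigma's `?` single-character wildcard and case-insensitive comparison, derives the AccessMask nibble patterns from the ADS_RIGHTS_ENUM bit values (0x10 Read Property, 0x20 Write Property, 0x40 Delete Tree, 0x80 List Object) instead of copying them from the rule, checks that derived list against a plain bit test for every mask, and runs the rule over a handful of constructed 4662 events. The user names, the all-zero object GUID and the MSOL_ account suffix in the sample events are invented for illustration.

```python
"""
Added example, not part of the Sigma rule above or of the SigmaHQ project:
a small evaluator for the rule's selection and filter logic, run over
constructed Windows Security 4662 events (the events below are made up
for illustration, not captured logs).
"""
import fnmatch

# ADS_RIGHTS_ENUM values for the property-level rights the rule reasons about.
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_DELETE_TREE = 0x40
ADS_RIGHT_DS_LIST_OBJECT = 0x80

# Schema GUID of the "user" class; 4662 renders ObjectType as "%{<guid>}".
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"


def read_prop_nibbles():
    """Second-to-last hex digits of an access mask whose Read Property bit is set.

    The four rights above all live in the 0x10..0x80 nibble, so that single hex
    digit encodes every combination of them; Read Property is its lowest bit.
    """
    bit = ADS_RIGHT_DS_READ_PROP >> 4  # 0x10 -> bit value 1 inside the nibble
    return [f"{n:X}" for n in range(16) if n & bit]


def read_prop_patterns():
    """Sigma 'endswith' patterns: one nibble plus '?' for the lowest nibble."""
    return [n + "?" for n in read_prop_nibbles()]


def sigma_endswith(value, patterns):
    """Sigma endswith with the '?' single-character wildcard, case-insensitive."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, "*" + p.lower()) for p in patterns)


def has_read_property(access_mask):
    """Bit-test equivalent of the pattern list: is ADS_RIGHT_DS_READ_PROP set?"""
    return bool(int(access_mask, 16) & ADS_RIGHT_DS_READ_PROP)


def patterns_agree_with_bits(limit=0x1000):
    """Check the derived patterns against the bit test for every mask below limit."""
    patterns = read_prop_patterns()
    return all(
        sigma_endswith(f"0x{mask:X}", patterns) == has_read_property(f"0x{mask:X}")
        for mask in range(limit)
    )


def matches_rule(event):
    """Evaluate 'selection and not 1 of filter_main_*' for one event dict."""
    selection = (
        event.get("EventID") == 4662
        and USER_CLASS_GUID in event.get("ObjectType", "").lower()
        and sigma_endswith(event.get("AccessMask", ""), read_prop_patterns())
    )
    subject = event.get("SubjectUserName", "")
    filter_machine = subject.endswith("$")      # filter_main_machine_accounts
    filter_msol = subject.startswith("MSOL_")   # Azure AD Connect connector account
    return bool(selection and not (filter_machine or filter_msol))


def alerting_subjects(events):
    """Return SubjectUserName of every event that fires the rule, in input order."""
    return [e["SubjectUserName"] for e in events if matches_rule(e)]


# Constructed sample events (field names as EVTX renders them; values are made up).
USER_OBJECT = "%{" + USER_CLASS_GUID + "}"
SAMPLE_EVENTS = [
    # Interactive user reading a user object's properties: fires.
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x10", "ObjectType": USER_OBJECT},
    # Same access from a machine account: excluded by filter_main_machine_accounts.
    {"EventID": 4662, "SubjectUserName": "WS01$", "AccessMask": "0x10", "ObjectType": USER_OBJECT},
    # Azure AD Connect connector account (invented suffix): excluded by the MSOL_ filter.
    {"EventID": 4662, "SubjectUserName": "MSOL_1a2b3c4d5e6f", "AccessMask": "0x10", "ObjectType": USER_OBJECT},
    # Read + Write + List Object in lowercase hex: matches 'B?' case-insensitively.
    {"EventID": 4662, "SubjectUserName": "svc-backup", "AccessMask": "0xb0", "ObjectType": USER_OBJECT},
    # Delete Tree only (0x40) carries no Read Property: no match.
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x40", "ObjectType": USER_OBJECT},
    # Control Access only (0x100): second-to-last digit is 0, no match.
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100", "ObjectType": USER_OBJECT},
    # Read Property on some other object class (placeholder GUID, constructed): no match.
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "ObjectType": "%{00000000-0000-0000-0000-000000000000}"},
]

if __name__ == "__main__":
    print("Read Property nibbles:", read_prop_nibbles())
    print("Derived patterns agree with bit test:", patterns_agree_with_bits())
    print("Alerting subjects:", alerting_subjects(SAMPLE_EVENTS))
```

Run it and compare the printed nibble list with the rule's own `AccessMask|endswith` patterns: a mask whose second-to-last hex digit does not have the low bit of that nibble set (for example 0x40, Delete Tree alone) carries no Read Property and must not be matched. Because `endswith` only inspects the last two hex digits, a mask such as 0x110 (Control Access plus Read Property) still matches, while 0x100 alone does not, which is exactly the behaviour the rule's note describes.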
False Positives

Administrators configuring new users.

MITRE ATT&CK
Tactic: Discovery (attack.discovery)
Technique: T1087.002 Account Discovery: Domain Account (attack.t1087.002)
Rule Metadata
Rule ID
ab6bffca-beff-4baa-af11-6733f296d57a
Status
test
Level
medium
Type
Detection
Created
Mon Mar 30
Modified
Tue Nov 08
Path
rules/windows/builtin/security/win_security_ad_user_enumeration.yml
Raw Tags
attack.discovery, attack.t1087.002