Rules Contributing to Suspicious Windows Active Directory Operation Alerts
The following rules are used to identify suspicious activity with Windows Active Directory Operation. Any one or more of these will trigger Suspicious Windows Active Directory Operation Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title |
Description |
||||||||
---|---|---|---|---|---|---|---|---|---|
DPAPI Domain Backup Key Extraction |
Detects tools extracting LSA secret DPAPI domain backup key from Domain Controllers More details
Rule IDQuery{'selection': {'EventID': 4662, 'ObjectType': 'SecretObject', 'AccessMask': '0x2', 'ObjectName|contains': 'BCKUPKEY'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,4ac1f50b-3bd0-4968-902d-868b4647937e Author: Roberto Rodriguez @Cyb3rWard0g Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
WMI Persistence - Security |
Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. More details
Rule IDQuery{'selection': {'EventID': 4662, 'ObjectType': 'WMI Namespace', 'ObjectName|contains': 'subscription'}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,f033f3f3-fd24-4995-97d8-a3bb17550a88 Author: Florian Roth (Nextron Systems), Gleb Sukhodolskiy, Timur Zinniatullin oscd.community Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
AD Object WriteDAC Access |
Detects WRITE_DAC access to a domain object More details
Rule IDQuery{'selection': {'EventID': 4662, 'ObjectServer': 'DS', 'AccessMask': '0x40000', 'ObjectType': ['19195a5b-6da0-11d0-afd3-00c04fd930c9', 'domainDNS']}, 'condition': 'selection'} Log SourceStellar Cyber Windows Server Sensor configured for:
Rule SourceSigmaHQ,028c7842-4243-41cd-be6f-12f3cf1a26c7 Author: Roberto Rodriguez @Cyb3rWard0g Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|
||||||||
Access to a Sensitive LDAP Attribute |
Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. More details
Rule IDQuery{'selection1': {'EventID': 4662}, 'selection2': {'SubjectUserSid': 'S-1-5-18'}, 'selection3': {'Properties': ['*612cb747-c0e8-4f92-9221-fdd5f15b550d*', '*b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7*', '*b3f93023-9239-4f7c-b99c-6745d87adbc2*', '*b7ff5a38-0818-42b0-8110-d3d154c97f24*']}, 'selection4': {'AccessMask': ['0x0', '0x100']}, 'condition': 'selection1 and (not selection2) and selection3 and (not selection4)'} Log SourceStellar Cyber Windows Server Sensor configured. Rule SourceDeveloped internally by Stellar Cyber Tactics, Techniques, and ProceduresReferences
N/A
Additional Information
|