AD Privileged Users or Groups Reconnaissance

About the rule

Rule Type

Standard

Rule Description

Detects reconnaissance of privileged users or groups based on Event ID 4661 (a handle to an object was requested) and the well-known SIDs of privileged users and groups

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Object Handle Requested" AND OBJECTTYPE = "SAM_USER,SAM_GROUP" AND (OBJECTNAME endswith "-512,-502,-500,-505,-519,-520,-544,-551,-555" OR OBJECTNAME contains "admin") AND USERNAME notendswith "$" select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.OBJECTNAME,Action1.OBJECTTYPE,Action1.PROCESSNAME
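The following is an added example, not the rule engine's own code, showing the Criteria above applied to a handful of constructed, already-normalized 4661 events. It assumes the events carry the field names used in the Criteria (HOSTNAME, MESSAGE, USERNAME, DOMAIN, OBJECTNAME, OBJECTTYPE, PROCESSNAME), that the actionname "Object Handle Requested" is the normalized form of Event ID 4661, and that string comparisons such as contains "admin" are case-insensitive, as most SIEM rule languages treat them. The sample events, account names and SIDs are constructed for the demonstration.

```python
"""Apply the 'AD Privileged Users or Groups Reconnaissance' criteria to 4661 events.

Added example (not the rule page's or product's own code). Field names follow
the rule's Criteria; case-insensitive string matching is an assumption.
"""
from typing import Dict, List

# Trailing RIDs from the rule's Criteria (e.g. S-1-5-21-<domain>-512 = Domain Admins).
PRIVILEGED_RID_SUFFIXES = ("-512", "-502", "-500", "-505", "-519", "-520",
                           "-544", "-551", "-555")

# OBJECTTYPE = "SAM_USER,SAM_GROUP" is read as "either of these".
SAM_OBJECT_TYPES = {"SAM_USER", "SAM_GROUP"}

# Fields listed in the rule's select clause.
SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "USERNAME", "DOMAIN",
                   "OBJECTNAME", "OBJECTTYPE", "PROCESSNAME")


def matches_rule(event: Dict[str, str]) -> bool:
    """Return True when one normalized 4661 event satisfies Action1."""
    # Assumption: "Object Handle Requested" is the normalized name of Event ID 4661.
    if event.get("actionname") != "Object Handle Requested":
        return False
    if event.get("OBJECTTYPE", "").upper() not in SAM_OBJECT_TYPES:
        return False
    object_name = event.get("OBJECTNAME", "")
    rid_hit = object_name.endswith(PRIVILEGED_RID_SUFFIXES)
    admin_hit = "admin" in object_name.lower()   # assumed case-insensitive contains
    if not (rid_hit or admin_hit):
        return False
    # USERNAME notendswith "$": machine accounts are excluded to suppress
    # routine handle requests made by domain controllers and member hosts.
    if event.get("USERNAME", "").endswith("$"):
        return False
    return True


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Filter events with the Criteria and project the selected fields."""
    return [{field: e.get(field, "") for field in SELECTED_FIELDS}
            for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Interactive user opens a handle to the Domain Admins group (-512): alert.
        "actionname": "Object Handle Requested", "HOSTNAME": "DC01",
        "USERNAME": "jdoe", "DOMAIN": "CORP", "OBJECTTYPE": "SAM_GROUP",
        "OBJECTNAME": "S-1-5-21-1111111111-2222222222-3333333333-512",
        "PROCESSNAME": "C:\\Windows\\System32\\lsass.exe",
        "MESSAGE": "A handle to an object was requested.",
    },
    {   # Same object, but a machine account: excluded by the "$" filter.
        "actionname": "Object Handle Requested", "HOSTNAME": "DC01",
        "USERNAME": "WS01$", "DOMAIN": "CORP", "OBJECTTYPE": "SAM_GROUP",
        "OBJECTNAME": "S-1-5-21-1111111111-2222222222-3333333333-512",
        "PROCESSNAME": "C:\\Windows\\System32\\lsass.exe",
        "MESSAGE": "A handle to an object was requested.",
    },
    {   # Ordinary user object (RID 1105): no privileged suffix, no alert.
        "actionname": "Object Handle Requested", "HOSTNAME": "DC01",
        "USERNAME": "jdoe", "DOMAIN": "CORP", "OBJECTTYPE": "SAM_USER",
        "OBJECTNAME": "S-1-5-21-1111111111-2222222222-3333333333-1105",
        "PROCESSNAME": "C:\\Windows\\System32\\lsass.exe",
        "MESSAGE": "A handle to an object was requested.",
    },
    {   # Group whose name contains "admin": alert via the contains clause.
        "actionname": "Object Handle Requested", "HOSTNAME": "DC02",
        "USERNAME": "asmith", "DOMAIN": "CORP", "OBJECTTYPE": "SAM_GROUP",
        "OBJECTNAME": "Help Desk Admins",
        "PROCESSNAME": "C:\\Windows\\System32\\lsass.exe",
        "MESSAGE": "A handle to an object was requested.",
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["HOSTNAME"], hit["USERNAME"], hit["OBJECTTYPE"], hit["OBJECTNAME"])
```

Running the block prints the two alerts (jdoe on the -512 group and asmith on the group whose name contains "admin"); the machine-account request and the ordinary user object are filtered out, which mirrors how the "$" exclusion and the RID list keep the rule focused on interactive accounts touching privileged principals.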

Detection

Execution Mode

realtime

Log Sources

Active Directory

Author

Samir Bousseaden