Group Managed Service Account Password Dump Detection
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects scenarios where an attacker attempts to dump Group Managed Services account (GMSA) passwords stored on writable domain controllers.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Operation Performed on Object" AND (OBJECTSERVER = "DS" AND OBJECTTYPE contains "aa02fd41-17e0-4f18-8687-b2239649736b" AND SECURITYID notstartswith "S-1-5-18")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.ACCESSES,Action1.OBJECTNAME,Action1.OBJECTTYPE,Action1.ACCESSMASK,Action1.OBJECTSERVER,Action1.PROPERTIES,Action1.SECURITYID
Detection
Execution Mode
realtime
Log Sources
Active Directory


