Group Managed Service Account Password Dump Detection

Last updated on:

About the rule

Rule Type

Standard

Rule Description

Detects scenarios where an attacker attempts to dump Group Managed Services account (GMSA) passwords stored on writable domain controllers.

Severity

Trouble

Rule Requirement

Criteria

Action1: actionname = "Operation Performed on Object" AND (OBJECTSERVER = "DS" AND OBJECTTYPE contains "aa02fd41-17e0-4f18-8687-b2239649736b" AND SECURITYID notstartswith "S-1-5-18") select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.ACCESSES,Action1.OBJECTNAME,Action1.OBJECTTYPE,Action1.ACCESSMASK,Action1.OBJECTSERVER,Action1.PROPERTIES,Action1.SECURITYID

Detection

Execution Mode

realtime

Log Sources

Active Directory