← Back to Explore
sigmahighHunting
AD Privileged Users or Groups Reconnaissance
Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
Detection Query
selection:
EventID: 4661
ObjectType:
- SAM_USER
- SAM_GROUP
selection_object:
- ObjectName|endswith:
- "-512"
- "-502"
- "-500"
- "-505"
- "-519"
- "-520"
- "-544"
- "-551"
- "-555"
- ObjectName|contains: admin
filter:
SubjectUserName|endswith: $
condition: selection and selection_object and not filter
Author
Samir Bousseaden
Created
2019-04-03
Data Sources
windowssecurity
Platforms
windows
Tags
attack.discoveryattack.t1087.002
Raw Content
title: AD Privileged Users or Groups Reconnaissance
id: 35ba1d85-724d-42a3-889f-2e2362bcaf23
status: test
description: Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs
references:
- https://web.archive.org/web/20230329163438/https://blog.menasec.net/2019/02/threat-hunting-5-detecting-enumeration.html
author: Samir Bousseaden
date: 2019-04-03
modified: 2022-07-13
tags:
- attack.discovery
- attack.t1087.002
logsource:
product: windows
service: security
definition: 'Requirements: enable Object Access SAM on your Domain Controllers'
detection:
selection:
EventID: 4661
ObjectType:
- 'SAM_USER'
- 'SAM_GROUP'
selection_object:
- ObjectName|endswith:
- '-512'
- '-502'
- '-500'
- '-505'
- '-519'
- '-520'
- '-544'
- '-551'
- '-555'
- ObjectName|contains: 'admin'
filter:
SubjectUserName|endswith: '$'
condition: selection and selection_object and not filter
falsepositives:
- If source account name is not an admin then its super suspicious
level: high