Merge pull request #3721 from qasimqlf/patch-13

Minor Fix
2022-11-22 17:10:09 +01:00
parent 11d8bc1dbe ed54bf44a5
commit 4c0e1e0043
1 changed files with 8 additions and 6 deletions
@@ -4,7 +4,7 @@ status: test
 description: Detects possible bypass EDR and SIEM via abnormal user account name.
 author: Ilyas Ochkov, oscd.community
 date: 2019/10/25
-modified: 2022/10/09
+modified: 2022/11/22
 tags:
    - attack.defense_evasion
    - attack.t1036
@@ -12,16 +12,18 @@ logsource:
    product: windows
    service: security
 detection:
-    selection:
-        EventID:
-            - 4720 # create user
-            - 4781 # rename user
+    selection1:
+        EventID: 4720 # create user
        SamAccountName|contains: '$'
-    condition: selection
+    selection2:
+        EventID: 4781 # rename user
+        NewTargetUserName|contains: '$'
+    condition: 1 of selection*
 fields:
    - EventID
    - SamAccountName
    - SubjectUserName
+    - NewTargetUserName
 falsepositives:
    - Unknown
 level: high