From 5d85bbba56d59fa21339e6bd87fef91b8ce61745 Mon Sep 17 00:00:00 2001
From: Jonhnathan
Date: Thu, 19 Nov 2020 22:37:13 -0300
Subject: [PATCH] Improve detection logic

---
 .../builtin/win_susp_net_recon_activity.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml
index c6a7653af..c73d5b2ed 100644
--- a/rules/windows/builtin/win_susp_net_recon_activity.yml
+++ b/rules/windows/builtin/win_susp_net_recon_activity.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects activity as "net user administrator /domain" and "net group domain admins /domain"
 references:
 - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html
-author: Florian Roth (rule), Jack Croock (method)
+author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro, oscd.community
 date: 2017/03/07
 modified: 2020/08/23
 tags:
@@ -22,13 +22,13 @@ detection:
 selection:
 - EventID: 4661
 ObjectType: 'SAM_USER'
- ObjectName: 'S-1-5-21-*-500'
+ ObjectName|startswith: 'S-1-5-21-'
 AccessMask: '0x2d'
- - EventID: 4661
- ObjectType: 'SAM_GROUP'
- ObjectName: 'S-1-5-21-*-512'
- AccessMask: '0x2d'
- condition: selection
+ selection2:
+ ObjectName|endswith:
+ - '-500'
+ - '-512'
+ condition: selection and selection2
 falsepositives:
 - Administrator activity
 - Penetration tests
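Review bot: The rewritten `selection` keeps `ObjectType: 'SAM_USER'` as a hard requirement for every match, so the SAM_GROUP branch for RID 512 that the removed lines covered no longer fires — the `net group domain admins /domain` case the description in the first hunk still claims to detect is lost. Since RID 512 is the Domain Admins group rather than a user object, the `'-512'` value in `selection2` appears to be dead under the new logic. Restoring the original coverage while keeping the startswith/endswith split only needs the type widened to a list: `ObjectType:` / `- 'SAM_USER'` / `- 'SAM_GROUP'`. The `modified: 2020/08/23` line in the first hunk should also be bumped, as the detection logic itself changed in this commit.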