Tessa Georgen
60b8e9b70f
- update: update MITRE tags for multiple rules --------- Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
36 lines
1.2 KiB
YAML
36 lines
1.2 KiB
YAML
title: User with Privileges Logon
|
|
id: 94309181-d345-4cbf-b5fe-061769bdf9cb
|
|
status: experimental
|
|
description: Detects logon with "Special groups" and "Special Privileges" can be thought of as Administrator groups or privileges.
|
|
references:
|
|
- https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
|
|
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
|
|
- https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964
|
|
author: frack113
|
|
date: 2022/10/14
|
|
modified: 2022/10/22
|
|
tags:
|
|
- attack.defense_evasion
|
|
- attack.lateral_movement
|
|
- attack.credential_access
|
|
- attack.t1558
|
|
- attack.t1649
|
|
- attack.t1550
|
|
logsource:
|
|
service: security
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
EventID:
|
|
- 4672
|
|
- 4964
|
|
filter:
|
|
SubjectUserSid: S-1-5-18
|
|
# Level can be upgrade to medium with a filter
|
|
# filter_valid_account:
|
|
# SubjectUserName: set valid internal naming pattern or a list a valid account
|
|
condition: selection and not filter
|
|
falsepositives:
|
|
- Unknown
|
|
level: low
|