Nasreddine Bencherchali
be359ef3f2
Create Release / Create Release (push) Has been cancelled
fix: Kerberos Manipulation - Update field to use Status instead of incorrect "FailureCode" fix: Metasploit SMB Authentication - Remove unnecessary field fix: Service Installation in Suspicious Folder - Update FP filter update: Malicious PowerShell Commandlets - ProcessCreation - "Start-Dnscat2" remove: Dnscat Execution - Deprecated in favour of an integration in the "Malicious PowerShell Cmdlet" type of rules remove: SAM Dump to AppData update: Critical Hive In Suspicious Location Access Bits Cleared - Enhance metadata and logic update: Malicious PowerShell Commandlets - PoshModule - "Start-Dnscat2" update: Malicious PowerShell Commandlets - ScriptBlock - "Start-Dnscat2" update: Malicious PowerShell Scripts - FileCreation - Add "dnscat2.ps1" update: Malicious PowerShell Scripts - PoshModule - Add "dnscat2.ps1" update: Monitoring For Persistence Via BITS - Use "Image" and "OriginalFileName" fields instead of CLI only update: New or Renamed User Account with '$' Character - Reduced level to "medium" update: New Process Created Via Taskmgr.EXE - Added full paths to the filtered binaries to decrease false negatives update: Potential Dropper Script Execution Via WScript/CScript - Re-wrote the logic by removing the paths "C:\Users" and "C:\ProgramData". As these are very common and will generate high FP rate. Instead switched the paths to a more robust list and extended the list of extension covered. Also reduced the level to "medium" update: Potential Fake Instance Of Hxtsr.EXE Executed - Remove "C:" prefix from detection logic update: Prefetch File Deleted - Update selection to remove 'C:' prefix update: Sensitive File Access Via Volume Shadow Copy Backup - Made the rule more generic by updating the title and removing the IOC from conti. (will be added in a dedicated rule) update: Shell Process Spawned by Java.EXE - Add "bash.exe" update: Suspicious PowerShell Download - Powershell Script - Add "DownloadFileAsync" and "DownloadStringAsync" functions update: Suspicious Processes Spawned by Java.EXE - Remove "bash.exe" as its doesn't fit the logic update: Sysmon Application Crashed - Add 32bit version of sysmon binary update: Tap Driver Installation - Security - Reduce level to "low" update: Write Protect For Storage Disabled - Remove "storagedevicepolicies" as the string "storage" already covers it --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
25 lines
747 B
YAML
25 lines
747 B
YAML
title: Local User Creation
|
|
id: 66b6be3d-55d0-4f47-9855-d69df21740ea
|
|
status: test
|
|
description: |
|
|
Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs.
|
|
references:
|
|
- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
|
|
author: Patrick Bareiss
|
|
date: 2019/04/18
|
|
modified: 2021/01/17
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1136.001
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection:
|
|
EventID: 4720
|
|
condition: selection
|
|
falsepositives:
|
|
- Domain Controller Logs
|
|
- Local accounts managed by privileged account management tools
|
|
level: low
|