security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
71186c8788b3f85dba122647e8992dcafe29c7e3
sigma-rules/rules/windows/persistence_user_account_creation_event_logs.toml
T
Jonhnathan d017156454 [Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761) 
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update test_all_rules.py

* Update test_all_rules.py

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-05-15 20:31:59 -03:00

60 lines
1.7 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2021/01/04"
integration = ["system", "windows"]
maturity = "development"
updated_date = "2023/04/27"
[rule]
author = ["Skoetting"]
description = """
Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access
to a system or domain.
"""
false_positives = [
"""
Legitimate local user creations may be done by a system or network administrator. Verify whether this is known
behavior in your environment. Local user creations by unfamiliar users or hosts should be investigated. If known
behavior is causing false positives, it can be exempted from the rule.
""",
]
index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "Windows User Account Creation"
risk_score = 21
rule_id = "38e17753-f581-4644-84da-0d60a8318694"
severity = "low"
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Persistence"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.module:("system" or "security") and winlog.api:"wineventlog" and
(event.code:"4720" or event.action:"added-user-account")
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1136/001/"
[[rule.threat.technique.subtechnique]]
id = "T1136.002"
name = "Domain Account"
reference = "https://attack.mitre.org/techniques/T1136/002/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
Reference in New Issue View Git Blame Copy Permalink