Techniques
Sample rules
Reconnaissance Activity
- source: sigma
- techniques:
- t1069
- t1069.002
- t1087
- t1087.002
Description
Detects activity such as "net user administrator /domain" and "net group domain admins /domain"
Detection logic
condition: selection
selection:
  AccessMask: '0x2d'
  EventID: 4661
  ObjectName|endswith:
    - '-500'
    - '-512'
  ObjectName|startswith: S-1-5-21-
  ObjectType:
    - SAM_USER
    - SAM_GROUP
ADCS Certificate Template Configuration Vulnerability
- source: sigma
- techniques:
Description
Detects certificate template creation with a risky permission: the enrollee may supply the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT)
Detection logic
condition: selection1 or selection2
selection1:
  EventID: 4898
  TemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
selection2:
  EventID: 4899
  NewTemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
ADCS Certificate Template Configuration Vulnerability with Risky EKU
- source: sigma
- techniques:
Description
Detects certificate template creation with a risky permission (the enrollee may supply the subject) combined with a risky EKU
Detection logic
condition: (selection10 and selection11) or (selection20 and selection21)
selection10:
  EventID: 4898
  TemplateContent|contains:
    - 1.3.6.1.5.5.7.3.2
    - 1.3.6.1.5.2.3.4
    - 1.3.6.1.4.1.311.20.2.2
    - 2.5.29.37.0
selection11:
  TemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
selection20:
  EventID: 4899
  NewTemplateContent|contains:
    - 1.3.6.1.5.5.7.3.2
    - 1.3.6.1.5.2.3.4
    - 1.3.6.1.4.1.311.20.2.2
    - 2.5.29.37.0
selection21:
  NewTemplateContent|contains: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT
Pass the Hash Activity 2
- source: sigma
- techniques:
- t1550
- t1550.002
Description
Detects the pass-the-hash attack technique, which is used to move laterally inside the network
Detection logic
condition: 1 of selection_* and not filter
filter:
  TargetUserName: ANONYMOUS LOGON
selection_logon3:
  EventID: 4624
  KeyLength: 0
  LogonProcessName: NtLmSsp
  LogonType: 3
  SubjectUserSid: S-1-0-0
selection_logon9:
  EventID: 4624
  LogonProcessName: seclogo
  LogonType: 9
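To make the "1 of selection_* and not filter" condition concrete, here is an added Python example (not part of this page or of the Sigma project) that evaluates the Pass the Hash Activity 2 selections and filter over constructed Windows Security event records; the minimal matcher, which also understands the contains/startswith/endswith modifiers used by the other rules above, is an assumption modelled on the rule syntax and not a real Sigma backend.

```python
from typing import Any, Dict, List
# Sigma field modifiers used on this page; no modifier means exact match.
_OPS = {
    None: lambda v, c: v == c,
    "contains": lambda v, c: c in v,
    "startswith": lambda v, c: v.startswith(c),
    "endswith": lambda v, c: v.endswith(c),
}

def _field_matches(value: Any, modifier: Any, expected: Any) -> bool:
    """One event field against a selection value; a list of values means any-of (Sigma OR)."""
    candidates = expected if isinstance(expected, list) else [expected]
    return any(_OPS[modifier](str(value), str(c)) for c in candidates)

def match_selection(event: Dict[str, Any], selection: Dict[str, Any]) -> bool:
    """Every key in a selection must match (Sigma AND within one selection)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event or not _field_matches(event[field], modifier or None, expected):
            return False
    return True

# Pass the Hash Activity 2, transcribed from the detection logic above.
PTH_SELECTIONS = {
    "selection_logon3": {"EventID": 4624, "KeyLength": 0, "LogonProcessName": "NtLmSsp",
                         "LogonType": 3, "SubjectUserSid": "S-1-0-0"},
    "selection_logon9": {"EventID": 4624, "LogonProcessName": "seclogo", "LogonType": 9},
}
PTH_FILTER = {"TargetUserName": "ANONYMOUS LOGON"}

def pass_the_hash_match(event: Dict[str, Any]) -> bool:
    """condition: 1 of selection_* and not filter"""
    hit = any(match_selection(event, sel) for sel in PTH_SELECTIONS.values())
    return hit and not match_selection(event, PTH_FILTER)

# Constructed sample 4624 events (hypothetical, not real logs); comments give the verdict.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "KeyLength": 0,
     "SubjectUserSid": "S-1-0-0", "TargetUserName": "svc-backup"},       # logon3 hit
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "KeyLength": 0,
     "SubjectUserSid": "S-1-0-0", "TargetUserName": "ANONYMOUS LOGON"},  # dropped by filter
    {"EventID": 4624, "LogonType": 9, "LogonProcessName": "seclogo",
     "TargetUserName": "jdoe"},                                          # logon9 hit
    {"EventID": 4624, "LogonType": 3, "LogonProcessName": "NtLmSsp", "KeyLength": 128,
     "SubjectUserSid": "S-1-0-0", "TargetUserName": "jdoe"},             # KeyLength differs
]

def evaluate(events: List[Dict[str, Any]]) -> List[bool]:
    """Return one verdict per event, in input order."""
    return [pass_the_hash_match(e) for e in events]
```

Field values are compared as strings so that an integer from one log source and a string from another (e.g. KeyLength 0 vs "0") match the same way.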