Potential AD User Enumeration From Non-Machine Account
- source: sigma
- techniques:
  - t1087
  - t1087.002
Description
Detects read access (Security Event ID 4662) to a domain User object (schema class GUID bf967aba-0de6-11d0-a285-00aa003049e2) by a principal that is neither a machine account (name ending in $) nor the Azure AD Connect MSOL_ sync account. A non-machine account reading user objects is a common footprint of account enumeration (T1087.002); legitimate directory-sync and administrative activity is the main source of false positives.
Detection logic
selection:
  EventID: 4662
  ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'
  AccessMask|endswith:
    - '1?'
    - '3?'
    - '4?'
    - '7?'
    - '9?'
    - 'B?'
    - 'D?'
    - 'F?'
filter_main_machine_accounts:
  SubjectUserName|endswith: '$'
filter_main_msql:
  SubjectUserName|startswith: 'MSOL_'
condition: selection and not 1 of filter_main_*
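To show how the selection, the two filters and the condition combine on realistic input, the following Python is an added example (it is not part of this page and not SigmaHQ's own tooling) that evaluates the rule over a handful of constructed 4662 events. The account names, access-mask values and events are made up; the schema GUIDs for the User class (bf967aba-...) and the Computer class (bf967a86-...) are the real Active Directory values, and the helper reproduces Sigma's default string matching, which is case-insensitive, with `?` matching exactly one character and `*` any run.

```python
import re

# AD schema GUID of the User class, as referenced by the rule's ObjectType|contains
USER_CLASS_GUID = "bf967aba-0de6-11d0-a285-00aa003049e2"
# AccessMask|endswith patterns from the rule; '?' is a single-character wildcard
ACCESS_MASK_SUFFIXES = ["1?", "3?", "4?", "7?", "9?", "B?", "D?", "F?"]


def sigma_match(value, pattern, modifier):
    """Sigma string matching: case-insensitive, '*' matches any run, '?' one character.
    modifier is one of 'equals', 'startswith', 'endswith', 'contains'."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    wrapped = {
        "equals": body,
        "startswith": body + ".*",
        "endswith": ".*" + body,
        "contains": ".*" + body + ".*",
    }[modifier]
    return re.fullmatch(wrapped, str(value), re.IGNORECASE | re.DOTALL) is not None


def selection(event):
    """The rule's 'selection' block: every listed field must match (logical AND)."""
    return (
        str(event.get("EventID", "")) == "4662"
        and sigma_match(event.get("ObjectType", ""), USER_CLASS_GUID, "contains")
        # a list of values under one field is a logical OR
        and any(sigma_match(event.get("AccessMask", ""), p, "endswith") for p in ACCESS_MASK_SUFFIXES)
    )


def filter_main_machine_accounts(event):
    return sigma_match(event.get("SubjectUserName", ""), "$", "endswith")


def filter_main_msql(event):
    return sigma_match(event.get("SubjectUserName", ""), "MSOL_", "startswith")


def rule_matches(event):
    """condition: selection and not 1 of filter_main_*"""
    return selection(event) and not (filter_main_machine_accounts(event) or filter_main_msql(event))


# Constructed sample events (not real log data). ObjectType uses the %{guid} form
# that Windows writes into 4662; AccessMask is the hex string as logged.
USER_OBJ = "%{" + USER_CLASS_GUID + "}"
COMPUTER_OBJ = "%{bf967a86-0de6-11d0-a285-00aa003049e2}"   # Computer class schema GUID
SAMPLE_EVENTS = [
    # 1. interactive user reads a User object (0x10 = ADS_RIGHT_DS_READ_PROP) -> alert
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": USER_OBJ, "AccessMask": "0x10"},
    # 2. machine account -> suppressed by filter_main_machine_accounts
    {"EventID": 4662, "SubjectUserName": "WS01$", "ObjectType": USER_OBJ, "AccessMask": "0x10"},
    # 3. Azure AD Connect sync account -> suppressed by filter_main_msql
    {"EventID": 4662, "SubjectUserName": "MSOL_1a2b3c4d5e6f", "ObjectType": USER_OBJ, "AccessMask": "0x10"},
    # 4. write-property access (0x20): second-to-last hex digit '2' is not in the list -> no alert
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": USER_OBJ, "AccessMask": "0x20"},
    # 5. same read, but of a Computer object -> outside this rule's scope
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": COMPUTER_OBJ, "AccessMask": "0x10"},
    # 6. different event id -> no alert
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectType": USER_OBJ, "AccessMask": "0x10"},
    # 7. EventID as a string, upper-case GUID and mask -> still matches (case-insensitive)
    {"EventID": "4662", "SubjectUserName": "helpdesk1",
     "ObjectType": "%{BF967ABA-0DE6-11D0-A285-00AA003049E2}", "AccessMask": "0x2009B"},
]


def run_rule(events):
    """Return the SubjectUserName of every event that fires the rule, in log order."""
    return [e["SubjectUserName"] for e in events if rule_matches(e)]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))   # ['jdoe', 'helpdesk1']
```

Two practical points follow from running it. Because the access-mask patterns are anchored on the last two hex digits, a mask such as 0x100 (ending in "00") does not fire even though it carries a control-access right, so the rule is deliberately narrow. And 4662 is only written when the Audit Directory Service Access subcategory is enabled and the object carries a SACL that covers the access; without both, this rule sees no events at all. In a SIEM this rule is usually better treated as a signal to aggregate (count of distinct user objects read per SubjectUserName over a short window) than as a per-event alert.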