LoFP / if source account name is not an admin then it's super suspicious

Techniques

Sample rules

AD Privileged Users or Groups Reconnaissance

Description

Detect reconnaissance of privileged users or groups based on Event ID 4661 and the SIDs (well-known RID suffixes) of known privileged users or groups

Detection logic

condition: selection and selection_object and not filter
filter:
  SubjectUserName|endswith: $
selection:
  EventID: 4661
  ObjectType:
  - SAM_USER
  - SAM_GROUP
selection_object:
- ObjectName|endswith:
  - '-512'
  - '-502'
  - '-500'
  - '-505'
  - '-519'
  - '-520'
  - '-544'
  - '-551'
  - '-555'
- ObjectName|contains: admin
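The rule logic above, evaluated in Python over a handful of constructed 4661 events, together with the triage step the false-positive note implies: a hit whose source account is not a known admin is escalated. This is an added example, not part of the LoFP page or the Sigma rule; the sample events and the KNOWN_ADMINS set are assumptions.

```python
# Added example: evaluate the Sigma rule "AD Privileged Users or Groups
# Reconnaissance" over constructed Windows Security 4661 events.
PRIV_SID_SUFFIXES = ("-512", "-502", "-500", "-505", "-519", "-520",
                     "-544", "-551", "-555")

# Constructed allow-list of accounts expected to enumerate these objects.
# In a real deployment this would come from Domain Admins membership.
KNOWN_ADMINS = {"admin.jsmith"}


def matches_rule(event: dict) -> bool:
    """condition: selection and selection_object and not filter.
    Sigma string modifiers are case-insensitive, so names are lowercased."""
    selection = (event.get("EventID") == 4661
                 and event.get("ObjectType") in ("SAM_USER", "SAM_GROUP"))
    name = str(event.get("ObjectName", "")).lower()
    # selection_object: privileged RID suffix OR the word "admin" in the name
    selection_object = name.endswith(PRIV_SID_SUFFIXES) or "admin" in name
    # filter: machine accounts (SubjectUserName ending in $) are excluded
    filtered = str(event.get("SubjectUserName", "")).endswith("$")
    return selection and selection_object and not filtered


def triage(event: dict) -> str:
    """'none' if the rule does not fire, 'review' when the source account is
    a known admin, 'high' when it is not (the false-positive note above)."""
    if not matches_rule(event):
        return "none"
    subject = str(event.get("SubjectUserName", "")).lower()
    return "review" if subject in KNOWN_ADMINS else "high"


SAMPLE_EVENTS = [  # constructed sample data, not real log records
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-1111-2222-3333-512", "SubjectUserName": "jdoe"},
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-1111-2222-3333-500", "SubjectUserName": "admin.jsmith"},
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "S-1-5-21-1111-2222-3333-512", "SubjectUserName": "DC01$"},
    {"EventID": 4661, "ObjectType": "SAM_GROUP", "ObjectName": "CN=Helpdesk Admins", "SubjectUserName": "jdoe"},
    {"EventID": 4661, "ObjectType": "SAM_DOMAIN", "ObjectName": "S-1-5-21-1111-2222-3333-512", "SubjectUserName": "jdoe"},
    {"EventID": 4661, "ObjectType": "SAM_USER", "ObjectName": "S-1-5-21-1111-2222-3333-1105", "SubjectUserName": "jdoe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['SubjectUserName']:>14} -> {ev['ObjectName']:<30} {triage(ev)}")
```

The third event shows why the `$` filter exists: domain controllers touch these objects constantly, and without it the rule would be dominated by machine-account noise.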