LoFP / legitimate admin activity

Techniques

Sample rules

Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)

Description

Detects execution of ntdsutil.exe to perform actions such as mounting snapshots or activating the NTDS instance (for example "ac i ntds", the abbreviated form of "activate instance ntds" that typically precedes an IFM export of the Active Directory database). The same commands are used by administrators for backup and database maintenance, so this rule is a common source of false positives.

Detection logic

condition: all of selection_*
selection_cli:
- CommandLine|contains|all:
  - snapshot
  - 'mount '
- CommandLine|contains|all:
  - ac
  - ' i'
  - ' ntds'
selection_img:
- Image|endswith: \ntdsutil.exe
- OriginalFileName: ntdsutil.exe

PUA - AdFind Suspicious Execution

Description

Detects AdFind execution with command-line options and query shortcuts commonly seen during attacks (domain, trust, domain controller, subnet, GPO and privileged-group enumeration). Administrators and inventory scripts run the same queries, so triage should weigh the parent process and the account that executed it.

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - domainlist
  - trustdmp
  - dcmodes
  - adinfo
  - ' dclist '
  - computer_pwdnotreqd
  - objectcategory=
  - -subnets -f
  - name="Domain Admins"
  - '-sc u:'
  - domainncs
  - dompol
  - ' oudmp '
  - subnetdmp
  - gpodmp
  - fspdmp
  - users_noexpire
  - computers_active
  - computers_pwdnotreqd

Modify System Firewall

Description

Detects the removal of system firewall rules. Adversaries may only delete or modify a specific system firewall rule to bypass controls limiting network usage or access. Detection rules that match only on the disabling of firewalls will miss this.

Detection logic

condition: 1 of selection*
selection1:
  a0: iptables
  a1|contains: DROP
  type: EXECVE
selection2:
  a0: firewall-cmd
  a1|contains: remove
  type: EXECVE
selection3:
  a0: ufw
  a1|contains: delete
  type: EXECVE
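The three rules above are easier to reason about when run against concrete events. The block below is an added example, not code from LoFP or SigmaHQ: it implements a minimal evaluator for just the Sigma features these rules use (plain equality, contains, contains|all, endswith, list-of-maps selections, and the "selection", "all of selection_*" and "1 of selection*" condition forms) and feeds it constructed Sysmon-style process events and auditd EXECVE records. The event field names and the sample command lines are assumptions made for the demonstration; the rule logic is transcribed from the page.

```python
"""Minimal Sigma-style evaluator for the three rules quoted on this page.
Added example (not LoFP's or SigmaHQ's code); sample events are constructed."""
import fnmatch
import re

# Rules transcribed from the page. A selection is a dict (AND of fields) or a
# list of dicts (OR of alternatives). Keys carry Sigma modifiers after '|'.
RULES = {
    "ntdsutil_suspicious": {
        "condition": "all of selection_*",
        "selection_cli": [
            {"CommandLine|contains|all": ["snapshot", "mount "]},
            {"CommandLine|contains|all": ["ac", " i", " ntds"]},
        ],
        "selection_img": [
            {"Image|endswith": "\\ntdsutil.exe"},
            {"OriginalFileName": "ntdsutil.exe"},
        ],
    },
    "adfind_suspicious": {
        "condition": "selection",
        "selection": {"CommandLine|contains": [
            "domainlist", "trustdmp", "dcmodes", "adinfo", " dclist ",
            "computer_pwdnotreqd", "objectcategory=", "-subnets -f",
            'name="Domain Admins"', "-sc u:", "domainncs", "dompol", " oudmp ",
            "subnetdmp", "gpodmp", "fspdmp", "users_noexpire",
            "computers_active", "computers_pwdnotreqd"]},
    },
    "modify_system_firewall": {
        "condition": "1 of selection*",
        "selection1": {"a0": "iptables", "a1|contains": "DROP", "type": "EXECVE"},
        "selection2": {"a0": "firewall-cmd", "a1|contains": "remove", "type": "EXECVE"},
        "selection3": {"a0": "ufw", "a1|contains": "delete", "type": "EXECVE"},
    },
}


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier' entry; string matching is case-insensitive,
    as it is in Sigma by default. A missing field never matches."""
    field, *mods = key.split("|")
    if event.get(field) is None:
        return False
    value = str(event[field]).lower()
    wanted = [str(w).lower() for w in (expected if isinstance(expected, list) else [expected])]
    if "contains" in mods:
        hits = [w in value for w in wanted]
    elif "endswith" in mods:
        hits = [value.endswith(w) for w in wanted]
    else:
        hits = [value == w for w in wanted]
    return all(hits) if "all" in mods else any(hits)


def _selection_matches(event, selection):
    if isinstance(selection, list):  # list of maps: any alternative suffices
        return any(_selection_matches(event, alt) for alt in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def evaluate(rule, event):
    """True if the event satisfies the rule's condition (three forms supported)."""
    sels = {k: v for k, v in rule.items() if k != "condition"}
    m = re.fullmatch(r"(all|1) of (\S+)", rule["condition"])
    if m:
        quantifier, pattern = m.groups()
        results = [_selection_matches(event, v) for k, v in sels.items()
                   if fnmatch.fnmatch(k, pattern)]
        return all(results) if quantifier == "all" else any(results)
    return _selection_matches(event, sels[rule["condition"]])


def matching_rules(event):
    return [name for name, rule in RULES.items() if evaluate(rule, event)]


# Constructed sample events: Sysmon-style process creations (Windows rules)
# and auditd EXECVE records with argv split into a0..aN (Linux rule).
NTDS = "C:\\Windows\\System32\\ntdsutil.exe"
SAMPLE_EVENTS = {
    # IFM export: classic NTDS.DIT theft, should fire
    "ntdsutil_ifm": {"Image": NTDS, "OriginalFileName": "ntdsutil.exe",
                     "CommandLine": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp" q q'},
    # admin checking database file info: fires too (legitimate admin activity)
    "ntdsutil_admin_info": {"Image": NTDS, "CommandLine": 'ntdsutil "ac i ntds" files info q q'},
    # FSMO role maintenance: no snapshot/instance keywords, should not fire
    "ntdsutil_roles": {"Image": NTDS, "CommandLine": NTDS + " roles connections q q"},
    "adfind_dump": {"Image": "C:\\Users\\Public\\adfind.exe",
                    "CommandLine": 'adfind.exe -f "(objectcategory=computer)" dnshostname'},
    "adfind_lookup": {"Image": "C:\\Tools\\adfind.exe",
                      "CommandLine": 'adfind.exe -b dc=corp,dc=local -f "(cn=svc_backup)" mail'},
    # iptables -D INPUT -s 10.0.0.5 -j DROP: a1 is "-D", so selection1 misses it
    "iptables_delete": {"type": "EXECVE", "a0": "iptables", "a1": "-D", "a2": "INPUT",
                        "a3": "-s", "a4": "10.0.0.5", "a5": "-j", "a6": "DROP"},
    "firewalld_remove": {"type": "EXECVE", "a0": "firewall-cmd",
                         "a1": "--remove-port=8080/tcp", "a2": "--permanent"},
    "ufw_delete": {"type": "EXECVE", "a0": "ufw", "a1": "delete", "a2": "allow", "a3": "22/tcp"},
    "firewalld_add": {"type": "EXECVE", "a0": "firewall-cmd", "a1": "--add-port=443/tcp"},
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(f"{name:20s} -> {matching_rules(event)}")
```

Two things the run makes visible. First, the ntdsutil rule fires on the administrator's `files info` check exactly as it does on the IFM export, which is why this rule sits under "legitimate admin activity"; the discriminator has to come from context (who ran it, from where, whether an `ifm` or `create full` argument follows). Second, because auditd splits argv into separate `a0`, `a1`, ... fields, `a1|contains: DROP` only sees the first argument of iptables (here `-D`), so a rule deletion with `-j DROP` at the end is not caught, and `firewall-cmd --zone=public --remove-port=...` would likewise escape `selection2` because `remove` is not in `a1`. Anyone deploying this rule over auditd should widen the match to the later argv fields.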