Techniques
Sample rules
Windows AD Privileged Object Access Activity
- source: splunk
- technicques:
- T1087
- T1087.002
Description
Windows Active Directory contains numerous objects that grant elevated access to the domain they reside in. These objects should be rarely accessed by normal users or processes. Access attempts to one or more of these objects may be evidence of attacker enumeration of Active Directory.
Detection logic
`wineventlog_security` EventCode=4662 ObjectName IN ( "CN=Account Operators,*", "CN=Administrators,*", "CN=Backup Operators,*", "CN=Cert Publishers,*", "CN=Certificate Service DCOM Access,*", "CN=Domain Admins,*", "CN=Domain Controllers,*", "CN=Enterprise Admins,*", "CN=Enterprise Read-only Domain Controllers,*", "CN=Group Policy Creator Owners,*", "CN=Incoming Forest Trust Builders,*", "CN=Microsoft Exchange Servers,*", "CN=Network Configuration Operators,*", "CN=Power Users,*", "CN=Print Operators,*", "CN=Read-only Domain Controllers,*", "CN=Replicators,*", "CN=Schema Admins,*", "CN=Server Operators,*", "CN=Exchange Trusted Subsystem,*", "CN=Exchange Windows Permission,*", "CN=Organization Management,*")
| rex field=ObjectName "CN\=(?<object_name>[^,]+)"
| stats values(Computer) as dest, values(object_name) as object_name, dc(ObjectName) as object_count, min(_time) as firstTime, max(_time) as lastTime, count by SubjectUserName
| rename SubjectUserName as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_ad_privileged_object_access_activity_filter`
Windows AD Abnormal Object Access Activity
- source: splunk
- technicques:
- T1087
- T1087.002
Description
Windows Active Directory contains numerous objects. A statistically significant increase in access to these objects may be evidence of attacker enumeration of Active Directory.
Detection logic
`wineventlog_security` EventCode=4662
| stats min(_time) AS firstTime, max(_time) AS lastTime, dc(ObjectName) AS ObjectName_count, values(ObjectType) AS ObjectType, latest(Computer) AS dest count BY SubjectUserName
| eventstats avg(ObjectName_count) AS average stdev(ObjectName_count) AS standarddev
| eval limit = round((average+(standarddev*3)),0), user = SubjectUserName
| where ObjectName_count > limit
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_ad_abnormal_object_access_activity_filter`