Techniques
Sample rules
Hiding User Account Via SpecialAccounts Registry Key - CommandLine
- source: sigma
- techniques:
  - t1564
  - t1564.002
Description
Detects changes to the registry key “HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist” where the value is set to “0” in order to hide user account from being listed on the logon screen.
Detection logic
condition: selection
selection:
  CommandLine|contains|all:
    - \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
    - add
    - /v
    - /d 0
  Image|endswith: \reg.exe
AWS EC2 Disable EBS Encryption
- source: sigma
- techniques:
  - t1486
  - t1565
Description
Identifies disabling of default Amazon Elastic Block Store (EBS) encryption in the current region. Disabling default encryption does not change the encryption status of your existing volumes.
Detection logic
condition: selection
selection:
  eventName: DisableEbsEncryptionByDefault
  eventSource: ec2.amazonaws.com
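The two selections above, evaluated by a minimal matcher over constructed sample events; this is an added example, not code from the page or the Sigma project. It assumes Sysmon-style process-creation fields and CloudTrail fields as named in the rules, and the rule names used as keys in RULES are assumed labels.

```python
# Selections transcribed from the two rules above (Sigma field|modifier syntax).
HIDE_USER_SELECTION = {
    "CommandLine|contains|all": [
        r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList",
        "add", "/v", "/d 0",
    ],
    "Image|endswith": r"\reg.exe",
}
EBS_SELECTION = {"eventName": "DisableEbsEncryptionByDefault",
                 "eventSource": "ec2.amazonaws.com"}
RULES = {"hide_user_account_specialaccounts": HIDE_USER_SELECTION,
         "aws_ec2_disable_ebs_encryption": EBS_SELECTION}

def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier...' entry; Sigma string matching is case-insensitive."""
    field, *mods = key.split("|")
    value = event.get(field)
    if value is None:  # a missing field never satisfies a selection
        return False
    value = str(value).lower()
    if "contains" in mods:
        needles = expected if isinstance(expected, list) else [expected]
        hits = [str(n).lower() in value for n in needles]
        return all(hits) if "all" in mods else any(hits)
    if "endswith" in mods:
        return value.endswith(str(expected).lower())
    return value == str(expected).lower()  # plain equality, as in the EBS rule

def matches(event, selection):
    """All fields of a selection must match (keys in a Sigma map are ANDed)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())

def run_rules(events, rules=RULES):
    """Return (event index, rule name) for every event whose selection matches."""
    return [(i, name) for i, ev in enumerate(events)
            for name, sel in rules.items() if matches(ev, sel)]

# Constructed sample events (not real telemetry): two Sysmon-style process
# creations and two CloudTrail records. Only the first and third should fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v svc_backup /t REG_DWORD /d 0 /f'},
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows /s"},
    {"eventName": "DisableEbsEncryptionByDefault", "eventSource": "ec2.amazonaws.com"},
    {"eventName": "EnableEbsEncryptionByDefault", "eventSource": "ec2.amazonaws.com"},
]

if __name__ == "__main__":
    print(run_rules(SAMPLE_EVENTS))
```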