Sigma rules for CVE-2017-2649
19 rules · scoped to cve · back to CVE-2017-2649
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Active Directory Replication from Non Machine Account
id: 17d619c1-e020-4347-957e-1d1207455c93
status: test
description: Detects potential abuse of Active Directory Replication Service (ADRS) from a non machine account to request credentials.
references:
- https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html
- https://threathunterplaybook.com/library/windows/active_directory_replication.html
- https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-07-26
modified: 2021-11-27
tags:
- attack.credential-access
- attack.t1003.006
logsource:
product: windows
service: security
detection:
selection:
EventID: 4662
AccessMask: '0x100'
Properties|contains:
- '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
- '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
- '89e95b76-444d-4c62-991a-0facbeda640c'
filter:
- SubjectUserName|endswith: '$'
- SubjectUserName|startswith: 'MSOL_' # https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-accounts-permissions#ad-ds-connector-account
condition: selection and not filter
falsepositives:
- Unknown
level: critical
title: Suspicious Active Directory Database Snapshot Via ADExplorer
id: ef61af62-bc74-4f58-b49b-626448227652
related:
- id: 9212f354-7775-4e28-9c9f-8f0a4544e664
type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database to a suspicious directory. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
- OriginalFileName: 'AdExp'
- Description: 'Active Directory Editor'
- Product: 'Sysinternals ADExplorer'
selection_flag:
CommandLine|contains: 'snapshot'
selection_paths:
CommandLine|contains:
# TODO: Add more suspicious paths
- '\Downloads\'
- '\Users\Public\'
- '\AppData\'
- '\Windows\Temp\'
condition: all of selection_*
falsepositives:
- Unknown
level: high
title: Active Directory User Backdoors
id: 300bac00-e041-4ee2-9c36-e262656a6ecc
status: test
description: Detects scenarios where one can control another users or computers account without having to use their credentials.
references:
- https://msdn.microsoft.com/en-us/library/cc220234.aspx
- https://adsecurity.org/?p=3466
- https://blog.harmj0y.net/redteaming/another-word-on-delegation/
author: '@neu5ron'
date: 2017-04-13
modified: 2024-02-26
tags:
- attack.privilege-escalation
- attack.t1098
- attack.persistence
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management, DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection1:
EventID: 4738
filter_empty:
AllowedToDelegateTo:
- ''
- '-'
filter_null:
AllowedToDelegateTo: null
selection_5136_1:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToDelegateTo'
selection_5136_2:
EventID: 5136
ObjectClass: 'user'
AttributeLDAPDisplayName: 'servicePrincipalName'
selection_5136_3:
EventID: 5136
AttributeLDAPDisplayName: 'msDS-AllowedToActOnBehalfOfOtherIdentity'
condition: (selection1 and not 1 of filter_*) or 1 of selection_5136_*
falsepositives:
- Unknown
level: high
title: Azure Active Directory Hybrid Health AD FS New Server
id: 288a39fc-4914-4831-9ada-270e9dc12cb4
status: test
description: |
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
This can be done programmatically via HTTP requests to Azure.
references:
- https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2023-10-11
tags:
- attack.defense-impairment
- attack.t1578
logsource:
product: azure
service: activitylogs
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/servicemembers/action'
condition: selection
falsepositives:
- Legitimate AD FS servers added to an AAD Health AD FS service instance
level: medium
title: Azure Active Directory Hybrid Health AD FS Service Delete
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
status: test
description: |
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
references:
- https://o365blog.com/post/hybridhealthagent/
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC
date: 2021-08-26
modified: 2023-10-11
tags:
- attack.defense-impairment
- attack.t1578.003
logsource:
product: azure
service: activitylogs
detection:
selection:
CategoryValue: 'Administrative'
ResourceProviderValue: 'Microsoft.ADHybridHealthService'
ResourceId|contains: 'AdFederationService'
OperationNameValue: 'Microsoft.ADHybridHealthService/services/delete'
condition: selection
falsepositives:
- Legitimate AAD Health AD FS service instances being deleted in a tenant
level: medium
title: Potential Active Directory Enumeration Using AD Module - PsModule
id: 74176142-4684-4d8a-8b0a-713257e7df8e
related:
- id: 70bc5215-526f-4477-963c-a47a5c9ebd12
type: similar
- id: 9e620995-f2d8-4630-8430-4afd89f77604
type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
- https://github.com/samratashok/ADModule
- https://twitter.com/cyb3rops/status/1617108657166061568?s=20
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2023-01-22
tags:
- attack.reconnaissance
- attack.discovery
- attack.impact
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_cmdlet:
Payload|contains:
- 'Import-Module '
- 'ipmo '
selection_dll:
Payload|contains: 'Microsoft.ActiveDirectory.Management.dll'
condition: all of selection_*
falsepositives:
- Legitimate use of the library for administrative activity
level: medium
title: Potential Active Directory Enumeration Using AD Module - PsScript
id: 9e620995-f2d8-4630-8430-4afd89f77604
related:
- id: 70bc5215-526f-4477-963c-a47a5c9ebd12
type: similar
- id: 74176142-4684-4d8a-8b0a-713257e7df8e
type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
- https://github.com/samratashok/ADModule
- https://twitter.com/cyb3rops/status/1617108657166061568?s=20
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: frack113, Nasreddine Bencherchali
date: 2023-01-22
tags:
- attack.reconnaissance
- attack.discovery
- attack.impact
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enable'
detection:
selection_generic:
ScriptBlockText|contains|all:
- 'Import-Module '
- 'Microsoft.ActiveDirectory.Management.dll'
selection_specific:
ScriptBlockText|contains: 'ipmo Microsoft.ActiveDirectory.Management.dll'
condition: 1 of selection_*
falsepositives:
- Legitimate use of the library for administrative activity
level: medium
title: Uncommon Connection to Active Directory Web Services
id: b3ad3c0f-c949-47a1-a30e-b0491ccae876
status: test
description: |
Detects uncommon network connections to the Active Directory Web Services (ADWS) from processes not typically associated with ADWS management.
references:
- https://medium.com/falconforce/soaphound-tool-to-collect-active-directory-data-via-adws-165aca78288c
- https://github.com/FalconForceTeam/FalconFriday/blob/a9219dfcfd89836f34660223f47d766982bdce46/Discovery/ADWS_Connection_from_Unexpected_Binary-Win.md
author: '@kostastsale'
date: 2024-01-26
tags:
- attack.discovery
- attack.t1087
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: true
DestinationPort: 9389
filter_main_dsac:
Image: 'C:\Windows\system32\dsac.exe'
filter_main_ms_monitoring_agent:
Image: 'C:\Program Files\Microsoft Monitoring Agent\'
filter_main_powershell:
Image|startswith:
- 'C:\Program Files\PowerShell\7\pwsh.exe'
- 'C:\Program Files\PowerShell\7-preview\pwsh.ex'
- 'C:\Windows\System32\WindowsPowerShell\'
- 'C:\Windows\SysWOW64\WindowsPowerShell\'
condition: selection and not 1 of filter_main_*
falsepositives:
- ADWS is used by a number of legitimate applications that need to interact with Active Directory. These applications should be added to the allow-listing to avoid false positives.
level: medium
title: Active Directory Database Snapshot Via ADExplorer
id: 9212f354-7775-4e28-9c9f-8f0a4544e664
related:
- id: ef61af62-bc74-4f58-b49b-626448227652
type: derived
status: test
description: Detects the execution of Sysinternals ADExplorer with the "-snapshot" flag in order to save a local copy of the active directory database. This can be used by attackers to extract data for Bloodhound, usernames for password spraying or use the meta data for social engineering. The snapshot doesn't contain password hashes but there have been cases, where administrators put passwords in the comment field.
references:
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/de-de/sysinternals/downloads/adexplorer
- https://github.com/c3c/ADExplorerSnapshot.py/tree/f700904defac330802bbfedd1d8ffd9248f4ee24
- https://www.packetlabs.net/posts/scattered-spider-is-a-young-ransomware-gang-exploiting-large-corporations/
- https://www.nccgroup.com/us/research-blog/lapsus-recent-techniques-tactics-and-procedures/
- https://trustedsec.com/blog/adexplorer-on-engagements
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
modified: 2025-07-09
tags:
- attack.discovery
- attack.t1087.002
- attack.t1069.002
- attack.t1482
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\ADExp.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
- '\ADExplorer64a.exe'
- OriginalFileName: 'AdExp'
- Description: 'Active Directory Editor'
- Product: 'Sysinternals ADExplorer'
selection_cli:
CommandLine|contains: 'snapshot'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe)
id: a58353df-af43-4753-bad0-cd83ef35eef5
related:
- id: 2afafd61-6aae-4df4-baed-139fa1f4c345
type: derived
status: test
description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11)
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-09-14
tags:
- attack.credential-access
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\ntdsutil.exe'
- OriginalFileName: 'ntdsutil.exe'
selection_cli:
- CommandLine|contains|all:
- 'snapshot'
- 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit
- CommandLine|contains|all:
# This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08
# The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms
# Same case with the "instance" flag
- 'ac'
- ' i'
- ' ntds'
condition: all of selection_*
falsepositives:
- Legitimate usage to restore snapshots
- Legitimate admin activity
level: medium
title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
id: 2afafd61-6aae-4df4-baed-139fa1f4c345
status: test
description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
author: Thomas Patzke
date: 2019-01-16
modified: 2022-03-11
tags:
- attack.credential-access
- attack.t1003.003
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\ntdsutil.exe'
condition: selection
falsepositives:
- NTDS maintenance
level: medium
title: Active Directory Structure Export Via Csvde.EXE
id: e5d36acd-acb4-4c6f-a13f-9eb203d50099
status: test
description: Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.
references:
- https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms
- https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
- https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
- https://redcanary.com/blog/msix-installers/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
- attack.exfiltration
- attack.discovery
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\csvde.exe'
- OriginalFileName: 'csvde.exe'
selection_remote:
CommandLine|contains: ' -f'
filter_import:
CommandLine|contains: ' -i'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
title: Active Directory Structure Export Via Ldifde.EXE
id: 4f7a6757-ff79-46db-9687-66501a02d9ec
status: test
description: Detects the execution of "ldifde.exe" in order to export organizational Active Directory structure.
references:
- https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit
- https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-03-14
tags:
- attack.exfiltration
logsource:
category: process_creation
product: windows
detection:
selection_ldif:
- Image|endswith: '\ldifde.exe'
- OriginalFileName: 'ldifde.exe'
selection_cmd:
CommandLine|contains: '-f'
filter_import:
CommandLine|contains: ' -i'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
title: Potential Active Directory Enumeration Using AD Module - ProcCreation
id: 70bc5215-526f-4477-963c-a47a5c9ebd12
related:
- id: 9e620995-f2d8-4630-8430-4afd89f77604
type: similar
- id: 74176142-4684-4d8a-8b0a-713257e7df8e
type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
- https://github.com/samratashok/ADModule
- https://twitter.com/cyb3rops/status/1617108657166061568?s=20
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: frack113
date: 2023-01-22
tags:
- attack.reconnaissance
- attack.discovery
- attack.impact
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cmdlet:
CommandLine|contains:
- 'Import-Module '
- 'ipmo '
selection_dll:
CommandLine|contains: 'Microsoft.ActiveDirectory.Management.dll'
condition: all of selection_*
falsepositives:
- Legitimate use of the library for administrative activity
level: medium
title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
id: 31d68132-4038-47c7-8f8e-635a39a7c174
status: test
description: Detects potential Active Directory enumeration via LDAP
references:
- https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
- https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
- https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
- https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
- https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427
- https://ipurple.team/2024/07/15/sharphound-detection/
author: Adeem Mawani
date: 2021-06-22
modified: 2025-07-04
tags:
- attack.discovery
- attack.t1069.002
- attack.t1087.002
- attack.t1482
logsource:
product: windows
service: ldap
definition: 'Requirements: Microsoft-Windows-LDAP-Client/Debug ETW logging'
detection:
generic_search:
EventID: 30
SearchFilter|contains:
- '(groupType:1.2.840.113556.1.4.803:=2147483648)'
- '(groupType:1.2.840.113556.1.4.803:=2147483656)'
- '(groupType:1.2.840.113556.1.4.803:=2147483652)'
- '(groupType:1.2.840.113556.1.4.803:=2147483650)'
- '(sAMAccountType=805306369)'
- '(sAMAccountType=805306368)'
- '(sAMAccountType=536870913)'
- '(sAMAccountType=536870912)'
- '(sAMAccountType=268435457)'
- '(sAMAccountType=268435456)'
- '(objectCategory=groupPolicyContainer)'
- '(objectCategory=organizationalUnit)'
# - '(objectCategory=Computer)' Prone to false positives
- '(objectCategory=nTDSDSA)'
- '(objectCategory=server)'
- '(objectCategory=domain)'
- '(objectCategory=person)'
- '(objectCategory=group)'
- '(objectCategory=user)'
- '(objectClass=trustedDomain)'
- '(objectClass=computer)'
- '(objectClass=server)'
- '(objectClass=group)'
- '(objectClass=user)'
- '(primaryGroupID=521)'
- '(primaryGroupID=516)'
- '(primaryGroupID=515)'
- '(primaryGroupID=512)'
- 'Domain Admins'
- 'objectGUID=\*'
- '(schemaIDGUID=\*)'
- 'admincount=1'
distinguished_name_enumeration:
EventID: 30
SearchFilter: '(objectclass=\*)'
DistinguishedName|contains:
- 'CN=Domain Admins'
- 'CN=Enterprise Admins'
- 'CN=Group Policy Creator Owners'
suspicious_flag:
EventID: 30
SearchFilter|contains:
- '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
- '(userAccountControl:1.2.840.113556.1.4.803:=2097152)'
- '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
- '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
- '(userAccountControl:1.2.840.113556.1.4.803:=65536)'
- '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
- '(userAccountControl:1.2.840.113556.1.4.803:=544)'
- '!(UserAccountControl:1.2.840.113556.1.4.803:=2)'
- 'msDS-AllowedToActOnBehalfOfOtherIdentity'
- 'msDS-AllowedToDelegateTo'
- 'msDS-GroupManagedServiceAccount'
- '(accountExpires=9223372036854775807)'
- '(accountExpires=0)'
- '(adminCount=1)'
- 'ms-MCS-AdmPwd'
narrow_down_filter:
EventID: 30
SearchFilter|contains:
- '(domainSid=*)'
- '(objectSid=*)'
condition: (generic_search and not narrow_down_filter) or suspicious_flag or distinguished_name_enumeration
level: medium
title: Addition of SID History to Active Directory Object
id: 2632954e-db1c-49cb-9936-67d1ef1d17d2
status: stable
description: An attacker can use the SID history attribute to gain additional privileges.
references:
- https://adsecurity.org/?p=1772
author: Thomas Patzke, @atc_project (improvements)
date: 2017-02-19
tags:
- attack.persistence
- attack.privilege-escalation
- attack.stealth
- attack.t1134.005
logsource:
product: windows
service: security
detection:
selection1:
EventID:
- 4765
- 4766
selection2:
EventID: 4738
selection3:
SidHistory:
- '-'
- '%%1793'
filter_null:
SidHistory:
condition: selection1 or (selection2 and not selection3 and not filter_null)
falsepositives:
- Migration of an account into a new domain
level: medium
title: Active Directory Computers Enumeration With Get-AdComputer
id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
status: test
description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
references:
- https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
- https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md
author: frack113
date: 2022-03-17
modified: 2023-07-08
tags:
- attack.discovery
- attack.t1018
- attack.t1087.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains: 'Get-AdComputer '
selection_option:
ScriptBlockText|contains:
- '-Filter '
- '-LDAPFilter '
- '-Properties '
condition: all of selection_*
falsepositives:
- Unknown
level: low
title: Active Directory Group Enumeration With Get-AdGroup
id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee
status: test
description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
author: frack113
date: 2022-03-17
modified: 2022-11-17
tags:
- attack.discovery
- attack.t1069.002
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'Get-AdGroup '
- '-Filter'
condition: selection
falsepositives:
- Unknown
level: low
title: Active Directory Certificate Services Denied Certificate Enrollment Request
id: 994bfd6d-0a2e-481e-a861-934069fcf5f5
status: test
description: |
Detects denied requests by Active Directory Certificate Services.
Example of these requests denial include issues with permissions on the certificate template or invalid signatures.
references:
- https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd299871(v=ws.10)
- https://www.gradenegger.eu/en/details-of-the-event-with-id-53-of-the-source-microsoft-windows-certificationauthority/
author: '@SerkinValery'
date: 2024-03-07
tags:
- attack.credential-access
- attack.defense-impairment
- attack.t1553.004
logsource:
product: windows
service: system
detection:
selection:
Provider_Name: 'Microsoft-Windows-CertificationAuthority'
EventID: 53
condition: selection
falsepositives:
- Unknown
level: low