AD Privileged Users or Groups Reconnaissance

Severity: high
Author: Samir Bousseaden
Source: upstream

Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1087.002` Account Discovery: Domain Account

Event coverage

Provider	Event ID	Title
Security-Auditing	4661	A handle to an object was requested.

Stages and Predicates

Stage 1: `selection`

ObjectType: [SAM_GROUP, SAM_USER]

Stage 2: `selection_object`

or:
ObjectName|endswith: -500
ObjectName|endswith: -502
ObjectName|endswith: -505
ObjectName|endswith: -512
ObjectName|endswith: -519
ObjectName|endswith: -520
ObjectName|endswith: -544
ObjectName|endswith: -551
ObjectName|endswith: -555
ObjectName|contains: admin

Stage 3: `not filter`

SubjectUserName|endswith: '$'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ObjectName`	ends_with	`-500` corpus 2 (sigma 2) `-502` `-505` `-512` corpus 2 (sigma 2) `-519` `-520` `-544` `-551` `-555`
`ObjectName`	match	`admin`
`ObjectType`	eq	`SAM_GROUP` corpus 2 (sigma 2) `SAM_USER` corpus 2 (sigma 2)
`SubjectUserName`	ends_with	`$` corpus 18 (sigma 14, elastic 4)

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.

Reconnaissance Activity [sigma] (adds 3 filters) (first-stage match only; downstream stages may differ)