Potential AD User Enumeration From Non-Machine Account

Severity: medium
Author: Maxime Thiebaut (@0xThiebaut)
Source: upstream

Detects read access to a domain user from a non-machine account

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1087.002` Account Discovery: Domain Account

Event coverage

Provider	Event ID	Title
Security-Auditing	4662	An operation was performed on an object.

Stages and Predicates

Stage 1: `selection`

or:
AccessMask|endswith: '1?'
AccessMask|endswith: '3?'
AccessMask|endswith: '4?'
AccessMask|endswith: '7?'
AccessMask|endswith: '9?'
AccessMask|endswith: 'B?'
AccessMask|endswith: 'D?'
AccessMask|endswith: 'F?'
ObjectType|contains: 'bf967aba-0de6-11d0-a285-00aa003049e2'

Stage 2: `not 1 of filter_main_*`

or:
SubjectUserName|endswith: '$'
SubjectUserName|startswith: MSOL_

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`AccessMask`	ends_with	`1?` `3?` `4?` `7?` `9?` `B?` `D?` `F?`
`ObjectType`	match	`bf967aba-0de6-11d0-a285-00aa003049e2`
`SubjectUserName`	ends_with	`$` corpus 18 (sigma 14, elastic 4)
`SubjectUserName`	starts_with	`MSOL_` corpus 3 (sigma 3)