Microsoft Net.exe utility can be used to enumerate local and domain users and groups [a must to do for any attacker trying to get answers for who/where/what/etc. to complete the objectives].
Famous detection techniques for users enumeration with the net.exe utility are limited to processes's command line value and process name verification (i.e. process_name:net.exe and/or commandLine:.*net.*users.*). which is a vulnerable/weak detection and can be bypassed by simply renaming the process name or introducing special obfuscation characters in the command line (i.e. ^, set x, environment variables etc.)
In this post we will be using event ID 4661 to detect enumeration attempts of known privileged AD accounts/groups:
- Enterprise Admins
- Domain Admins
- Administrators group
- Administrator
- etc
You will need to enable this event on all your domain controllers (expected target for any domain user enumeration). Note that this method can also detect user enumeration with other utilities/tools.
Detection Logic:
Look for event 4661 with Messgae body containing known AD privileged groups/accounts SID values. Example of IBM Qradar AQL query:
select "SourceUserName", "ObjectType", "ObjectName" from events where "EventID"=4661 and not (SourceUserName IMATCHES '.*\$') and (UTF8(payload) IMATCHES '.*S-1-5-21-.*-(512|502|500|505|519|520|544|551|555).*') last 180 DAYS
References:
https://support.microsoft.com/en-us/help/243330/well-known-security-identifiers-in-windows-operating-systems
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4661
No comments:
Post a Comment