Submitted URL: https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
Effective URL: https://www.patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
Submission: On July 22 via api from US — Scanned from DE

PATRICK BAREISS


IT SECURITY BLOG
DETECTING LOCAL USER CREATION IN AD WITH SIGMA

April 18, 2019 / August 12, 2019 | admin | Sigma, Splunk, Use Case

In this blog post, I will introduce a new Sigma Use Case that detects local user
creation in an Active Directory (AD) environment. Creating a new user generates a
Windows Event Log entry of type Security with Event Code 4720. In an AD
environment, only domain controllers should create these Windows Event Logs.

By monitoring Event Code 4720 on non-domain-controller hosts, we are able to
detect local user creation on Windows servers:

title: Detects local user creation
description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
tags:
    - attack.privilege_escalation
    - attack.t1078
references:
    - http://www.patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
    condition: selection
fields:
    - EventCode
    - Account_Name
    - Account_Domain
falsepositives:
    - Domain Controller Logs
level: high
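The rule's logic, as an added example that is not part of the original post: the selection (EventCode 4720) is applied to constructed Splunk-style key=value events, and hosts listed as domain controllers are suppressed, which is the false positive the rule's falsepositives field names. The domain controller hostnames and the sample events are assumptions made for the example.

```python
import re

# Assumed domain controller hostnames for this example; a 4720 from one of
# these is expected and is not alerted on, as the rule's falsepositives advise.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed sample events in the key=value shape Splunk extracts from
# Windows Security logs (host, EventCode, Account_Name, Account_Domain).
SAMPLE_LOG = """\
host=DC01 EventCode=4720 Account_Name=jdoe Account_Domain=CORP
host=WEB01 EventCode=4720 Account_Name=backup Account_Domain=WEB01
host=WEB01 EventCode=4624 Account_Name=svc_web Account_Domain=CORP
host=FILE01 EventCode=4720 Account_Name=tmpadm Account_Domain=FILE01
"""

# key=value pairs; values may be double-quoted to allow spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(text):
    """Turn each non-empty key=value line into a dict of its fields."""
    return [{k: v.strip('"') for k, v in KV_RE.findall(line)}
            for line in text.splitlines() if line.strip()]


def matches_rule(event):
    """Sigma selection: EventID 4720 (the EventCode field in Splunk)."""
    try:
        return int(event.get("EventCode", -1)) == 4720
    except ValueError:
        return False


def detect_local_user_creation(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return the rule's listed fields for every 4720 on a non-DC host."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        if ev.get("host", "").upper() in domain_controllers:
            continue  # user creation on a DC is expected; do not alert
        hits.append({k: ev.get(k) for k in
                     ("host", "EventCode", "Account_Name", "Account_Domain")})
    return hits


if __name__ == "__main__":
    for hit in detect_local_user_creation(parse_log(SAMPLE_LOG)):
        print(hit)
```

Running the block reports the two creations on WEB01 and FILE01 and stays silent on the one from DC01.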


In order to test it, we create a local user on a non-domain-controller host:

Subsequently, we run the Sigma Use Case in Splunk and are able to detect the
event:

Thank you for reading.
