PATRICK BAREISS


IT SECURITY BLOG

DETECTING LOCAL USER CREATION IN AD WITH SIGMA

April 18, 2019 (last updated August 12, 2019) | admin | Sigma, Splunk, Use Case

In this blog post, I introduce a new Sigma use case that detects local user
creation in an Active Directory (AD) environment. Creating a user account writes
an event with ID 4720 ("A user account was created") to the Security log of the
machine on which the account was created. Domain accounts are created on domain
controllers, so in a well-managed AD environment 4720 should only appear in
domain controller logs; a 4720 on a member server or workstation means a local
(SAM) account was created on that host.

By monitoring event 4720 on non domain controllers, we can therefore detect
local user creation on Windows servers:

title: Detects local user creation
description: Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma use case to your Windows server logs and not to your DC logs.
tags:
    - attack.privilege_escalation
    - attack.t1078
    - attack.persistence
    - attack.t1136.001    # Create Account: Local Account
references:
    - http://www.patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720     # "A user account was created"
    condition: selection
fields:
    # Field names as extracted by the Splunk Windows TA. On 4720 Account_Name is
    # multivalued: the subject that created the account and the new account itself.
    # In generic Sigma naming these are SubjectUserName / TargetUserName / TargetDomainName.
    - EventCode
    - Account_Name
    - Account_Domain
falsepositives:
    - Domain Controller Logs (4720 there is normal domain account creation)
level: high
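The following is an added example, not code from the original post: it applies the rule's selection (EventID 4720) to a few constructed Windows Security events, drops the documented false positive (domain controller logs) and adds the cross-check a practitioner usually wants, namely that the "New Account" domain in the event body is the creating host's own NetBIOS name, which is what 4720 records for a local SAM account, whereas a domain account created on a DC carries the domain's NetBIOS name. The hostnames, SIDs, account names and the DC inventory are all assumptions made up for the example; the message layout follows the real 4720 text.

```python
"""Added example (not from the original post): run the post's Sigma selection
(EventID 4720) over constructed Windows Security events, skip domain
controller logs and verify that the created account is really a local one."""

# Constructed 4720 message text in the layout the Windows Security log uses.
# Splunk's WinEventLog extraction turns the "Account Name" lines into the
# multivalued field Account_Name that the rule's `fields` list refers to.
MSG_LOCAL = """A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-500
\tAccount Name:\t\tAdministrator
\tAccount Domain:\t\tWEB01
\tLogon ID:\t\t0x3E7

New Account:
\tSecurity ID:\t\tS-1-5-21-1111-2222-3333-1005
\tAccount Name:\t\tsvc_backup
\tAccount Domain:\t\tWEB01
"""

MSG_DOMAIN = """A user account was created.

Subject:
\tSecurity ID:\t\tS-1-5-21-4444-5555-6666-1104
\tAccount Name:\t\thelpdesk
\tAccount Domain:\t\tCORP
\tLogon ID:\t\t0x5B2C1

New Account:
\tSecurity ID:\t\tS-1-5-21-4444-5555-6666-2201
\tAccount Name:\t\tjdoe
\tAccount Domain:\t\tCORP
"""

# Constructed events (hostnames and domain are assumptions for the example).
SAMPLE_EVENTS = [
    {"Computer": "DC01.corp.example", "EventID": 4720, "Message": MSG_DOMAIN},
    {"Computer": "WEB01.corp.example", "EventID": 4720, "Message": MSG_LOCAL},
    {"Computer": "WEB01.corp.example", "EventID": 4624,
     "Message": "An account was successfully logged on."},
    {"Computer": "DC01.corp.example", "EventID": 4726,
     "Message": "A user account was deleted."},
]

# Assumed DC inventory; in practice this comes from AD or the CMDB.
DOMAIN_CONTROLLERS = {"DC01.corp.example"}


def parse_sections(message):
    """Split a Security event message into {section: {key: value}}.
    Unindented lines ending in ':' open a section; tab-indented
    'Key:<tabs>Value' lines belong to the current section."""
    sections, current = {}, None
    for line in message.splitlines():
        if not line.strip():
            continue
        if not line.startswith("\t") and line.endswith(":"):
            current = line[:-1]
            sections[current] = {}
        elif line.startswith("\t") and current is not None:
            key, _, value = line.strip().partition(":")
            sections[current][key.strip()] = value.strip()
    return sections


def matches_rule(event):
    """The Sigma selection from the post: EventID 4720, nothing else."""
    return event.get("EventID") == 4720


def is_local_account(event):
    """Cross-check that does not depend on the DC inventory: for a local (SAM)
    account the 'New Account' domain equals the creating host's NetBIOS name."""
    new = parse_sections(event["Message"]).get("New Account", {})
    host_netbios = event["Computer"].split(".")[0].upper()
    return new.get("Account Domain", "").upper() == host_netbios


def run_rule(events, domain_controllers):
    """Apply the rule to non-DC logs only, as the post instructs, and return
    the rule's output fields plus who created the account for each hit."""
    alerts = []
    for ev in events:
        if not matches_rule(ev) or ev["Computer"] in domain_controllers:
            continue
        s = parse_sections(ev["Message"])
        alerts.append({
            "Computer": ev["Computer"],
            "EventID": ev["EventID"],
            "Account_Name": s.get("New Account", {}).get("Account Name"),
            "Account_Domain": s.get("New Account", {}).get("Account Domain"),
            "Created_By": s.get("Subject", {}).get("Account Name"),
            "local_account": is_local_account(ev),
        })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(alert)
```

Run as is, the script reports only the svc_backup account created on WEB01; the jdoe creation on DC01 matches the bare selection but is excluded because DC01 is in the inventory, and `is_local_account` would also reject it because its account domain is CORP rather than DC01. Keeping both checks guards against a DC that is missing from the inventory and against a 4720 arriving from an unexpected log source.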


To test the rule, we create a local user on a non domain controller and then run
the converted Sigma use case in Splunk, which returns the resulting 4720 event.

Thank you for reading.
