Submitted URL: https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
Effective URL: https://www.patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
Submission: On February 03 via api from US — Scanned from DE
Detecting Local User Creation in AD with Sigma
April 18, 2019 / August 12, 2019 | admin | Sigma, Splunk, Use Case

In this blog post, I will introduce a new Sigma Use Case detecting local user creation in an Active Directory (AD) environment. The creation of a new user produces a Windows Security event log entry with Event Code 4720. In an AD environment, only domain controllers should generate these events. By monitoring Event ID 4720 on hosts that are not domain controllers, we are able to detect local user creation on Windows servers:

```yaml
title: Detects local user creation
description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs.
tags:
    - attack.privilege_escalation
    - attack.t1078
references:
    - http://www.patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
author: Patrick Bareiss
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4720
    condition: selection
fields:
    - EventCode
    - Account_Name
    - Account_Domain
falsepositives:
    - Domain Controller Logs
level: high
```

In order to test it, we create a local user on a non-domain controller. Subsequently, we run the Sigma Use Case in Splunk and are able to detect the event.

Thank you for reading.
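The rule's logic, as an added example that is not part of the original post: a small Python evaluator applies the `selection: EventID: 4720` match to constructed sample events, skips hosts from an assumed domain-controller inventory (the false positive the rule lists), and additionally flags whether the created account is local by comparing `Account_Domain` to the host name, a check that goes beyond the rule itself. The host list and the events are constructed for illustration.

```python
"""Evaluate the 4720 Sigma rule against sample Windows Security events.

Added example, not the blog's code. The DC inventory and the events
below are constructed; field names follow the rule's `fields:` list.
"""

# Assumed host inventory: the domain controllers to exclude (hypothetical names).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed sample events in the flat key/value shape Splunk extracts
# from the Windows Security log.
SAMPLE_EVENTS = [
    {"host": "DC01", "EventCode": "4720", "Account_Name": "jdoe", "Account_Domain": "CORP"},
    {"host": "FILESRV01", "EventCode": "4720", "Account_Name": "backup", "Account_Domain": "FILESRV01"},
    {"host": "FILESRV01", "EventCode": "4624", "Account_Name": "svc_backup", "Account_Domain": "CORP"},
    {"host": "WEB01", "EventCode": "4720", "Account_Name": "tmpadmin", "Account_Domain": "WEB01"},
]


def matches_selection(event: dict) -> bool:
    """The rule's `selection`: a Security log event with EventID 4720.
    Splunk exposes the ID as EventCode, so both spellings are accepted."""
    code = event.get("EventCode", event.get("EventID"))
    return str(code) == "4720"


def detect_local_user_creation(events, domain_controllers):
    """Return the rule's output fields for each 4720 event from a non-DC host.

    Events from domain controllers are skipped, because user creation on a DC
    is expected in AD and is exactly the false positive the rule describes.
    `is_local` is an added enrichment: a created account whose domain equals
    the host name is a local (SAM) account rather than a domain account."""
    hits = []
    for ev in events:
        if ev.get("host") in domain_controllers or not matches_selection(ev):
            continue
        hit = {k: ev.get(k) for k in ("host", "EventCode", "Account_Name", "Account_Domain")}
        hit["is_local"] = str(ev.get("Account_Domain", "")).upper() == str(ev.get("host", "")).upper()
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in detect_local_user_creation(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(hit)
```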