Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Hunting Queries/SecurityEvent/RIDHijacking.yaml

20 строки
865 B
YAML
Исходник Постоянная ссылка Ответственный История

id: fcdeec10-6948-11ec-90d6-0242ac120003
name: RID Hijacking
description: |
'This query detects all authentication attempts of non administrator accounts that their RID is ending in *-500.
Ref: https://stealthbits.com/blog/rid-hijacking-when-guests-become-admins/'
requiredDataConnectors:
- connectorId: SecurityEvents
dataTypes:
- SecurityEvent
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |
// Enter a reference list of default local administrators for your Windows systems
let LocalAdminsList = dynamic (["administrator","admin"]);
SecurityEvent
| where EventID in (4624,4625) and TargetUserSid endswith "-500" and TargetUserName !in (LocalAdminsList)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by Computer, TargetUserName, TargetUserSid, TargetLogonId, IpAddress, LogonTypeName
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку