Skip to content

Add Active Directory / Kerberos attack detection rules#6093

Open
einlamye wants to merge 4 commits into
SigmaHQ:masterfrom
einlamye:sigma-pr4-ad-kerberos-detections
Open

Add Active Directory / Kerberos attack detection rules#6093
einlamye wants to merge 4 commits into
SigmaHQ:masterfrom
einlamye:sigma-pr4-ad-kerberos-detections

Conversation

@einlamye

Copy link
Copy Markdown
Contributor

Summary of the Pull Request

Adds detection coverage for several common Active Directory and Kerberos attacks that were not yet covered, primarily via the Windows Security event log. Includes named-CVE techniques (Zerologon CVE-2020-1472, noPac CVE-2021-42278/42287), AD CS ESC1, authentication coercion, NTLM relay of machine accounts, Kerberos DES downgrade, MachineAccountQuota abuse, and Resource-Based Constrained Delegation (RBCD) attribute modification.

Changelog

new: Certificate-Based TGT Request for User Account - Potential ADCS ESC1 Abuse
new: Authentication Coercion via Named Pipe Access by Anonymous Logon
new: Computer Account Created by User Account - Potential MachineAccountQuota Abuse
new: Kerberos DES Encryption Downgrade - Potential Forged Ticket
new: Machine Account sAMAccountName Spoofing - Potential noPac (CVE-2021-42278)
new: NTLM Network Logon by Machine Account - Potential Coerced Relay
new: Resource-Based Constrained Delegation Attribute Modified
new: Domain Controller Machine Account Password Change by Anonymous - Potential Zerologon

Example Log Event

Fixed Issues

SigmaHQ Rule Creation Conventions

  • If your PR adds new rules, please consider following and applying these conventions

@github-actions github-actions Bot added Rules Review Needed The PR requires review Windows Pull request add/update windows related rules labels Jun 29, 2026
einlamye and others added 3 commits July 2, 2026 09:57
Fixes SigmahqTagsTechniquesWithoutTacticsIssue: technique tags require
their full set of mapped tactics.
- t1557.001: add attack.collection (ntlm_relay, coercion_named_pipe)
- t1078.002: add attack.initial-access, attack.persistence, attack.stealth
  (adcs_esc1, nopac)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Review Needed The PR requires review Rules Windows Pull request add/update windows related rules

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant