Find sigma rule

Attack: Permission Groups Discovery: Domain Groups

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.

MITRE

Tactic

discovery

technique

T1069.002

Test : Elevated group enumeration using net group (Domain)

OS

windows

Description:

Runs “net group” command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.

Executor

command_prompt

Sigma Rule

proc_creation_win_net_execution.yml (id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test