Find sigma rule

Attack: Permission Groups Discovery: Domain Groups

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.

MITRE

Tactic

discovery

technique

T1069.002

Test : Active Directory Enumeration with LDIFDE

OS

windows

Description:

Output information from Active Directory to a specified file. Ldifde is a CLI tool for creating, modifying and deleting directory objects. The test is derived from the CISA Report on Voly Typhoon. Reference: https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

Executor

command_prompt

Sigma Rule

proc_creation_win_ldifde_export.yml (id: 4f7a6757-ff79-46db-9687-66501a02d9ec)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test