Find sigma rule

Attack: Permission Groups Discovery: Domain Groups

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.

MITRE

Tactic

discovery

technique

T1069.002

Test : Enumerate Active Directory Groups with Get-AdGroup

OS

windows

Description:

The following Atomic test will utilize Get-AdGroup to enumerate groups within Active Directory. Upon successful execution a listing of groups will output with their paths in AD. Reference: https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2022-ps

Executor

powershell

Sigma Rule

posh_pm_susp_ad_group_reco.yml (id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4)
proc_creation_win_powershell_non_interactive_execution.yml (id: f4bbd493-b796-416e-bbf2-121235348529)
posh_ps_get_adgroup.yml (id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee)
net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test