Find sigma rule
Attack: Permission Groups Discovery: Domain Groups
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Commands such as net group /domain
of the Net utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain-level groups.
MITRE
Tactic
- discovery
technique
- T1069.002
Test : Get-ADUser Enumeration using UserAccountControl flags (AS-REP Roasting)
OS
- windows
Description:
When successful, accounts that do not require kerberos pre-auth will be returned. Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
Executor
powershell
Sigma Rule
-
posh_pm_susp_ad_group_reco.yml (id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4)
-
proc_creation_win_powershell_non_interactive_execution.yml (id: f4bbd493-b796-416e-bbf2-121235348529)
-
posh_ps_as_rep_roasting.yml (id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8)
-
net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)