Find sigma rule

Attack: Account Discovery: Domain Account

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)

MITRE

Tactic

discovery

technique

T1087.002

Test : Enumerate Active Directory for Unconstrained Delegation

OS

windows

Description:

Attackers may attempt to query for computer objects with the UserAccountControl property ‘TRUSTED_FOR_DELEGATION’ (0x80000;524288) set More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user

Executor

powershell

Sigma Rule

posh_ps_powerview_malicious_commandlets.yml (id: dcd74b95-3f36-4ed9-9598-0490951643aa)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test