Find sigma rule

Attack: Account Discovery: Domain Account

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)

MITRE

Tactic

discovery

technique

T1087.002

Test : Adfind - Enumerate Active Directory Exchange AD Objects

OS

windows

Description:

Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html

Executor

command_prompt

Sigma Rule

proc_creation_win_pua_adfind_enumeration.yml (id: 455b9d50-15a1-4b99-853f-8d37655a4c1b)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test