Find sigma rule
Attack: Permission Groups Discovery: Domain Groups
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.
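As an added illustration (not part of this page's or the Sigma project's content), the following detection logic flags process-creation events whose command line is one of the three domain-group enumeration commands named above, while leaving the local-only `net localgroup` form alone. The event records and the hypothetical `classify`/`detect` helpers are constructed for this example.

```python
# Constructed sample process-creation events (not real telemetry):
# (host, parent image, command line).
SAMPLE_EVENTS = [
    ("ws01", "cmd.exe", "net group /domain"),
    ("ws01", "cmd.exe", 'net group "Domain Admins" /domain'),
    ("ws02", "powershell.exe", "net localgroup administrators"),
    ("mac01", "zsh", "dscacheutil -q group"),
    ("lnx01", "bash", "ldapsearch -x -b dc=example,dc=local '(objectClass=group)'"),
    ("ws03", "explorer.exe", "notepad.exe C:\\notes.txt"),
]


def classify(cmdline):
    """Return a label when the command line matches a domain-group
    enumeration command from the technique description, else None.
    Matching is case-insensitive and ignores any path prefix on the image."""
    lowered = cmdline.lower()
    tokens = lowered.split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1]
    # net.exe hands the real work to net1.exe, so both images are covered.
    if exe in ("net", "net.exe", "net1", "net1.exe"):
        # "net group ... /domain" lists domain groups; "net localgroup"
        # is local-group discovery and deliberately not matched here.
        if len(tokens) >= 2 and tokens[1] == "group" and "/domain" in tokens:
            return "net_group_domain"
        return None
    if exe == "dscacheutil" and "-q" in tokens and "group" in tokens:
        return "dscacheutil_group"
    if exe == "ldapsearch" and "objectclass=group" in lowered:
        return "ldapsearch_group"
    return None


def detect(events):
    """Return (host, label, cmdline) for every event that classifies."""
    hits = []
    for host, _parent, cmdline in events:
        label = classify(cmdline)
        if label is not None:
            hits.append((host, label, cmdline))
    return hits


if __name__ == "__main__":
    for host, label, cmdline in detect(SAMPLE_EVENTS):
        print(f"{host}: {label}: {cmdline}")
```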
MITRE
Tactic
- discovery
technique
- T1069.002
Test: Find Local Admins via Group Policy (PowerView)
OS
- windows
Description:
Takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed.
Executor
powershell
Sigma Rule
- posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)
- posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)