Find sigma rule
Attack: Account Discovery: Domain Account
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. (Citation: CrowdStrike StellarParticle January 2022)
MITRE
Tactic
- discovery
Technique
- T1087.002
Test: Enumerate Linked Policies In ADSISearcher Discovery
OS
- windows
Description:
The following Atomic test uses ADSISearcher to enumerate organizational units within Active Directory. Upon successful execution, a listing of users is output together with their paths in AD. Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
Executor
powershell
Sigma Rule
- posh_pm_susp_local_group_reco.yml (id: cef24b90-dddc-4ae1-a09a-8764872f69fc)
- proc_creation_win_powershell_cmdline_special_characters.yml (id: d7bcd677-645d-4691-a8d4-7a5602b780d1)
- proc_creation_win_pua_adfind_susp_usage.yml (id: 9a132afa-654e-11eb-ae93-0242ac130002)
- net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)