Find sigma rule

Attack: Account Discovery: Domain Account

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)

MITRE

Tactic

discovery

technique

T1087.002

Test : Enumerate Linked Policies In ADSISearcher Discovery

OS

windows

Description:

The following Atomic test will utilize ADSISearcher to enumerate organizational unit within Active Directory. Upon successful execution a listing of users will output with their paths in AD. Reference: https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81

Executor

powershell

Sigma Rule

posh_pm_susp_local_group_reco.yml (id: cef24b90-dddc-4ae1-a09a-8764872f69fc)
proc_creation_win_powershell_cmdline_special_characters.yml (id: d7bcd677-645d-4691-a8d4-7a5602b780d1)
proc_creation_win_pua_adfind_susp_usage.yml (id: 9a132afa-654e-11eb-ae93-0242ac130002)
net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test