Find sigma rule

Attack: Permission Groups Discovery: Domain Groups

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.

MITRE

Tactic

discovery

technique

T1069.002

Test : Enumerate Users Not Requiring Pre Auth (ASRepRoast)

OS

windows

Description:

When successful, accounts that do not require kerberos pre-auth will be returned

Executor

powershell

Sigma Rule

posh_pm_susp_ad_group_reco.yml (id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4)
posh_ps_susp_ad_group_reco.yml (id: 88f0884b-331d-403d-a3a1-b668cf035603)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test