Find sigma rule
Attack: Account Discovery: Domain Account
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain
and net group /domain
of the Net utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)
MITRE
Tactic
- discovery
technique
- T1087.002
Test : Get-DomainUser with PowerView
OS
- windows
Description:
Utilizing PowerView, run Get-DomainUser to identify the domain users. Upon execution, Users within the domain will be listed.
Executor
powershell
Sigma Rule
-
proc_creation_win_susp_web_request_cmd_and_cmdlets.yml (id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d)
-
proc_creation_win_powershell_non_interactive_execution.yml (id: f4bbd493-b796-416e-bbf2-121235348529)
-
proc_creation_win_susp_progname.yml (id: efdd8dd5-cee8-4e59-9390-7d4d5e4dd6f6)
-
posh_ps_powerview_malicious_commandlets.yml (id: dcd74b95-3f36-4ed9-9598-0490951643aa)
-
posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
-
posh_ps_malicious_commandlets.yml (id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6)
-
posh_ps_susp_keywords.yml (id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf)
-
posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)
-
posh_ps_directoryservices_accountmanagement.yml (id: b29a93fb-087c-4b5b-a84d-ee3309e69d08)
-
posh_ps_request_kerberos_ticket.yml (id: a861d835-af37-4930-bcd6-5b178bfb54df)
-
posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)
-
posh_ps_invoke_command_remote.yml (id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6)
-
net_connection_win_susp_file_sharing_domains_susp_folders.yml (id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97)
-
net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)