Find sigma rule
Attack: Account Discovery: Domain Account
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain
and net group /domain
of the Net utility, dscacheutil -q group
on macOS, and ldapsearch
on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser
and Get-ADGroupMember
may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)
MITRE
Tactic
- discovery
technique
- T1087.002
Test : Automated AD Recon (ADRecon)
OS
- windows
Description:
ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed.
Executor
powershell
Sigma Rule
- posh_ps_adrecon_execution.yml (id: bf72941a-cba0-41ea-b18c-9aca3925690d)