Find sigma rule 
Attack: Remote System Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or net view using Net.
Adversaries may also analyze data from local host files (ex: C:\Windows\System32\Drivers\etc\hosts or /etc/hosts) or other passive means (such as local Arp cache entries) in order to discover the presence of remote systems in an environment.
Adversaries may also target discovery of network infrastructure as well as leverage Network Device CLI commands on network devices to gather detailed information about systems within a network (e.g. show cdp neighbors, show arp).(Citation: US-CERT-TA18-106A)(Citation: CISA AR21-126A FIVEHANDS May 2021)
MITRE
Tactic
- discovery
technique
- T1018
Test : Enumerate domain computers within Active Directory using DirectorySearcher
OS
- windows
Description:
This test is a Powershell script that enumerates Active Directory to determine computers that are joined to the domain. This test is designed to mimic how SessionGopher can determine the additional systems within a domain, which has been used before by threat actors to aid in lateral movement. Reference: Head Fake: Tackling Disruptive Ransomware Attacks. Upon successful execution, this test will output the names of the computers that reside on the domain to the console window.
Executor
powershell
Sigma Rule
-
proc_creation_win_pua_adfind_susp_usage.yml (id: 9a132afa-654e-11eb-ae93-0242ac130002)
-
posh_ps_directorysearcher.yml (id: 1f6399cf-2c80-4924-ace1-6fcff3393480)