Find sigma rule

Attack: Permission Groups Discovery: Domain Groups

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain-level groups.

MITRE

Tactic

discovery

technique

T1069.002

Test : Enumerate Active Directory Groups with ADSISearcher

OS

windows

Description:

The following Atomic test will utilize ADSISearcher to enumerate groups within Active Directory. Upon successful execution a listing of groups will output with their paths in AD. Reference: https://devblogs.microsoft.com/scripting/use-the-powershell-adsisearcher-type-accelerator-to-search-active-directory/

Executor

powershell

Sigma Rule

proc_creation_win_pua_adfind_susp_usage.yml (id: 9a132afa-654e-11eb-ae93-0242ac130002)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test