Find sigma rule
Attack: Account Discovery: Domain Account
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. (Citation: CrowdStrike StellarParticle January 2022)
MITRE
Tactic
- discovery
technique
- T1087.002
Test : Wevtutil - Discover NTLM Users Remote
OS
- windows
Description:
This test discovers users who have authenticated against a Domain Controller via NTLM. This is done remotely via wmic: it captures event ID 4776 from the domain controller and stores the output in C:\temp. Reference
Executor
powershell
Sigma Rule
- proc_creation_win_wmic_susp_process_creation.yml (id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8)
- proc_creation_win_powershell_susp_child_processes.yml (id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647)
- proc_creation_win_wmic_uninstall_application.yml (id: b53317a0-8acf-4fd1-8de8-a5401e776b96)
- proc_creation_win_wmic_process_creation.yml (id: 526be59f-a573-4eea-b5f7-f0973207634d)
- proc_creation_win_wmic_remote_execution.yml (id: 7773b877-5abb-4a3e-b9c9-fd0369b59b00)