Find sigma rule

Attack: Account Discovery: Domain Account

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.

Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q groupon macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups.(Citation: CrowdStrike StellarParticle January 2022)

MITRE

Tactic

discovery

technique

T1087.002

Test : Wevtutil - Discover NTLM Users Remote

OS

windows

Description:

This test discovers users who have authenticated against a Domain Controller via NTLM. This is done remotely via wmic and captures the event code 4776 from the domain controller and stores the ouput in C:\temp. Reference

Executor

powershell

Sigma Rule

proc_creation_win_wmic_susp_process_creation.yml (id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8)
proc_creation_win_powershell_susp_child_processes.yml (id: e4b6d2a7-d8a4-4f19-acbd-943c16d90647)
proc_creation_win_wmic_uninstall_application.yml (id: b53317a0-8acf-4fd1-8de8-a5401e776b96)
proc_creation_win_wmic_process_creation.yml (id: 526be59f-a573-4eea-b5f7-f0973207634d)
proc_creation_win_wmic_remote_execution.yml (id: 7773b877-5abb-4a3e-b9c9-fd0369b59b00)

back

sigma_redcanaryco

Knowing which rule should trigger according to the redcannary test