Attack: Account Discovery: Domain Account
Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior such as targeting specific accounts which possess particular privileges.
Commands such as net user /domain and net group /domain of the Net utility, dscacheutil -q group on macOS, and ldapsearch on Linux can list domain users and groups. PowerShell cmdlets including Get-ADUser and Get-ADGroupMember may enumerate members of Active Directory groups. (Citation: CrowdStrike StellarParticle January 2022)
MITRE
Tactic
- discovery
technique
- T1087.002
Test: WinPwn - generaldomaininfo
OS
- windows
Description:
Gathers general domain information using the generaldomaininfo function of WinPwn
Executor
powershell
Sigma Rule
- posh_pm_susp_local_group_reco.yml (id: cef24b90-dddc-4ae1-a09a-8764872f69fc)
- proc_creation_win_powershell_non_interactive_execution.yml (id: f4bbd493-b796-416e-bbf2-121235348529)
- proc_creation_win_powershell_download_iex.yml (id: 85b0b087-eddf-4a2b-b033-d771fa2b9775)
- proc_creation_win_powershell_download_cradles.yml (id: 6e897651-f157-4d8f-aaeb-df8151488385)
- proc_creation_win_powershell_susp_download_patterns.yml (id: e6c54d94-498c-4562-a37c-b469d8e9a275)
- proc_creation_win_powershell_download_patterns.yml (id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7)
- proc_creation_win_susp_web_request_cmd_and_cmdlets.yml (id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d)
- posh_ps_web_request_cmd_and_cmdlets.yml (id: 1139d2e2-84b1-4226-b445-354492eba8ba)
- posh_ps_susp_invocation_specific.yml (id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71)
- posh_pm_susp_invocation_specific.yml (id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090)
- posh_ps_malicious_commandlets.yml (id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6)
- posh_ps_detect_vm_env.yml (id: d93129cd-1ee0-479f-bc03-ca6f129882e3)
- posh_ps_win_api_susp_access.yml (id: 03d83090-8cba-44a0-b02f-0b756a050306)
- posh_ps_susp_get_current_user.yml (id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a)
- posh_ps_susp_download.yml (id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb)
- posh_ps_susp_keywords.yml (id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf)
- posh_ps_malicious_keywords.yml (id: f62176f3-8128-4faa-bf6c-83261322e5eb)
- posh_ps_nishang_malicious_commandlets.yml (id: f772cee9-b7c2-4cb2-8f07-49870adc02e0)
- posh_ps_susp_get_process.yml (id: af4c87ce-bdda-4215-b998-15220772e993)
- posh_ps_susp_getprocess_lsass.yml (id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb)
- file_event_win_powershell_exploit_scripts.yml (id: f331aa1f-8c53-4fc3-b083-cc159bc971cb)
- posh_ps_automated_collection.yml (id: c1dda054-d638-4c16-afc8-53e007f3fbc5)
- posh_ps_software_discovery.yml (id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282)
- posh_ps_localuser.yml (id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c)
- posh_ps_susp_local_group_reco.yml (id: fa6a5a45-3ee2-4529-aa14-ee5edc9e29cb)
- posh_ps_susp_extracting.yml (id: bd5971a7-626d-46ab-8176-ed643f694f68)
- posh_ps_dump_password_windows_credential_manager.yml (id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc)
- posh_ps_powerview_malicious_commandlets.yml (id: dcd74b95-3f36-4ed9-9598-0490951643aa)
- posh_ps_timestomp.yml (id: c6438007-e081-42ce-9483-b067fbef33c3)
- net_connection_win_susp_file_sharing_domains_susp_folders.yml (id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97)
- net_connection_win_powershell_network_connection.yml (id: 1f21ec3f-810d-4b0e-8045-322202e22b4b)
- posh_ps_directoryservices_accountmanagement.yml (id: b29a93fb-087c-4b5b-a84d-ee3309e69d08)
- posh_ps_susp_new_psdrive.yml (id: 1c563233-030e-4a07-af8c-ee0490a66d3a)
- posh_ps_remove_item_path.yml (id: b8af5f36-1361-4ebe-9e76-e36128d947bf)
- posh_ps_request_kerberos_ticket.yml (id: a861d835-af37-4930-bcd6-5b178bfb54df)
- posh_ps_invoke_command_remote.yml (id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6)
- posh_pm_bad_opsec_artifacts.yml (id: 8d31a8ce-46b5-4dd6-bdc3-680931f1db86)