Description

Monitor for activities and techniques associated with Discovery and Reconnaissance within Active Directory environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-08-20
  • Author: Mauricio Velazco, Splunk
  • ID: 8460679c-2b21-463e-b381-b813417c32f2

Narrative

Discovery consists of techniques an adversary uses to gain knowledge about an internal environment or network. These techniques provide adversaries with situational awareness and allow them to gather the necessary information before deciding how to act or who/what to target next.
Once an attacker obtains an initial foothold in an Active Directory environment, she is forced to engage in Discovery techniques in the initial phases of a breach to better understand and navigate the target network. Some examples include, but are not limited to, enumerating domain users, domain admins, computers, domain controllers, network shares, group policy objects, domain trusts, etc.

Detections

Name | Technique | Type
AdsiSearcher Account Discovery | Domain Account | TTP
DSQuery Domain Discovery | Domain Trust Discovery | TTP
Domain Account Discovery With Net App | Domain Account | TTP
Domain Account Discovery with Dsquery | Domain Account | Hunting
Domain Account Discovery with Wmic | Domain Account | TTP
Domain Controller Discovery with Nltest | Remote System Discovery | TTP
Domain Controller Discovery with Wmic | Remote System Discovery | Hunting
Domain Group Discovery With Dsquery | Domain Groups | Hunting
Domain Group Discovery With Net | Domain Groups | Hunting
Domain Group Discovery With Wmic | Domain Groups | Hunting
Domain Group Discovery with Adsisearcher | Domain Groups | TTP
Elevated Group Discovery With Net | Domain Groups | TTP
Elevated Group Discovery With Wmic | Domain Groups | TTP
Elevated Group Discovery with PowerView | Domain Groups | Hunting
Get ADDefaultDomainPasswordPolicy with Powershell | Password Policy Discovery | Hunting
Get ADDefaultDomainPasswordPolicy with Powershell Script Block | Password Policy Discovery | Hunting
Get ADUser with PowerShell | Domain Account | Hunting
Get ADUser with PowerShell Script Block | Domain Account | Hunting
Get ADUserResultantPasswordPolicy with Powershell | Password Policy Discovery | TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block | Password Policy Discovery | TTP
Get DomainPolicy with Powershell | Password Policy Discovery | TTP
Get DomainPolicy with Powershell Script Block | Password Policy Discovery | TTP
Get DomainUser with PowerShell | Domain Account | TTP
Get DomainUser with PowerShell Script Block | Domain Account | TTP
Get WMIObject Group Discovery | Local Groups | Hunting
Get WMIObject Group Discovery with Script Block Logging | Local Groups | Hunting
Get-DomainTrust with PowerShell | Domain Trust Discovery | TTP
Get-DomainTrust with PowerShell Script Block | Domain Trust Discovery | TTP
Get-ForestTrust with PowerShell | Domain Trust Discovery | TTP
Get-ForestTrust with PowerShell Script Block | Domain Trust Discovery | TTP
GetAdComputer with PowerShell | Remote System Discovery | Hunting
GetAdComputer with PowerShell Script Block | Remote System Discovery | Hunting
GetAdGroup with PowerShell | Domain Groups | Hunting
GetAdGroup with PowerShell Script Block | Domain Groups | Hunting
GetCurrent User with PowerShell | System Owner/User Discovery | Hunting
GetCurrent User with PowerShell Script Block | System Owner/User Discovery | Hunting
GetDomainComputer with PowerShell | Remote System Discovery | TTP
GetDomainComputer with PowerShell Script Block | Remote System Discovery | TTP
GetDomainController with PowerShell | Remote System Discovery | Hunting
GetDomainController with PowerShell Script Block | Remote System Discovery | TTP
GetDomainGroup with PowerShell | Domain Groups | TTP
GetDomainGroup with PowerShell Script Block | Domain Groups | TTP
GetLocalUser with PowerShell | Local Account | Hunting
GetLocalUser with PowerShell Script Block | Local Account | Hunting
GetNetTcpconnection with PowerShell | System Network Connections Discovery | Hunting
GetNetTcpconnection with PowerShell Script Block | System Network Connections Discovery | Hunting
GetWmiObject DS User with PowerShell | Domain Account | TTP
GetWmiObject DS User with PowerShell Script Block | Domain Account | TTP
GetWmiObject Ds Computer with PowerShell | Remote System Discovery | TTP
GetWmiObject Ds Computer with PowerShell Script Block | Remote System Discovery | TTP
GetWmiObject Ds Group with PowerShell | Domain Groups | TTP
GetWmiObject Ds Group with PowerShell Script Block | Domain Groups | TTP
GetWmiObject User Account with PowerShell | Local Account | Hunting
GetWmiObject User Account with PowerShell Script Block | Local Account | Hunting
Local Account Discovery With Wmic | Local Account | Hunting
Local Account Discovery with Net | Local Account | Hunting
NLTest Domain Trust Discovery | Domain Trust Discovery | TTP
Net Localgroup Discovery | Local Groups | Hunting
Network Connection Discovery With Arp | System Network Connections Discovery | Hunting
Network Connection Discovery With Net | System Network Connections Discovery | Hunting
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
Password Policy Discovery with Net | Password Policy Discovery | Hunting
PowerShell Get LocalGroup Discovery | Local Groups | Hunting
Powershell Get LocalGroup Discovery with Script Block Logging | Local Groups | Hunting
Remote System Discovery with Adsisearcher | Remote System Discovery | TTP
Remote System Discovery with Dsquery | Remote System Discovery | Hunting
Remote System Discovery with Net | Remote System Discovery | Hunting
Remote System Discovery with Wmic | Remote System Discovery | TTP
System User Discovery With Query | System Owner/User Discovery | Hunting
System User Discovery With Whoami | System Owner/User Discovery | Hunting
User Discovery With Env Vars PowerShell | System Owner/User Discovery | Hunting
User Discovery With Env Vars PowerShell Script Block | System Owner/User Discovery | Hunting
Wmic Group Discovery | Local Groups | Hunting
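The narrative above describes discovery as a cluster of enumeration activity that gives an attacker situational awareness, and the list above maps individual command-line tools to technique categories. The following is an added example, not Splunk's code or part of this story: a small Python classifier that tags endpoint process-creation events with the technique column used in this list, then correlates per host so that a single `net user` on one machine stays noise while several distinct techniques from the same host in one batch stand out. The rule patterns, the event field names (`dest`, `user`, `process_name`, `process`, chosen to mirror the Endpoint.Processes datamodel) and the sample events are all constructed assumptions; the real detections run as Splunk searches, not as this code.

```python
"""Tag process-creation events with the AD discovery techniques from this story
and correlate them per host. Added example; the rules are assumptions derived
from the detection names listed above, not Splunk's search logic."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str       # detection name as listed in the story
    technique: str  # technique column as listed in the story
    image: str      # regex on the process image name (mirrors Processes.process_name)
    cmdline: str    # regex on the full command line (mirrors Processes.process)

PS = r"^(powershell|pwsh)\.exe$"
NET = r"^net1?\.exe$"

# Order matters: classify() returns the first match, so narrower rules come first
# (e.g. elevated groups before generic domain groups, policy cmdlets before Get-ADUser).
RULES = [
    Rule("Domain Account Discovery With Net App", "Domain Account", NET, r"\buser\b.*/domain\b"),
    Rule("Elevated Group Discovery With Net", "Domain Groups", NET,
         r"\bgroup\b.*(domain|enterprise|schema) admins.*/domain\b"),
    Rule("Domain Group Discovery With Net", "Domain Groups", NET, r"\bgroup\b.*/domain\b"),
    Rule("Local Account Discovery with Net", "Local Account", NET, r"\buser\b(?!.*/domain)"),
    Rule("Net Localgroup Discovery", "Local Groups", NET, r"\blocalgroup\b"),
    Rule("Password Policy Discovery with Net", "Password Policy Discovery", NET, r"\baccounts\b"),
    Rule("NLTest Domain Trust Discovery", "Domain Trust Discovery", r"^nltest\.exe$", r"/domain_trusts"),
    Rule("Domain Controller Discovery with Nltest", "Remote System Discovery", r"^nltest\.exe$", r"/dclist"),
    Rule("DSQuery Domain Discovery", "Domain Trust Discovery", r"^dsquery\.exe$", r"trustedDomain"),
    Rule("Domain Account Discovery with Wmic", "Domain Account", r"^wmic\.exe$", r"\bds_user\b"),
    Rule("Domain Group Discovery With Wmic", "Domain Groups", r"^wmic\.exe$", r"\bds_group\b"),
    Rule("Remote System Discovery with Wmic", "Remote System Discovery", r"^wmic\.exe$", r"\bds_computer\b"),
    Rule("Local Account Discovery With Wmic", "Local Account", r"^wmic\.exe$", r"\buseraccount\b"),
    Rule("Get ADDefaultDomainPasswordPolicy with Powershell", "Password Policy Discovery", PS,
         r"\bGet-ADDefaultDomainPasswordPolicy\b"),
    Rule("Get ADUserResultantPasswordPolicy with Powershell", "Password Policy Discovery", PS,
         r"\bGet-ADUserResultantPasswordPolicy\b"),
    Rule("Get DomainPolicy with Powershell", "Password Policy Discovery", PS, r"\bGet-DomainPolicy\b"),
    Rule("Get DomainUser with PowerShell", "Domain Account", PS, r"\bGet-(AD|Domain)User\b"),
    Rule("Get DomainGroup with PowerShell", "Domain Groups", PS, r"\bGet-(AD|Domain)Group\b"),
    Rule("GetDomainComputer with PowerShell", "Remote System Discovery", PS,
         r"\bGet-((AD|Domain)Computer|DomainController)\b"),
    Rule("Get-DomainTrust with PowerShell", "Domain Trust Discovery", PS, r"\bGet-(Domain|Forest)Trust\b"),
    Rule("System User Discovery With Whoami", "System Owner/User Discovery", r"^whoami\.exe$", r"."),
    Rule("Network Connection Discovery With Netstat", "System Network Connections Discovery",
         r"^netstat\.exe$", r"."),
]

def classify(event: dict) -> Optional[tuple]:
    """Return (detection name, technique) for the first rule that fires, else None."""
    image = event.get("process_name", "").lower()
    cmdline = event.get("process", "")
    for rule in RULES:
        if re.search(rule.image, image) and re.search(rule.cmdline, cmdline, re.IGNORECASE):
            return (rule.name, rule.technique)
    return None

def techniques_by_host(events) -> dict:
    """Distinct discovery techniques observed per host (the 'dest' field)."""
    seen = defaultdict(set)
    for event in events:
        hit = classify(event)
        if hit:
            seen[event["dest"]].add(hit[1])
    return dict(seen)

def flag_hosts(events, min_techniques: int = 3) -> list:
    """Hosts where several distinct techniques fire together: groups, domain
    controllers and password policy from one host is the situational-awareness
    pattern the narrative describes, a lone 'net user' usually is not."""
    return sorted(h for h, t in techniques_by_host(events).items() if len(t) >= min_techniques)

# Constructed sample events in the shape of Endpoint.Processes rows (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "WKSTN-01", "user": "CORP\\jdoe", "process_name": "net.exe",
     "process": 'net group "Domain Admins" /domain'},
    {"dest": "WKSTN-01", "user": "CORP\\jdoe", "process_name": "nltest.exe",
     "process": "nltest /dclist:corp.local"},
    {"dest": "WKSTN-01", "user": "CORP\\jdoe", "process_name": "powershell.exe",
     "process": "powershell.exe -c Get-ADDefaultDomainPasswordPolicy"},
    {"dest": "WKSTN-01", "user": "CORP\\jdoe", "process_name": "whoami.exe",
     "process": "whoami /all"},
    {"dest": "FILESRV-02", "user": "CORP\\svc_backup", "process_name": "net.exe",
     "process": "net user backupadmin"},
    {"dest": "FILESRV-02", "user": "CORP\\svc_backup", "process_name": "notepad.exe",
     "process": "notepad.exe C:\\temp\\notes.txt"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["dest"], "|", event["process"], "->", classify(event))
    print("hosts with clustered discovery:", flag_hosts(SAMPLE_EVENTS))
```

The per-host correlation is the part worth carrying over to the Splunk side: the individual searches in this story each fire on one tool, and the Hunting-type ones in particular are expected to match benign administration, so grouping their results by `dest` over a short window and counting distinct techniques is what separates an administrator running one command from a foothold being used to map the domain.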

Reference

source | version: 1