System Owner or User Discovery
Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Sigma rule
title: System Owner or User Discovery
id: 9a0d8ca0-2385-4020-b6c6-cb6153ca56f3
status: test
description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
author: Timur Zinniatullin, oscd.community
date: 2019-10-21
modified: 2021-11-27
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: linux
    service: auditd
detection:
    selection:
        type: 'EXECVE'
        a0:
            - 'users'
            - 'w'
            - 'who'
    condition: selection
falsepositives:
    - Admin activity
level: low
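The rule's selection logic applied to raw auditd records, as an added example that is not part of the rule or of any Sigma tooling. The log lines are constructed, and the function names (`parse_record`, `matches_rule`, `detect`) are hypothetical; it shows which records the exact-match `a0` values cover, so coverage can be checked before deployment.

```python
import re

# Values copied from the rule's selection block.
RULE_TYPE = "EXECVE"
RULE_A0 = {"users", "w", "who"}

# key=value pairs of a raw auditd record; values are quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID_RE = re.compile(r"audit\([\d.]+:(\d+)\)")

# Constructed sample records (not real log data).
SAMPLE_LOG = """\
type=EXECVE msg=audit(1700000000.101:201): argc=1 a0="who"
type=EXECVE msg=audit(1700000000.202:202): argc=1 a0="w"
type=EXECVE msg=audit(1700000000.303:203): argc=1 a0="whoami"
type=EXECVE msg=audit(1700000000.404:204): argc=1 a0="/usr/bin/who"
type=SYSCALL msg=audit(1700000000.505:205): arch=c000003e syscall=59 a0=5581f0c3a2b0 comm="users" exe="/usr/bin/users"
type=EXECVE msg=audit(1700000000.505:205): argc=1 a0="users"
type=EXECVE msg=audit(1700000000.606:206): argc=2 a0="ls" a1="w"
"""

def parse_record(line):
    """Split one raw auditd line into a field dict and extract the event id."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = EVENT_ID_RE.search(fields.get("msg", ""))
    fields["event_id"] = int(m.group(1)) if m else None
    return fields

def matches_rule(fields):
    """selection: type == EXECVE AND a0 is one of users / w / who."""
    # Sigma compares plain string values exactly and case-insensitively,
    # so "whoami" and "/usr/bin/who" are not covered by this selection.
    return (fields.get("type", "").lower() == RULE_TYPE.lower()
            and fields.get("a0", "").lower() in RULE_A0)

def detect(log_text):
    """Return (event_id, a0) for every record the selection matches."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_record(line)
        if matches_rule(fields):
            hits.append((fields["event_id"], fields["a0"]))
    return hits

if __name__ == "__main__":
    for event_id, a0 in detect(SAMPLE_LOG):
        print(f"event {event_id}: a0={a0!r} matches the rule")
```

Because `a0` is the process's `argv[0]` as passed to `execve`, records where it carries a path need a separate selection (for example on the SYSCALL record's `exe` field) if they are to be covered.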
Related rules
- Cisco Discovery
- Computer Discovery And Export Via Get-ADComputer Cmdlet
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
- Enumerate All Information With Whoami.EXE
- Get-ADUser Enumeration Using UserAccountControl Flags