Domain User Enumeration Network Recon 01
Domain user and group enumeration via network reconnaissance, as seen in APT29 intrusions and in the tradecraft of other common actors. The rule detects a set of RPC (remote procedure call) operations used to enumerate a domain controller. It was built from the datasets of the hackathon at https://github.com/OTRF/detection-hackathon-apt29
Sigma rule

```yaml
title: Domain User Enumeration Network Recon 01
id: 66a0bdc6-ee04-441a-9125-99d2eb547942
status: unsupported
description: |
    Domain user and group enumeration via network reconnaissance.
    Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller.
    The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29
references:
    - https://github.com/OTRF/detection-hackathon-apt29
    - https://github.com/OTRF/detection-hackathon-apt29/issues/37
author: 'Nate Guagenti (@neu5ron), Open Threat Research (OTR)'
date: 2020/05/03
modified: 2023/03/24
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1082
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        operation:
            # - LsarEnumerateTrustedDomains # potentially too many FPs, removing. caused by netlogon
            # - SamrEnumerateDomainsInSamServer # potentially too many FPs, removing. method obtains a listing of all domains hosted by the server side of this protocol. This value is a cookie that the server can use to continue an enumeration on a subsequent call
            - LsarLookupNames3 # method translates a batch of security principal names to their SID form
            - LsarLookupSids3 # translates a batch of security principal SIDs to their name forms
            - SamrGetGroupsForUser # obtains a listing of groups that a user is a member of
            - SamrLookupIdsInDomain # method translates a set of RIDs into account names
            - SamrLookupNamesInDomain # method translates a set of account names into a set of RIDs
            - SamrQuerySecurityObject # method queries the access control on a server, domain, user, group, or alias object
            - SamrQueryInformationGroup # obtains attributes from a group object
    timeframe: 30s
    condition: selection | count(operation) by src_ip > 4
falsepositives:
    - Devices that may do authentication like a VPN or a firewall that looks up IPs to usernames
    - False positives depend on scripts and administrative tools used in the monitored environment
level: medium
```
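To make the aggregation concrete, the following is an added Python example (not part of the rule or of the SigmaHQ project) that applies the same selection, the 30-second timeframe and the per-source count of distinct operations to Zeek dce_rpc records in JSON form. It assumes the Sigma field src_ip maps to Zeek's id.orig_h, that count(operation) counts distinct values as Sigma's legacy aggregation defines it, and the sample records are constructed, including a VPN-style host that repeats one lookup and so stays below the threshold.

```python
import json
from collections import defaultdict

# The rule's selection list; the two commented-out operations stay excluded.
RECON_OPERATIONS = {
    "LsarLookupNames3", "LsarLookupSids3", "SamrGetGroupsForUser",
    "SamrLookupIdsInDomain", "SamrLookupNamesInDomain",
    "SamrQuerySecurityObject", "SamrQueryInformationGroup",
}
TIMEFRAME_S = 30  # timeframe: 30s
THRESHOLD = 4     # count(operation) by src_ip > 4  (Sigma counts distinct values)

def detect(log_lines, window=TIMEFRAME_S, threshold=THRESHOLD):
    """Return {src_ip: distinct operations} for every source that trips the rule.
    Input lines are Zeek dce_rpc records as JSON; src_ip is taken from id.orig_h.
    A `window`-second window is slid over each source's events in time order."""
    per_src = defaultdict(list)
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("operation") in RECON_OPERATIONS:
            per_src[rec["id.orig_h"]].append((float(rec["ts"]), rec["operation"]))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            ops = {op for t, op in events[i:] if t - t0 <= window}
            if len(ops) > threshold:
                hits[src] = ops
                break
    return hits

def rec_line(ts, src, endpoint, op):  # one constructed Zeek dce_rpc JSON record
    return json.dumps({"ts": ts, "id.orig_h": src, "id.resp_h": "10.0.0.1",
                       "endpoint": endpoint, "operation": op})

SAMPLE_LOG = [  # constructed sample data, not captured traffic
    # five distinct LSA/SAMR lookups from one host within five seconds: fires
    *[rec_line(1000.0 + i, "10.0.0.5", ep, op) for i, (ep, op) in enumerate(
        [("lsarpc", "LsarLookupNames3"), ("lsarpc", "LsarLookupSids3"),
         ("samr", "SamrLookupNamesInDomain"), ("samr", "SamrGetGroupsForUser"),
         ("samr", "SamrQueryInformationGroup")])],
    # VPN-style SID lookups: one operation repeated, so only one distinct value
    *[rec_line(1000.0 + i, "10.0.0.9", "lsarpc", "LsarLookupSids3") for i in range(8)],
    # the same kind of lookups, one per minute, so never more than one inside 30 s
    *[rec_line(1000.0 + 60 * i, "10.0.0.7", "samr", op) for i, op in enumerate(
        ["SamrLookupIdsInDomain", "SamrLookupNamesInDomain", "SamrGetGroupsForUser",
         "SamrQuerySecurityObject", "SamrQueryInformationGroup"])],
    rec_line(1005.0, "10.0.0.5", "spoolss", "RpcOpenPrinter"),  # not in the selection
]
```

Running `detect(SAMPLE_LOG)` flags only 10.0.0.5; widening the window to 300 seconds also catches the slow host 10.0.0.7, which shows why the timeframe is a tuning knob for this rule.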
References
- https://github.com/OTRF/detection-hackathon-apt29
- https://github.com/OTRF/detection-hackathon-apt29/issues/37
Related rules
- Suspicious Command Arguments from Explorer or Wermgr
- Enumeration via the Global Catalog
- Reconnaissance Activity Using BuiltIn Commands
- Driverquery Lookup
- SocGholish NLTest Domain Trust Enumeration (RedCanary Threat Detection Report)