Local Accounts Discovery

calendar Aug 12, 2024 · attack.discovery attack.t1033 attack.t1087.001  ·
Share on: linkedin copy

Local accounts, System Owner/User discovery using operating systems utilities

Sigma rule (View on GitHub)

 1title: Local Accounts Discovery
 2id: 502b42de-4306-40b4-9596-6f590c81f073
 3status: test
 4description: Local accounts, System Owner/User discovery using operating systems utilities
 5references:
 6    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md
 7author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
 8date: 2019-10-21
 9modified: 2023-01-03
10tags:
11    - attack.discovery
12    - attack.t1033
13    - attack.t1087.001
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection_other_img:
19        Image|endswith:
20            - '\whoami.exe'
21            - '\quser.exe'
22            - '\qwinsta.exe'
23    selection_other_wmi:
24        Image|endswith: '\wmic.exe'
25        CommandLine|contains|all:
26            - 'useraccount'
27            - 'get'
28    selection_other_cmdkey:
29        Image|endswith: '\cmdkey.exe'
30        CommandLine|contains: ' /l'
31    selection_cmd:
32        Image|endswith: '\cmd.exe'
33        CommandLine|contains|all:
34            - ' /c'
35            - 'dir '
36            - '\Users\'
37    filter_cmd:
38        CommandLine|contains: ' rmdir ' # don't match on 'dir'   "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005"
39    selection_net:
40        Image|endswith:
41            - '\net.exe'
42            - '\net1.exe'
43        CommandLine|contains: 'user'
44    filter_net:
45        CommandLine|contains:
46            - '/domain'       # local account discovery only
47            - '/add'          # discovery only
48            - '/delete'       # discovery only
49            - '/active'       # discovery only
50            - '/expires'      # discovery only
51            - '/passwordreq'  # discovery only
52            - '/scriptpath'   # discovery only
53            - '/times'        # discovery only
54            - '/workstations' # discovery only
55    condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net) or 1 of selection_other_*
56falsepositives:
57    - Legitimate administrator or user enumerates local users for legitimate reason
58level: low

References

Related rules

to-top