attack.t1087.002

Malicious PowerShell Commandlets - PoshModule

Mar 4, 2025 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001 ·

Share on:

Detects Commandlet names from well-known PowerShell exploitation frameworks

Malicious PowerShell Commandlets - ProcessCreation

Mar 4, 2025 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001 ·

Share on:

Detects Commandlet names from well-known PowerShell exploitation frameworks

Renamed AdFind Execution

Nov 25, 2024 · attack.discovery attack.t1018 attack.t1087.002 attack.t1482 attack.t1069.002 ·

Share on:

Detects the use of a renamed Adfind.exe. AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.

Potential Active Directory Reconnaissance/Enumeration Via LDAP

Aug 27, 2024 · attack.discovery attack.t1069.002 attack.t1087.002 attack.t1482 ·

Share on:

Detects potential Active Directory enumeration via LDAP

Active Directory Computers Enumeration With Get-AdComputer

Aug 12, 2024 · attack.discovery attack.t1018 attack.t1087.002 ·

Share on:

Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.

Active Directory Structure Export Via Csvde.EXE

Aug 12, 2024 · attack.exfiltration attack.discovery attack.t1087.002 ·

Share on:

Detects the execution of "csvde.exe" in order to export organizational Active Directory structure.

AD Privileged Users or Groups Reconnaissance

Aug 12, 2024 · attack.discovery attack.t1087.002 ·

Share on:

Detect priv users or groups recon based on 4661 eventid and known privileged users or groups SIDs

BloodHound Collection Files

Aug 12, 2024 · attack.discovery attack.t1087.001 attack.t1087.002 attack.t1482 attack.t1069.001 attack.t1069.002 attack.execution attack.t1059.001 ·

Share on:

Detects default file names outputted by the BloodHound collection tool SharpHound

HackTool - Bloodhound/Sharphound Execution

Aug 12, 2024 · attack.discovery attack.t1087.001 attack.t1087.002 attack.t1482 attack.t1069.001 attack.t1069.002 attack.execution attack.t1059.001 ·

Share on:

Detects command line parameters used by Bloodhound and Sharphound hack tools

Malicious PowerShell Commandlets - ScriptBlock

Aug 12, 2024 · attack.execution attack.discovery attack.t1482 attack.t1087 attack.t1087.001 attack.t1087.002 attack.t1069.001 attack.t1069.002 attack.t1069 attack.t1059.001 ·

Share on:

Detects Commandlet names from well-known PowerShell exploitation frameworks

Potential AD User Enumeration From Non-Machine Account

Aug 12, 2024 · attack.discovery attack.t1087.002 ·

Share on:

Detects read access to a domain user from a non-machine account

PUA - AdFind Suspicious Execution

Aug 12, 2024 · attack.discovery attack.t1018 attack.t1087.002 attack.t1482 attack.t1069.002 stp.1u ·

Share on:

Detects AdFind execution with common flags seen used during attacks

PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE

Aug 12, 2024 · attack.discovery attack.t1087.002 ·

Share on:

Detects active directory enumeration activity using known AdFind CLI flags

Reconnaissance Activity

Aug 12, 2024 · attack.discovery attack.t1087.002 attack.t1069.002 attack.s0039 ·

Share on:

Detects activity as "net user administrator /domain" and "net group domain admins /domain"

Suspicious Group And Account Reconnaissance Activity Using Net.EXE

Aug 12, 2024 · attack.discovery attack.t1087.001 attack.t1087.002 ·

Share on:

Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)

Suspicious Use of PsLogList

Aug 12, 2024 · attack.discovery attack.t1087 attack.t1087.001 attack.t1087.002 ·

Share on:

Detects usage of the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery or delete events logs

AdFind Discovery

Aug 2, 2024 · attack.discovery attack.t1018 attack.t1482 attack.t1069.002 attack.t1087.002 attack.s0552 ·

Share on:

AdFind has been seen in numerous intrusions. The threat actor(s) ran these commands.

WMI Reconnaissance

Mar 26, 2024 · attack.execution attack.t1047 attack.discovery attack.t1087 attack.t1087.002 ·

Share on:

Reconnaissance is harder to detect because it looks very similar to normal admin behavior. Even so, we detect a relatively high volume of adversaries leveraging WMI to quickly gather domain information such as users, groups, or computers in the domain. The following may help you detect related activity. Part of the RedCanary 2024 Threat Detection Report.

Domain User Enumeration Network Recon 01

Oct 18, 2023 · attack.discovery attack.t1087.002 attack.t1082 ·

Share on:

Domain user and group enumeration via network reconnaissance. Seen in APT 29 and other common tactics and actors. Detects a set of RPC (remote procedure calls) used to enumerate a domain controller. The rule was created based off the datasets and hackathon from https://github.com/OTRF/detection-hackathon-apt29

Enumeration via the Global Catalog

Apr 21, 2023 · attack.discovery attack.t1087.002 ·

Share on:

Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width.