Account Discovery via Built-In Tools¶
Adversaries may use built-in applications to get a listing of local system or domain accounts
id: | 56fdf859-b2a7-4009-88e0-69fec4c3deef |
---|---|
categories: | enrich |
confidence: | low |
os: | windows, macos, linux |
created: | 7/26/2019 |
updated: | 7/26/2019 |
Query¶
process where subtype.create and (
process_name == "net.exe" and wildcard(command_line, "* user*", "*localgroup *", "*group *") or
process_name in ("groups", "id") or
process_name == "dscl" and command_line == "*list /groups*" or
process_name == "dscacheutil" and command_line == "*group*" or
wildcard(command_line, "*/etc/passwd*", "*/etc/master.passwd*")
)