Ad Discovery

Date: 2021-08-24 ID: 1e2c5670-7953-492f-90e2-aa95aa190049 Author: Mauricio Velazco Environment: attack_range Directory: AD_discovery

Description

Simulated test Attack range dataset for AD discovery techniques

ID	Technique	Tactic
T1087.001	Local Account	Discovery

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

Path: /datasets/attack_techniques/T1087.001/AD_discovery/windows-sysmon.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
GetLocalUser with PowerShell	`Hunting`	Endpoint	T1087.001	Active Directory Discovery
GetWmiObject User Account with PowerShell	`Hunting`	Endpoint	T1087.001	Winter Vivern, Active Directory Discovery, Water Gamayun
Windows User Discovery Via Net	`Hunting`	Endpoint	T1087.001	Active Directory Discovery, Sandworm Tools, Medusa Ransomware
Local Account Discovery With Wmic	`Hunting`	Endpoint	T1087.001	Active Directory Discovery, Scattered Lapsus$ Hunters
GetLocalUser with PowerShell Script Block	`Hunting`	Endpoint	T1059.001, T1087.001	Active Directory Discovery, Malicious PowerShell

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0