Analytics Story: Windows Discovery Techniques

Description

Monitors for behaviors associated with adversaries discovering objects in the environment (accounts, groups, services, network shares, hosts) that can be leveraged to progress the attack.

Why it matters

Attackers may not have much, if any, insight into their target's environment before the initial compromise. Once a foothold has been established, attackers will start enumerating objects in the environment (accounts, services, network shares, etc.) that can be used to achieve their objectives. This Analytic Story provides searches to help identify activities consistent with adversaries gaining knowledge of compromised Windows environments.

Detections

| Name | Technique | Type |
|------|-----------|------|
| Detect AzureHound Command-Line Arguments | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Detect AzureHound File Modifications | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Detect SharpHound Command-Line Arguments | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Detect SharpHound File Modifications | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Detect SharpHound Usage | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |
| Network Traffic to Active Directory Web Services Protocol | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | Hunting |
| System Information Discovery Detection | System Information Discovery | TTP |
| Windows Detect Network Scanner Behavior | Scanning IP Blocks, Vulnerability Scanning | Anomaly |
| Windows Group Discovery Via Net | Local Groups, Domain Groups | Hunting |
| Windows SOAPHound Binary Execution | Local Groups, Domain Groups, Local Account, Domain Account, Domain Trust Discovery | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 1