« Account Password Reset Remotely Active Directory Discovery using AdExplorer »
Elastic Docs Elastic Security [8.19] Detections and alerts Prebuilt rule reference

Account or Group Discovery via Built-In Tools

edit
IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

Account or Group Discovery via Built-In Tools

edit

Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.

Rule type: new_terms

Rule indices:

  • logs-endpoint.events.*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

  • Domain: Endpoint
  • OS: Linux
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Discovery
  • Rule Type: BBR
  • Data Source: Elastic Defend

Version: 6

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
event.category:process and host.os.type:(linux or macos) and event.action:exec and (
  (process.name:"dscl" and process.args:(/Active*Directory/* or /Users* or /Groups*)) or
  (process.name:"dscacheutil" and process.args:("user" or "group")) or
  (process.name:"getent" and process.args:("passwd" or "group") and process.args_count >= 3)
) and not (
  process.parent.executable:(
    "/usr/lib/ocf/resource.d/cyanconnode/mysql" or /snap/* or "/usr/bin/check_mk_agent" or "/usr/bin/cloudflared" or
    /opt/puppetlabs/* or /var/lib/snapd/* or "/usr/lib/google/guest_agent/core_plugin" or "/opt/rudder/bin/cf-agent" or
    "/opt/NinjaRMMAgent/programfiles/ninjarmm-linagent"
  ) or
  process.working_directory:(
    /var/snap/* or  "/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent" or "/var/lib/nanitor/agent" or
    "/var/ossec" or /opt/rapid7/* or "/opt/Tanium/TaniumClient"
  )
)

Framework: MITRE ATT&CKTM

« Account Password Reset Remotely Active Directory Discovery using AdExplorer »