Techniques
Sample rules
Local Accounts Discovery
- source: sigma
- techniques:
  - t1033
  - t1087
  - t1087.001
 
Description
Local account enumeration and System Owner/User discovery performed with built-in operating-system utilities
Detection logic
# Any one of three branches fires: (1) a cmd.exe "dir" of \Users\ whose command
# line is not a rmdir, (2) net.exe/net1.exe with "user" in the command line that
# carries none of the filter_net switches, (3) any single selection_other_*
# selection (whoami/quser/qwinsta, cmdkey /l, wmic useraccount get).
# Sigma string matching is case-insensitive by default, so e.g. "UserAccount"
# also matches; NOTE(review): confirm the target backend preserves that.
# The value is a plain scalar continued on the next line; a comment line between
# the two would split it, so do not insert one there.
condition: (selection_cmd and not filter_cmd) or (selection_net and not filter_net)
  or 1 of selection_other_*
# Negated in the condition: a matching cmd.exe event is dropped entirely when its
# command line also contains ' rmdir '.
# NOTE(review): presumably added to avoid overlap with a deletion-focused rule;
# as written, chaining a rmdir onto the listing (e.g. "dir C:\Users\ & rmdir x")
# evades the cmd branch — confirm the overlap is worth that gap.
filter_cmd:
  CommandLine|contains: ' rmdir '
# Negated in the condition: a net/net1 "user" command line containing any one of
# these switches is excluded as a whole. /domain targets domain rather than local
# accounts; the remaining switches presumably indicate account manipulation
# (create/delete/modify) rather than discovery — verify those are covered by
# separate rules, since appending any of them trivially evades this branch.
filter_net:
  CommandLine|contains:
  - /domain
  - /add
  - /delete
  - /active
  - /expires
  - /passwordreq
  - /scriptpath
  - /times
  - /workstations
# Branch 1: cmd.exe invoked with /c whose command line also contains "dir " and
# "\Users\" (contains|all: every substring must be present, in any order).
selection_cmd:
  CommandLine|contains|all:
  - ' /c'
  - 'dir '
  - \Users\
  Image|endswith: \cmd.exe
# Branch 2: net.exe or net1.exe with the bare substring "user" anywhere in the
# command line. NOTE(review): "user" alone is broad — it also matches e.g.
# "net localgroup users" or any argument/path containing the word; tune per
# environment if this branch is noisy.
selection_net:
  CommandLine|contains: user
  Image|endswith:
  - \net.exe
  - \net1.exe
# Branch 3a: cmdkey.exe with " /l" in the command line (the prefix of /list).
selection_other_cmdkey:
  CommandLine|contains: ' /l'
  Image|endswith: \cmdkey.exe
# Branch 3b: a list of two maps, so the alternatives are OR'ed: either the image
# path ends with one of the three names, or OriginalFileName is one of them.
# There is no command-line constraint, so every execution of these binaries
# matches. The OriginalFileName alternative presumably still catches a renamed
# copy — confirm the log source populates that field.
selection_other_img:
- Image|endswith:
  - \whoami.exe
  - \quser.exe
  - \qwinsta.exe
- OriginalFileName:
  - whoami.exe
  - quser.exe
  - qwinsta.exe
# Branch 3c: wmic.exe whose command line contains both "useraccount" and "get"
# (contains|all), i.e. a "wmic useraccount get ..." query.
selection_other_wmi:
  CommandLine|contains|all:
  - useraccount
  - get
  Image|endswith: \wmic.exe
