LoFP / legitimate use of the utilities by legitimate user for legitimate reason

Techniques

• t1482

Sample rules

Domain Trust Discovery Via Dsquery

• source: sigma
• technicques:
  • t1482

Description

Detects execution of “dsquery.exe” for domain trust discovery

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: trustedDomain
selection_img:
- Image|endswith: \dsquery.exe
- OriginalFileName: dsquery.exe