Loading

Account or Group Discovery via Built-In Tools

Adversaries may use built-in applications to get a listing of local system or domain accounts and groups.

Rule type: new_terms
Rule indices:

  • logs-endpoint.events.*

Rule Severity: low
Risk Score: 21
Runs every: 60m
Searches indices from: now-119m
Maximum alerts per execution: ?
References:

Tags:

  • Domain: Endpoint
  • OS: Linux
  • OS: macOS
  • Use Case: Threat Detection
  • Tactic: Discovery
  • Rule Type: BBR
  • Data Source: Elastic Defend

Version: ?
Rule authors:

  • Elastic

Rule license: Elastic License v2

event.category:process and host.os.type:(linux or macos) and event.action:exec and (
  (process.name:"dscl" and process.args:(/Active*Directory/* or /Users* or /Groups*)) or
  (process.name:"dscacheutil" and process.args:("user" or "group")) or
  (process.name:"getent" and process.args:("passwd" or "group") and process.args_count >= 3)
) and not (
  process.parent.executable:(
    "/usr/lib/ocf/resource.d/cyanconnode/mysql" or /snap/* or "/usr/bin/check_mk_agent" or "/usr/bin/cloudflared" or
    /opt/puppetlabs/* or /var/lib/snapd/* or "/usr/lib/google/guest_agent/core_plugin" or "/opt/rudder/bin/cf-agent" or
    "/opt/NinjaRMMAgent/programfiles/ninjarmm-linagent"
  ) or
  process.working_directory:(
    /var/snap/* or  "/Applications/NinjaRMMAgent/programfiles/ninjarmm-macagent" or "/var/lib/nanitor/agent" or
    "/var/ossec" or /opt/rapid7/* or "/opt/Tanium/TaniumClient"
  )
)

Framework: MITRE ATT&CK