Skip to content

Latest commit

 

History

History
56 lines (49 loc) · 2.32 KB

LocalGroupDiscovery.md

File metadata and controls

56 lines (49 loc) · 2.32 KB
Raw

Local Group Discovery

Query Information

MITRE ATT&CK Technique(s)

Technique ID Title Link
T1069.001 Permission Groups Discovery: Local Groups https://attack.mitre.org/techniques/T1069/001/

Description

Adversaries often execute the net localgroup "adminstrator" command to get information about the local admins on a device, but there might also be other groups that could be intersting. This query can be used as custom detection rule to detect local group discovery events using net.exe or net1.exe. There is a whitelist for departments that are expected to perform this action, but if HR or Sales executes these commands you probably want to know.

Risk

A compromised account performs discovery activities in your environment.

References

Defender XDR

let WhitelistedDepartments = dynamic(["Service Desk", "It Admins"]);
let StartTime = 30d;
DeviceProcessEvents
| where Timestamp > startofday(ago(StartTime))
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has "localgroup"
| extend GroupName = extract(@'"(.*?)"', 1, ProcessCommandLine)
| join kind=inner (IdentityInfo
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, *) by OnPremSid
    | project Department, OnPremSid)
    on $left.AccountSid == $right.OnPremSid
// Filter whitelisted departments
| where not(Department in (WhitelistedDepartments))
| project-reorder Timestamp, Department, ProcessCommandLine, GroupName

Sentinel

let WhitelistedDepartments = dynamic(["Service Desk", "It Admins"]);
let StartTime = 30d;
DeviceProcessEvents
| where TimeGenerated > startofday(ago(StartTime))
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has "localgroup"
| extend GroupName = extract(@'"(.*?)"', 1, ProcessCommandLine)
| join kind=inner (IdentityInfo
    | where TimeGenerated > ago(30d)
    | summarize arg_max(TimeGenerated, *) by OnPremSid
    | project Department, OnPremSid)
    on $left.AccountSid == $right.OnPremSid
// Filter whitelisted departments
| where not(Department in (WhitelistedDepartments))
| project-reorder TimeGenerated, Department, ProcessCommandLine, GroupName