curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

page(threat-hunting): Account Discovery Using DIR, WHOAMI, and NET

This commit is contained in:
Ming Di Leom 2025-06-01 12:02:01 +00:00
parent 429092e81a
commit 6a39f54934
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
source/threat-hunting/index.md
View File

@ -182,6 +182,16 @@ index="aws" sourcetype="aws:cloudtrail" eventSource="sts.amazonaws.com" eventNam
| table Time, region, requestParameters.roleArn, sourceIPAddress, userAgent, userIdentity.invokedBy, userIdentity.type | table Time, region, requestParameters.roleArn, sourceIPAddress, userAgent, userIdentity.invokedBy, userIdentity.type
``` ```
## Account Discovery Using DIR, WHOAMI, and NET
References: [1](https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/#discovery)
SPL:
```spl
| tstats summariesonly=true allow_old_summaries=true count FROM datamodel=Endpoint.Processes WHERE index="windows" Processes.signature_id=4688 Processes.process_name="cmd.exe" Processes.process IN ("*whoami*", "*dir C:\\Users*", "*net localgroup administrators*") BY index, host, Processes.signature_id, Processes.signature, Processes.process, Processes.user, _time span=1s
| rename Processes.* AS *, signature_id AS EventCode, signature AS EventDescription
```
## Account Lockout in Administrator Groups ## Account Lockout in Administrator Groups
Description: Monitor Administrator, *_admin accounts for lockout. Description: Monitor Administrator, *_admin accounts for lockout.