# active_directory_discovery.yml
name: Active Directory Discovery
id: 8460679c-2b21-463e-b381-b813417c32f2
version: 1
date: '2021-08-20'
author: Mauricio Velazco, Splunk
description: Monitor for activities and techniques associated with Discovery and Reconnaissance
  within Active Directory environments.
narrative: 'Discovery consists of techniques an adversary uses to gain knowledge about
  an internal environment or network. These techniques provide adversaries with situational
  awareness and allow them to have the necessary information before deciding how
  to act or who/what to target next.
  Once an attacker obtains an initial foothold in an Active Directory environment,
  she is forced to engage in Discovery techniques in the initial phases of a breach
  to better understand and navigate the target network. Some examples include but
  are not limited to enumerating domain users, domain admins, computers, domain controllers,
  network shares, group policy objects, domain trusts, etc.'
references:
- https://attack.mitre.org/tactics/TA0007/
- https://adsecurity.org/?p=2535
- https://attack.mitre.org/techniques/T1087/001/
- https://attack.mitre.org/techniques/T1087/002/
- https://attack.mitre.org/techniques/T1087/003/
- https://attack.mitre.org/techniques/T1482/
- https://attack.mitre.org/techniques/T1201/
- https://attack.mitre.org/techniques/T1069/001/
- https://attack.mitre.org/techniques/T1069/002/
- https://attack.mitre.org/techniques/T1018/
- https://attack.mitre.org/techniques/T1049/
- https://attack.mitre.org/techniques/T1033/
tags:
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection