Detection rules › Splunk
Common Active Directory Commands (Sysmon)
Detects the possible execution of specific AD commands on hosts
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1007 System Service Discovery, T1087.002 Account Discovery: Domain Account |
References
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
id: '1073.1111'
title: Common Active Directory Commands
description: 'Detects the possible execution of specific AD commands on hosts. Threat
Actor Association: APT29/Nobelium/Cozy Bear, APT41, FIN6, FIN10, Carbanak, CL-STA-0043,
Lapsus$, Lazarus, MuddyWater, Sandworm Team, TA428, Turla, UNC2596, Vice Society,
Volt Typhoon (Bronze Silhouette, Vanguard Panda), Witchetty, Wizard Spider Software
Association: Akira, ALPHV/BlackCat, AvosLocker, Bazarloader, BianLian, Black Basta,
Clop, Conti, Cuba, Havex, IcedID, Insekt, Lockbit, Revil, Ryuk, Snatch, WASTEDLOCKER
Tags: TrendingThreat, Russia, Ukraine'
logic_format: Splunk
logic: '`get_endpoint_data` `get_endpoint_data_sysmon` EventCode=1 (TERM("csvde.exe")
OR TERM("dsacls.exe") OR TERM("dcpromo.exe") OR TERM("dcdiag.exe") OR TERM("dsamain.exe")
OR TERM("dsmgmt.exe") OR TERM("ldifde.exe") OR TERM("ldp.exe") OR TERM("netdom.exe")
OR TERM("nltest.exe") OR TERM("setspn.exe") OR (TERM("net") AND ("/domain" OR TERM("computer")))
OR "whoami /groups") | regex process="csvde.exe|dsacls.exe|dcpromo.exe|dcdiag.exe|dsamain.exe|dsmgmt.exe|ldifde.exe|ldp.exe|netdom.exe|nltest.exe|setspn.exe|net.+(\/domain|computer)|whoami
\/groups" | table _time, host, user, dvc, event_id, host, parent_process parent_process_exec
parent_process_id, process, process_current_directory, process_exec, process_id,
process_hash, process_path, signature_id, tag, user_id | bin span=600s | stats values(*)
as * by _time, host | streamstats c(process) as c_process by host | where c_process>2 '
techniques:
- discovery:account discovery:domain account
- discovery:system service discovery
technique_id:
- T1087.002
- T1007
data_category:
- Windows Sysmon
references:
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_sysmon` EventCode=1 (TERM("csvde.exe") OR TERM("dsacls.exe") OR TERM("dcpromo.exe") OR TERM("dcdiag.exe") OR TERM("dsamain.exe") OR TERM("dsmgmt.exe") OR TERM("ldifde.exe") OR TERM("ldp.exe") OR TERM("netdom.exe") OR TERM("nltest.exe") OR TERM("setspn.exe") OR (TERM("net") AND ("/domain" OR TERM("computer"))) OR "whoami /groups")
Stage 2: regex
| regex process="csvde.exe|dsacls.exe|dcpromo.exe|dcdiag.exe|dsamain.exe|dsmgmt.exe|ldifde.exe|ldp.exe|netdom.exe|nltest.exe|setspn.exe|net.+(\/domain|computer)|whoami \/groups"
Stage 3: table
| table _time, host, user, dvc, event_id, host, parent_process parent_process_exec parent_process_id, process, process_current_directory, process_exec, process_id, process_hash, process_path, signature_id, tag, user_id
Stage 4: bucket
| bin span=600s
Stage 5: stats
| stats values(*) as * by _time, host
Stage 6: streamstats
| streamstats c(process) as c_process by host
Stage 7: where
| where c_process>2
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | "csvde.exe" |
| 1 | "dsacls.exe" |
| 1 | "dcpromo.exe" |
| 1 | "dcdiag.exe" |
| 1 | "dsamain.exe" |
| 1 | "dsmgmt.exe" |
| 1 | "ldifde.exe" |
| 1 | "ldp.exe" |
| 1 | "netdom.exe" |
| 1 | "nltest.exe" |
| 1 | "setspn.exe" |
| 1 | "net" |
| 1 | "/domain" |
| 1 | "computer" |
| 1 | "whoami /groups" |