Query Details

Local Group Discovery

Query

let WhitelistedDepartments = dynamic(["Service Desk", "It Admins"]);
let StartTime = 30d;
DeviceProcessEvents
| where Timestamp > startofday(ago(StartTime))
| where FileName in ("net.exe", "net1.exe")
| where ProcessCommandLine has "localgroup"
| extend GroupName = extract(@'"(.*?)"', 1, ProcessCommandLine)
| join kind=inner (IdentityInfo
    | where Timestamp > ago(30d)
    | summarize arg_max(Timestamp, *) by OnPremSid
    | project Department, OnPremSid)
    on $left.AccountSid == $right.OnPremSid
// Filter whitelisted departments
| where not(Department in (WhitelistedDepartments))
| project-reorder Timestamp, Department, ProcessCommandLine, GroupName

About this query

Explanation

This query is designed to detect suspicious activities related to local group discovery on devices within a network. Here's a simplified explanation:

  1. Purpose: The query aims to identify when certain commands are used to discover local groups on a device, which could indicate unauthorized access or reconnaissance by an attacker.

  2. Technique: It focuses on the MITRE ATT&CK technique T1069.001, which involves discovering permission groups, specifically local groups, on a system.

  3. Command Detection: The query looks for the execution of net.exe or net1.exe with the "localgroup" command. These commands are typically used to list local groups on a device.

  4. Whitelisting: It includes a whitelist of departments (like "Service Desk" and "IT Admins") that are expected to perform such actions. If other departments, such as HR or Sales, execute these commands, it could be suspicious.

  5. Time Frame: The query checks for these activities within the last 30 days.

  6. Data Sources: It uses data from DeviceProcessEvents to find the command executions and IdentityInfo to get information about the user accounts, including their departments.

  7. Output: The query outputs a list of events where non-whitelisted departments executed the local group discovery commands, along with the timestamp, department, command line, and group name involved.

This query can be used as a custom detection rule to alert security teams about potential unauthorized discovery activities in the network.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

DeviceProcessEventsIdentityInfo

Keywords

DevicesDepartmentProcessCommandLineGroupNameIdentityInfoAccountSidTimeGeneratedTimestampFile

Operators

letdynamicagostartofdayinhasextendextractjoinkind=innersummarizearg_maxbyprojecton==notproject-reorder

MITRE Techniques

Actions

GitHub