{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/account-discovery/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["M365 Defender","Elastic Defend","Windows"],"_cs_severities":["low"],"_cs_tags":["discovery","account-discovery","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eAttackers often perform reconnaissance activities within a compromised environment to understand the available resources and potential targets. This reconnaissance helps them plan subsequent actions, such as privilege escalation and lateral movement. This activity involves using built-in Windows utilities like \u003ccode\u003enet.exe\u003c/code\u003e and \u003ccode\u003ewmic.exe\u003c/code\u003e to enumerate administrator-related user accounts and groups. This information can reveal potential targets for credential compromise or other post-exploitation activities. 
Attackers typically run this enumeration from the low-privileged account they first compromised, so the same commands issued by a non-administrative user are a useful signal.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a Windows system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003enet.exe\u003c/code\u003e with subcommands that list local or domain users and groups.\u003c/li\u003e\n\u003cli\u003eThe attacker filters the output for administrator-related keywords such as \u0026ldquo;admin\u0026rdquo;, \u0026ldquo;Domain Admins\u0026rdquo;, \u0026ldquo;Enterprise Admins\u0026rdquo;, \u0026ldquo;Remote Desktop Users\u0026rdquo;, or \u0026ldquo;Organization Management\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker queries user accounts through \u003ccode\u003ewmic.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker parses the \u003ccode\u003ewmic.exe\u003c/code\u003e output to identify administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker selects privileged accounts to target for credential theft or privilege escalation.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised accounts for lateral movement or to access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful enumeration of administrator accounts lets an attacker identify high-value targets within the environment. This can lead to credential theft, privilege escalation, lateral movement and, ultimately, unauthorized access to sensitive data or systems. 
The risk score is low because administrators legitimately run the same commands, but in an intrusion this enumeration is a precursor to more serious compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003enet.exe\u003c/code\u003e (and \u003ccode\u003enet1.exe\u003c/code\u003e, the helper to which \u003ccode\u003enet.exe\u003c/code\u003e hands most subcommands) and \u003ccode\u003ewmic.exe\u003c/code\u003e with arguments related to user and group enumeration, using the Sigma rules provided.\u003c/li\u003e\n\u003cli\u003eInvestigate instances of lower-privileged accounts executing these commands. When excluding authorized administrators who perform the same actions, match on the user and host pair rather than on the user name alone, so that a compromised administrator workstation is not excluded along with its owner.\u003c/li\u003e\n\u003cli\u003eEnable Windows process creation logging with command-line capture (Security event 4688 with \u0026ldquo;Include command line in process creation events\u0026rdquo; enabled, or Sysmon event ID 1); without the command line, account discovery cannot be told apart from routine \u003ccode\u003enet.exe\u003c/code\u003e use.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune them for your environment. Note that \u003ccode\u003ewmic.exe\u003c/code\u003e is deprecated and is not enabled by default on recent Windows 11 releases, so its execution on such hosts is itself worth a closer look.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T17:14:00Z","date_published":"2024-01-03T17:14:00Z","id":"/briefs/2024-01-admin-recon/","summary":"Adversaries may execute the `net.exe` or `wmic.exe` commands to enumerate administrator accounts or groups, both locally and within the domain, to gather information for follow-on actions.","title":"Windows Account Discovery of Administrator Accounts","url":"https://feed.craftedsignal.io/briefs/2024-01-admin-recon/"}],"language":"en","title":"CraftedSignal Threat Feed — Account-Discovery","version":"https://jsonfeed.org/version/1.1"}
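The following Python is an added worked example and is not part of the CraftedSignal brief or its Sigma rules. It replays the detection logic described in the Recommendation section over constructed process-creation records (shaped like Sysmon event ID 1 / Security event 4688 fields): it matches `net.exe`, `net1.exe` and `wmic.exe` account-enumeration command lines, marks those that name a privileged group directly, and separates executions by an approved administrator (matched on the user and host pair) from those by other accounts. The host names, user names, command lines and the allowlist are all invented for illustration.

```python
"""Detection logic for administrator-account discovery via net.exe / wmic.exe.

Hypothetical, self-contained example: constructed process-creation records are
run through a rule that mirrors the brief's logic. Nothing here is real telemetry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Images of interest. net.exe hands most subcommands to net1.exe, so a rule that
# only watches net.exe misses the child process that does the actual work.
ENUM_IMAGES = {"net.exe", "net1.exe", "wmic.exe"}

# net[1].exe user|group|localgroup ... (tolerates a quoted full path before it)
NET_ENUM_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+(?:user|group|localgroup)\b', re.I)
# wmic aliases that enumerate accounts, e.g. "wmic useraccount get name,sid"
WMIC_ENUM_RE = re.compile(r"\b(?:useraccount|group)\b", re.I)
# Privileged principals named directly on the command line (keywords from the brief)
PRIVILEGED_RE = re.compile(
    r"admin|domain admins|enterprise admins|remote desktop users|organization management",
    re.I,
)

# Constructed sample events (not from a real host).
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "Domain Admins" /domain'},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net1.exe",
     "command_line": "net1 localgroup administrators"},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic useraccount get name,sid"},
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net use \\\\fileserver\\share"},          # benign: drive mapping
    {"host": "ADM-01", "user": "CORP\\svc_helpdesk_adm", "image": r"C:\Windows\System32\net.exe",
     "command_line": 'net localgroup "Remote Desktop Users"'},  # approved admin on admin host
    {"host": "WS-042", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},                          # unrelated process
]

# Hypothetical allowlist: (user, host) pairs, lower-cased. Excluding by user name
# alone would also silence a compromised admin account on an arbitrary workstation.
APPROVED_ADMIN_PAIRS = {("corp\\svc_helpdesk_adm", "adm-01")}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    command_line: str
    technique: str           # "net-account-enum" or "wmic-account-enum"
    privileged_target: bool  # command names a privileged group/account explicitly
    approved: bool           # (user, host) pair is on the admin allowlist


def image_name(image: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict, approved_pairs: set[tuple[str, str]]) -> Finding | None:
    """Return a Finding if the event looks like account discovery, else None."""
    name = image_name(event["image"])
    if name not in ENUM_IMAGES:
        return None
    cmd = event["command_line"]
    if name == "wmic.exe":
        if not WMIC_ENUM_RE.search(cmd):
            return None
        technique = "wmic-account-enum"
    else:
        if not NET_ENUM_RE.search(cmd):
            return None
        technique = "net-account-enum"
    return Finding(
        host=event["host"],
        user=event["user"],
        command_line=cmd,
        technique=technique,
        privileged_target=bool(PRIVILEGED_RE.search(cmd)),
        approved=(event["user"].lower(), event["host"].lower()) in approved_pairs,
    )


def triage(events, approved_pairs):
    """All findings, plus the subset not covered by the allowlist (the alerts)."""
    findings = [f for f in (classify(e, approved_pairs) for e in events) if f]
    alerts = [f for f in findings if not f.approved]
    return findings, alerts


if __name__ == "__main__":
    _, alerts = triage(SAMPLE_EVENTS, APPROVED_ADMIN_PAIRS)
    for f in alerts:
        print(f"ALERT {f.host} {f.user} [{f.technique}, privileged_target={f.privileged_target}] {f.command_line}")
```

Run against the sample, four of the six events are account discovery and three become alerts, all from the non-administrative `CORP\jdoe` on `WS-042`; the `net use` drive mapping and the `cmd.exe` event are ignored, and the helpdesk administrator's `Remote Desktop Users` query is recorded but not alerted because both its user and its host are on the allowlist. The `wmic useraccount` query is flagged even though no privileged keyword appears in it, because the brief's point is that the filtering happens afterwards on the output.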