Account Discovery & Enumeration
Discovery

Execution

Let's run some of the popular enumeration commands on the victim system:
net user
net user administrator
whoami /user
whoami /all
...

Hunting and Observations

Command-line logging (for example Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled) makes it possible to spot a cluster of enumeration commands executed within a short span of time on a compromised host.
For this lab, I exported 8600+ command lines from various processes and wrote a quick PowerShell script that ingests them, looks for a handful of classic Windows enumeration commands executed within a two-minute window, and prints the matches:
hunt.ps1
function hunt() {
    [CmdletBinding()]Param()
    # CSV export of process command lines; the column names below are the ones in that export.
    $commandlines = Import-Csv C:\Users\mantvydas\Downloads\cmd-test.csv
    # net.exe hands 'net user' etc. off to net1.exe, so process telemetry shows net1.
    $watch = 'whoami|net1 user|hostname|netstat|net localgroup|cmd /c'
    # Only the watched commands need clustering; parse their timestamps once instead of per comparison.
    $matchedCommandlines = $commandlines | Where-Object { $_."event_data.CommandLine" -match $watch } |
        Select-Object @{ n = 'Time'; e = { [datetime]$_."@timestamp" } }, *

    $matchedCommandlines | ForEach-Object {
        [datetime]$eventTime = $_.Time
        [datetime]$low = $eventTime.AddSeconds(-60)
        [datetime]$high = $eventTime.AddSeconds(60)
        # Every watched command within +/- 60 seconds of this one (a two-minute window)
        $clusteredCommandlines = @($matchedCommandlines | Where-Object { $_.Time -ge $low -and $_.Time -le $high })

        # @() above guarantees an array, so .Count is correct even for a single hit
        if ($clusteredCommandlines.Count -ge 4) {
            Write-Verbose "Possible enumeration around time: $low - $high ($eventTime)"
            $clusteredCommandlines
        }
    }
}
Invoking the script to start the hunt:
. .\hunt.ps1; hunt -Verbose
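The CSV-driven script above reports a burst once for every command in it and rescans the whole export each time. The following is an added example, not the page's own hunt.ps1, that applies the same idea to live Sysmon process-creation telemetry and slides one window per host so each burst is reported once. The command pattern, the thresholds, the Sysmon field names used and the sample events are assumptions made for illustration.

```powershell
# Added example (not from the original page): sliding-window enumeration hunt
# over Sysmon Event ID 1 data. Pattern, thresholds and sample data are assumptions.

# Discovery commands to watch for. net.exe delegates 'net user' and
# 'net localgroup' to net1.exe, so process-creation logs show net1.
$DiscoveryPattern = '\b(whoami|net1?\s+(user|localgroup|group|accounts)|hostname|systeminfo|ipconfig|netstat|nltest|quser|qwinsta|tasklist)\b'

function Get-SysmonProcessEvents {
    # Collect Sysmon process-creation events from a host. Needs Sysmon installed
    # and an elevated session; the field names are Sysmon's own EventData names.
    [CmdletBinding()]
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction Stop | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Host        = $_.MachineName
            User        = $data['User']
            Parent      = $data['ParentImage']
            CommandLine = $data['CommandLine']
        }
    }
}

function Find-EnumerationClusters {
    # Per host, sort the matching commands by time and slide a window over them.
    # A cluster is reported once it holds $MinDistinct different command lines
    # inside $WindowSeconds; every event lands in at most one cluster, so a
    # burst is reported once rather than once per member.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Record,
        [int]$WindowSeconds = 120,
        [int]$MinDistinct   = 4
    )
    begin   { $hits = New-Object System.Collections.ArrayList }
    process { if ($Record.CommandLine -match $DiscoveryPattern) { [void]$hits.Add($Record) } }
    end {
        foreach ($byHost in ($hits | Group-Object Host)) {
            $sorted = @($byHost.Group | Sort-Object Time)
            $i = 0
            while ($i -lt $sorted.Count) {
                $deadline = $sorted[$i].Time.AddSeconds($WindowSeconds)
                $j = $i
                while ($j -lt $sorted.Count -and $sorted[$j].Time -le $deadline) { $j++ }
                $cluster  = $sorted[$i..($j - 1)]
                $distinct = @($cluster.CommandLine | Select-Object -Unique).Count
                if ($distinct -ge $MinDistinct) {
                    [pscustomobject]@{
                        Host     = $byHost.Name
                        Start    = $sorted[$i].Time
                        End      = $sorted[$j - 1].Time
                        Distinct = $distinct
                        Users    = (@($cluster.User | Select-Object -Unique) -join ', ')
                        Commands = ($cluster.CommandLine -join ' | ')
                    }
                    $i = $j      # consume the whole cluster
                } else {
                    $i++         # no burst starts here; slide forward one event
                }
            }
        }
    }
}

# Constructed sample telemetry (not real logs): a discovery burst on WS01 and a
# single, unremarkable 'hostname' on WS02.
$t0 = Get-Date '2024-01-01 10:00:00'
$sample = @(
    @{ Host = 'WS01'; User = 'CORP\jdoe'; Offset = 0;  CommandLine = 'whoami /all' }
    @{ Host = 'WS01'; User = 'CORP\jdoe'; Offset = 15; CommandLine = 'C:\Windows\system32\net1 user' }
    @{ Host = 'WS01'; User = 'CORP\jdoe'; Offset = 40; CommandLine = 'C:\Windows\system32\net1 user administrator' }
    @{ Host = 'WS01'; User = 'CORP\jdoe'; Offset = 70; CommandLine = 'C:\Windows\system32\net1 localgroup administrators' }
    @{ Host = 'WS01'; User = 'CORP\jdoe'; Offset = 95; CommandLine = 'netstat -ano' }
    @{ Host = 'WS02'; User = 'CORP\svc';  Offset = 10; CommandLine = 'hostname' }
) | ForEach-Object {
    [pscustomobject]@{
        Time = $t0.AddSeconds($_.Offset); Host = $_.Host; User = $_.User
        Parent = 'C:\Windows\System32\cmd.exe'; CommandLine = $_.CommandLine
    }
}

# Reports one cluster for WS01 (5 commands, 5 distinct, spanning 95 seconds) and nothing for WS02.
$sample | Find-EnumerationClusters | Format-List

# Against a live host (elevated shell, Sysmon installed):
# Get-SysmonProcessEvents -Hours 4 | Find-EnumerationClusters -WindowSeconds 120 -MinDistinct 4
```

Counting distinct command lines rather than raw events keeps a script that runs `whoami` in a loop from tripping the threshold, while a real operator working through `whoami`, `net1 user`, `net1 localgroup` and `netstat` still does. Tune `-MinDistinct` and `-WindowSeconds` against a baseline of admin and helpdesk activity before alerting on it.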
Below are some of the findings that may warrant further investigation of the suspect host:

References

Account Discovery, Technique T1087 - Enterprise | MITRE ATT&CK®