
Summary
This analytic rule detects execution of the command-line tool `dsquery.exe` with arguments that query domain groups in a Windows environment. It relies on process-creation telemetry such as Sysmon Event ID 1 and Windows Security Event ID 4688, matching on the process name `dsquery.exe` together with its command-line parameters. Note that Event 4688 records the command line only when the "Include command line in process creation events" audit policy is enabled; without it, or without Sysmon, the command-line condition cannot be evaluated and the rule will not fire. The detection matters because both administrators and adversaries use `dsquery.exe` for Active Directory enumeration: listing domain groups and their membership reveals the organization's domain structure and the accounts that hold elevated rights. Such queries are a common reconnaissance step in intrusions, where attackers identify users and groups of interest before attempting privilege escalation or data exfiltration, so flagging this execution supports early identification of threats to Active Directory.
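The following is an added illustration of the detection logic described above, run over a handful of constructed process-creation records; it is not the analytic rule's own search and is not code from the rule's author. The field names (`process_path`, `command_line`, `original_file_name`), the sample events, and the definition of "group-related arguments" (the `dsquery group` subcommand, or a `dsquery *` LDAP filter on `objectCategory`/`objectClass` of `group`) are assumptions made for the example, since the page does not show the underlying query. It goes slightly beyond the text in two ways a practitioner would want: it also checks the Sysmon `OriginalFileName` field so a renamed copy of `dsquery.exe` is still caught, and it reports records where the binary ran but no command line was captured (a 4688 event without command-line auditing), which the rule would otherwise silently miss.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Constructed sample events (not real telemetry). Fields are modelled on Sysmon
# Event ID 1 / Security Event 4688. `original_file_name` is the PE's
# OriginalFileName, which Sysmon records but 4688 does not (hence Optional).
Event = Dict[str, Optional[object]]

SAMPLE_EVENTS: List[Event] = [
    {"id": 1, "process_path": r"C:\Windows\System32\dsquery.exe",
     "command_line": 'dsquery group -name "Domain Admins"',
     "original_file_name": "dsquery.exe"},
    {"id": 2, "process_path": r"C:\Windows\System32\dsquery.exe",
     "command_line": 'dsquery * -filter "(objectCategory=group)" -attr member',
     "original_file_name": "dsquery.exe"},
    # Renamed copy of dsquery.exe: only OriginalFileName gives it away.
    {"id": 3, "process_path": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "command_line": 'svc.exe group -name "*admin*"',
     "original_file_name": "dsquery.exe"},
    # dsquery used for a computer query: not a group enumeration, should not alert.
    {"id": 4, "process_path": r"C:\Windows\System32\dsquery.exe",
     "command_line": "dsquery computer -name WS01",
     "original_file_name": "dsquery.exe"},
    # Same intent via net.exe: outside this rule's scope (process name differs).
    {"id": 5, "process_path": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "Domain Admins" /domain',
     "original_file_name": "net.exe"},
    # 4688 without "Include command line in process creation events": blind spot.
    {"id": 6, "process_path": r"C:\Windows\System32\dsquery.exe",
     "command_line": "",
     "original_file_name": None},
]

# Arguments that indicate a domain-group query (assumed definition for this example):
#   - the `dsquery group` subcommand, or
#   - a `dsquery *` LDAP filter selecting group objects.
GROUP_QUERY = re.compile(
    r"""(?ix)
    (?:^|\s)group(?:\s|$)             # `dsquery group ...`
    | objectcategory\s*=\s*group      # `dsquery * -filter "(objectCategory=group)"`
    | objectclass\s*=\s*group         # `dsquery * -filter "(objectClass=group)"`
    """
)


def is_dsquery(event: Event) -> bool:
    """True if the image name or the PE OriginalFileName is dsquery.exe.

    ntpath.basename handles Windows paths regardless of the host OS.
    """
    names = {ntpath.basename(str(event["process_path"])).lower()}
    original = event.get("original_file_name")
    if original:
        names.add(str(original).lower())
    return "dsquery.exe" in names


def run_detection(events: List[Event]) -> Dict[str, List[int]]:
    """Apply the rule: dsquery.exe + group-related command line.

    Returns the ids that alert, plus the ids where dsquery.exe ran but no
    command line was recorded (the rule cannot decide those; flag for
    audit-policy follow-up rather than dropping them).
    """
    alerts: List[int] = []
    blind: List[int] = []
    for ev in events:
        if not is_dsquery(ev):
            continue
        cmd = str(ev.get("command_line") or "")
        if not cmd.strip():
            blind.append(int(ev["id"]))  # type: ignore[arg-type]
            continue
        if GROUP_QUERY.search(cmd):
            alerts.append(int(ev["id"]))  # type: ignore[arg-type]
    return {"alerts": alerts, "blind": blind}


if __name__ == "__main__":
    print(run_detection(SAMPLE_EVENTS))
```

Events 1 through 3 alert (the third only because `OriginalFileName` is consulted), event 4 is a non-group query and event 5 is `net.exe`, so neither alerts, and event 6 is reported separately as a blind spot: a host that logs 4688 without command-line auditing produces exactly that shape of record, and the only fix is the audit policy, not the rule.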
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Windows Registry
- Process
- Application Log
ATT&CK Techniques
- T1069
- T1069.002
Created: 2024-11-13