Did you want to check out some of your detections? This isn’t everything of course but it’s a simple batch file to simulate a range of enumeration techniques used by actors like CONTI or LOCKBIT affiliates/operators:
REM Simulate A human threat actor doing enumeration
REM mRr3b00t - Cyber Education Script
REM Use at own risk
REM Hack 4 Good
REM Run from a command prompt (cmd.exe)
whoami
whoami /groups
nltest /dclist:%USERDOMAIN%
net localgroup administrators
net group /domain "Domain Admins"
net group /domain "Enterprise Admins"
net computers
net accounts
net view /DOMAIN:%USERDOMAIN%
wmic.exe /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayname /Format:List
systeminfo
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
reg query" HKCU\Software\SimonTatham\PuTTY\Sessions"
type "%AllUsersProfile%Application Data\McAfee\Common Framework\SiteList.xml"
type C:\inetpub\wwwroot\web.config
REM #### This can be slow ####
REM reg query HKLM /f password /t REG_SZ /s
REM reg query HKCU /f password /t REG_SZ /s
The real question here is, would your IT or Security team (SOC) detect this? Do you even have a SOC?
If you saw all of these run on a system would you be suspicious?
Makes you think, does it?
Detection in MDE
Now there’s loads of ways to write this, as basic version is here (but expect false positives as a number of apps call WMIC or NETSH etc.) (this just does process launches, it won’t catch reading the SiteList.xml but you could use DeviceFileEvents for that)
DeviceProcessEvents
| where Timestamp > ago(60m)
| where ProcessCommandLine contains "net localgroup"
or ProcessCommandLine contains "req query"
or ProcessCommandLine contains "req.exe query"
or ProcessCommandLine contains "whoami"
or ProcessCommandLine contains "net user"
or ProcessCommandLine contains "route print"
or ProcessCommandLine contains "ipconfig"
or ProcessCommandLine contains "wmic"
or ProcessCommandLine contains "dcdiag"
or ProcessCommandLine contains "cmdkey"
or ProcessCommandLine contains "reg save"
or ProcessCommandLine contains "reg restore"
or ProcessCommandLine contains "reg group"
or ProcessCommandLine contains "fsutil"
or ProcessCommandLine contains "ntdsutil"
or ProcessCommandLine contains "autorunsc.exe"
or ProcessCommandLine contains "accesschk.exe"
or ProcessCommandLine contains "gpresult.exe"
or ProcessCommandLine contains "icalcs.exe"
or ProcessCommandLine contains "netstat.exe"
or ProcessCommandLine contains "netsh.exe"
or ProcessCommandLine contains "putty.exe"
or ProcessCommandLine contains "systeminfo"
or ProcessCommandLine contains "nltest"
or ProcessCommandLine contains "-RemoveDefinitions -All"
or ProcessCommandLine contains "netsh advfirewall firewall dump"
or ProcessCommandLine contains "reg add"
or ProcessCommandLine contains "reg.exe add"
or ProcessCommandLine contains "-RemoveDefinitions -All"
or ProcessCommandLine contains "wmic service list brief"
or ProcessCommandLine contains "rundll32 keymgr,KRShowKeyMgr"
or ProcessCommandLine contains "netsh wlan show profile"
or ProcessCommandLine contains "password"
or ProcessCommandLine contains "psexec"
or ProcessCommandLine contains "psexec64"
| sort by Timestamp desc