Create domain_enumeration_using_netdom.yml #3555


Open: wants to merge 8 commits into base branch develop

Conversation

thegreatmhn

This Pull Request adds a new detection to identify potential enumeration of Active Directory infrastructure using the netdom.exe utility. It targets specific keywords in the process command-line arguments such as:

QUERY, WORKSTATION, SERVER, DC, OU, PDC, FSMO, and TRUST

These arguments are commonly associated with the discovery of domain topology, trust relationships, and FSMO roles — tactics that are frequently used during internal reconnaissance and lateral movement in enterprise environments.

Details
This PR includes a new correlation search that leverages the Endpoint.Processes data model via tstats. It detects the execution of netdom.exe with arguments indicative of Active Directory enumeration attempts. These can reveal information about the domain structure, trust boundaries, or domain role assignments. This technique is often leveraged by adversaries post-compromise during the discovery or lateral movement stages.

@ljstella
Contributor

Hi @thegreatmhn -

Thanks for the contribution! Working through some of the CI errors here: you're currently failing to build because the search doesn't end with a filter macro. The filter macro is based off of the name field in the detection, so in this case it should be netdom_active_directory_enumeration_filter at the end of the search.

However, once you add the filter macro, you're going to be getting a new error, because the name inside the detection should be derived off of the filename. So, it'll be a matter of either renaming the file to netdom_active_directory_enumeration.yml or changing the name in the detection to Domain Enumeration Using Netdom; either one should work.

@ljstella
Contributor

Update: Alright, thanks for taking care of the naming schema stuff. The next failure is related to the rba section being missing. This needs a risk message, a risk object, and can have threat objects, because the Type selected creates both Notables and Risk Events in pre-ES8 environments, and creates Findings (which have risk) in ES8+ environments.

Just about every other detection should have an example if you want to see one, also happy to help explain/walk through any of the fields it requires.

@nasbench
Contributor

nasbench commented Jun 12, 2025

@thegreatmhn thanks for the contribution. I made some changes to help with the CI errors you are facing. I also reduced the type to an Anomaly, as this could be anomalous behavior but is not immediately alert-worthy.

There was also a bug with the logic. The "* QUERY *" flag is required, from the quick check I did on MSDN. Hence it should be used along with the other params: workstation | server | dc | ou | pdc | fsmo | trust.

You need to upload your test data to https://github.com/splunk/attack_data - Simply follow any of the examples available there by creating dedicated yaml and log files for the technique you are covering.

As for the fixes, here are a couple of things that you might not be aware of but are needed when contributing rules to this repo.

Anyway, once you upload the test data as mentioned above, we can start the CI tests again and resolve any issues.
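To make the logic fix discussed above concrete, here is an added Python model (not code from the PR or the security_content project) of the netdom detection described in the PR, with the original keyword-substring match side by side with the corrected "QUERY plus one target" match and the RBA fields the reviewers asked for; the sample Endpoint.Processes-style events, host names and users are constructed, and the netdom command lines are assumptions about typical usage.

```python
from __future__ import annotations

# netdom QUERY targets the PR flags as Active Directory enumeration.
QUERY_TARGETS = {"workstation", "server", "dc", "ou", "pdc", "fsmo", "trust"}
KEYWORDS = QUERY_TARGETS | {"query"}

def _tokens(command_line: str) -> set[str]:
    """Lowercase, whitespace-split tokens with surrounding quotes removed."""
    return {t.strip('"\'').lower() for t in command_line.split()}

def matches_wildcard_logic(command_line: str) -> bool:
    """Approximation of the original logic: any keyword as a substring match.
    Over-broad, as nasbench noted: 'server01' or '/server:dc01' also hit."""
    cl = command_line.lower()
    return any(k in cl for k in KEYWORDS)

def is_netdom_enumeration(process_name: str, command_line: str) -> bool:
    """Corrected logic: netdom.exe, the QUERY verb, and one enumeration target."""
    if process_name.lower() != "netdom.exe":
        return False
    toks = _tokens(command_line)
    return "query" in toks and bool(toks & QUERY_TARGETS)

def to_risk_event(event: dict) -> dict | None:
    """Shape a matching event into the RBA fields a Notable/Finding needs:
    risk message, risk object (dest) and threat object (process name)."""
    if not is_netdom_enumeration(event["process_name"], event["process"]):
        return None
    return {
        "risk_message": f"netdom.exe run by {event['user']} on {event['dest']} "
                        f"to query the domain: {event['process']}",
        "risk_object": event["dest"],
        "threat_object": event["process_name"],
    }

# Constructed sample events using Endpoint.Processes field names (not real telemetry).
SAMPLE_EVENTS = [
    {"dest": "ws01", "user": "CORP\\jdoe", "process_name": "netdom.exe",
     "process": "netdom query /d:corp.local fsmo"},
    {"dest": "ws02", "user": "CORP\\jdoe", "process_name": "netdom.exe",
     "process": "NETDOM QUERY TRUST"},
    # Routine domain join: trips the wildcard logic, not the corrected one.
    {"dest": "ws03", "user": "CORP\\admin", "process_name": "netdom.exe",
     "process": "netdom join server01 /domain:corp.local /server:dc01"},
    {"dest": "ws04", "user": "CORP\\svc", "process_name": "powershell.exe",
     "process": 'powershell -c "Get-ADTrust -Filter *"'},
]

def detect(events: list[dict]) -> list[dict]:
    """Run the corrected detection over a batch and return the RBA events."""
    return [r for e in events if (r := to_risk_event(e)) is not None]
```

Running `detect(SAMPLE_EVENTS)` yields risk events for ws01 and ws02 only, while `matches_wildcard_logic` also fires on the ws03 domain join and the PowerShell line.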

@nasbench nasbench added the WIP DO NOT MERGE Work in Progress label Jun 12, 2025
pyth0n1c and others added 2 commits June 16, 2025 08:53
This detection monitors changes to the 'IPEnableRouter' registry value under
'SYSTEM\CurrentControlSet\Services\Tcpip\Parameters', which enables IP forwarding
on Windows systems. Enabling routing is uncommon on most endpoints and may
indicate lateral movement, network pivoting, or malicious reconfiguration activity.

The rule uses the Endpoint.Registry data model and includes metadata, references,
RBA configuration, MITRE mappings, and drilldowns, following ESCU contribution standards.
@nasbench
Contributor

@thegreatmhn ping

@patel-bhavin
Contributor

@thegreatmhn : Hello there! Can you please help us with sharing an attack data sample event? This will help us test this detection and get it shipped!

Labels: Detections, WIP DO NOT MERGE (Work in Progress)
5 participants