get domain information

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: get domain information
    namespace: host-interaction/network/domain
    authors:
      - awillia2@cisco.com
      - anushka.virgaonkar@mandiant.com
      - michael.hunhoff@mandiant.com
    description: Detect collection of Windows domain information
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Discovery::System Network Configuration Discovery [T1016]
    examples:
      - 9B7CCAA2AE6A5B96E3110EBCBC4311F6:0x1001C184
  features:
    - or:
      - api: netapi32.DsRoleGetPrimaryDomainInformation
      - api: System.DirectoryServices.ActiveDirectory.Domain::GetComputerDomain
      - property/read: System.Net.NetworkInformation.IPGlobalProperties::DomainName

last edited: 2023-11-24 10:34:28