get user security identifier

edit on GitHub
search on VirusTotal

# generated using capa explorer for IDA Pro
rule:
  meta:
    name: get user security identifier
    namespace: host-interaction/session
    authors:
      - michael.hunhoff@mandiant.com
    scopes:
      static: basic block
      dynamic: call
    att&ck:
      - Discovery::Account Discovery [T1087]
    examples:
      - mimikatz.exe_:0x40DC42
  features:
    - or:
      - api: advapi32.LookupAccountName
      - api: advapi32.LsaLookupNames
      - api: advapi32.LsaLookupNames2

last edited: 2023-11-24 10:35:00