Update and rename win_system_owner_user_discovery.yml to win_local_system_owner_account_discovery.yml

rules/windows/process_creation/win_local_system_owner_account_discovery.yml

@@ -0,0 +1,60 @@
+title: Local accounts discovery
+status: experimental
+description: Local accounts, System Owner/User discovery using operating systems utilities 
+author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_1:
+      - Image: '*\whoami.exe'
+      - Image: '*\wmic.exe'
+        CommandLine|contains|all:
+            - 'useraccount'
+            - 'get'
+      - Image: 
+            - '*\quser.exe'
+            - '*\qwinsta.exe'
+      - Image: '*\cmdkey.exe'
+        CommandLine|contains: '/list'
+      - Image: '*\cmd.exe'
+        CommandLine|contains|all: 
+            - '/c'
+            - 'dir'
+            - '\Users\'
+    selection_2:
+        Image:
+            - '*\net.exe'
+            - '*\net1.exe'
+        CommandLine|contains: 'user'
+    filter:
+        CommandLine|contains:
+            - '/domain'       # local account discovery only
+            - '/add'          # discovery only
+            - '/delete'       # discovery only
+            - '/active'       # discovery only
+            - '/expires'      # discovery only
+            - '/passwordreq'  # discovery only
+            - '/scriptpath'   # discovery only
+            - '/times'        # discovery only
+            - '/workstations' # discovery only
+    condition: selection_1 or ( selection_2 and not filter )
+fields:
+    - Image
+    - CommandLine
+    - User
+    - LogonGuid
+    - Hashes
+    - ParentProcessGuid
+    - ParentCommandLine
+falsepositives:
+     - Legitimate administrator or user enumerates local users for legitimate reason
+level: low
+tags:
+    - attack.discovery
+    - attack.t1033
+    - attack.t1087

rules/windows/process_creation/win_system_owner_user_discovery.yml

@@ -1,30 +0,0 @@
-title: System Owner/User Discovery
-status: experimental
-description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-author: Timur Zinniatullin, oscd.community
-references:
-    - https://attack.mitre.org/techniques/T1033/
-    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        CommandLine:
-            - '*cmd.exe*/c*whoami*'
-            - '*wmic*useraccount*get*'
-            - '*quser*'
-            - '*qwinsta*'
-    condition: selection
-fields:
-    - Image
-    - CommandLine
-    - User
-    - LogonGuid
-    - Hashes
-    - ParentProcessGuid
-    - ParentCommandLine
-level: low
-tags:
-    - attack.discovery
-    - attack.t1033