/
disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
65 lines (65 loc) · 2.7 KB
/
disabled_kerberos_pre_authentication_discovery_with_get_aduser.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
name: Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
id: 114c6bfe-9406-11ec-bcce-acde48001122
version: 2
date: '2023-12-27'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104)
to identify the execution of the `Get-ADUser` commandlet with specific parameters.
`Get-ADUser` is part of the Active Directory PowerShell module used to manage Windows
Active Directory networks. As the name suggests, `Get-ADUser` is used to query for
domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover
domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries
alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack
their passwords offline.
data_source:
- Powershell Script Block Logging 4104
search: ' `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADUser*" AND ScriptBlockText="*4194304*")
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer
UserID EventCode ScriptBlockText | rename Computer as dest | `security_content_ctime(firstTime)`
| `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup here
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: Administrators or power users may use search for accounts with
Kerberos Pre Authentication disabled for legitimate purposes.
references:
- https://attack.mitre.org/techniques/T1558/004/
- https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
- https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/
tags:
analytic_story:
- CISA AA23-347A
- Active Directory Kerberos Attacks
asset_type: Endpoint
confidence: 90
impact: 60
message: Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest$
mitre_attack_id:
- T1558
- T1558.004
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- ScriptBlockText
- Opcode
- Computer
- UserID
- EventCode
risk_score: 54
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/getaduser/get-aduser-powershell.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog