get_addefaultdomainpasswordpolicy_with_powershell_script_block.yml
name: Get ADDefaultDomainPasswordPolicy with Powershell Script Block
id: 1ff7ccc8-065a-11ec-91e4-acde48001122
version: 2
date: '2022-03-22'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: Hunting
description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104)
  to identify the execution of the `Get-ADDefaultDomainPasswordPolicy` cmdlet, which
  returns the password policy of a Windows domain. Red Teams and adversaries alike
  may use PowerShell to enumerate domain policies for situational awareness and
  Active Directory Discovery.
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 ScriptBlockText ="*Get-ADDefaultDomainPasswordPolicy*"
  | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText
  Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
  | `get_addefaultdomainpasswordpolicy_with_powershell_script_block_filter`'
how_to_implement: The following Hunting analytic requires PowerShell operational logs
  to be imported. Modify the `powershell` macro as needed to match the sourcetype or
  to add an index. This analytic is specific to EventCode 4104, PowerShell Script Block Logging.
known_false_positives: Administrators or power users may use this command for troubleshooting.
references:
- https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
- https://attack.mitre.org/techniques/T1201/
- https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy?view=windowsserver2019-ps
tags:
  analytic_story:
  - Active Directory Discovery
  asset_type: Endpoint
  confidence: 30
  impact: 30
  message: PowerShell process with command line "Get-ADDefaultDomainPasswordPolicy" querying the domain password policy on $dest$
  mitre_attack_id:
  - T1201
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: user
    type: User
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - EventCode
  - Message
  - ComputerName
  - User
  risk_score: 9
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1201/pwd_policy_discovery/windows-powershell-xml.log
    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
    sourcetype: xmlwineventlog
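The hunting logic expressed by the `search` field, re-implemented as an added Python example (not Splunk and not the security_content project's own code) so it can be run offline over constructed 4104 events in the XmlWinEventLog layout. It performs the same steps as the SPL: keep only EventCode 4104 events whose `ScriptBlockText` contains the cmdlet name (case-insensitive, like the Splunk wildcard match), aggregate `count`/`firstTime`/`lastTime` by EventCode, ScriptBlockText, Computer and UserID with the `dest`/`user` renames, and then apply a stand-in for the `_filter` macro implemented as an allowlist of account SIDs. The event XML, host names, SIDs and timestamps are constructed sample data; the SID allowlist is an assumed tuning choice, not part of the detection as shipped.

```python
"""Offline re-implementation of the 4104 Get-ADDefaultDomainPasswordPolicy hunt.

Constructed example; the XML below mimics the XmlWinEventLog layout of the
Microsoft-Windows-PowerShell/Operational channel with only the fields the
search needs filled in.
"""
from collections import defaultdict
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Splunk's "*Get-ADDefaultDomainPasswordPolicy*" wildcard match is case-insensitive.
PATTERN = "get-addefaultdomainpasswordpolicy"

# Constructed SIDs for the sample events.
USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"

# Assumed stand-in for the `..._filter` macro: accounts whose use of the
# cmdlet is expected (e.g. a documented admin account) and should be dropped.
FILTERED_USERS = {ADMIN_SID}


def make_event(event_id, script, computer, user_sid, when):
    """Build one constructed XmlWinEventLog-style event as a string."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>{computer}</Computer>
    <Security UserID="{user_sid}"/>
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">{escape(script)}</Data>
  </EventData>
</Event>"""


# Constructed sample: two identical hits, one differently phrased hit, one hit
# from the allowlisted admin, one 4103 event (wrong EventCode), one benign 4104.
SAMPLE_EVENTS = [
    make_event(4104, "Get-ADDefaultDomainPasswordPolicy", "ws-042.corp.example",
               USER_SID, "2022-03-22T10:15:30.1234567Z"),
    make_event(4104, "Get-ADDefaultDomainPasswordPolicy", "ws-042.corp.example",
               USER_SID, "2022-03-22T10:16:02.0000000Z"),
    make_event(4104, "Import-Module ActiveDirectory; get-addefaultdomainpasswordpolicy | Format-List",
               "ws-042.corp.example", USER_SID, "2022-03-22T10:20:00.0000000Z"),
    make_event(4104, "Get-ADDefaultDomainPasswordPolicy", "win-dc-01.corp.example",
               ADMIN_SID, "2022-03-22T11:00:00.0000000Z"),
    make_event(4103, "Get-ADDefaultDomainPasswordPolicy", "ws-042.corp.example",
               USER_SID, "2022-03-22T10:15:31.0000000Z"),
    make_event(4104, "Get-Process | Sort-Object CPU -Descending", "ws-042.corp.example",
               USER_SID, "2022-03-22T10:30:00.0000000Z"),
]


def parse_event(xml_text):
    """Extract the fields the SPL uses: EventCode, ScriptBlockText, Computer, UserID, _time."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    when = system.find("e:TimeCreated", NS).get("SystemTime")
    # SystemTime carries a 7-digit fraction; seconds precision is enough for first/last.
    ts = datetime.strptime(when[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "EventCode": int(system.findtext("e:EventID", namespaces=NS)),
        "ScriptBlockText": data.get("ScriptBlockText", ""),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "UserID": system.find("e:Security", NS).get("UserID"),
        "_time": ts,
    }


def hunt(events, filtered_users=FILTERED_USERS):
    """Filter on EventCode=4104 + cmdlet name, then stats by the SPL's grouping keys."""
    groups = defaultdict(list)
    for ev in events:
        if ev["EventCode"] != 4104 or PATTERN not in ev["ScriptBlockText"].lower():
            continue
        key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
        groups[key].append(ev["_time"])
    rows = []
    for (code, text, dest, user), times in groups.items():
        if user in filtered_users:  # what the `_filter` macro would suppress
            continue
        rows.append({"EventCode": code, "ScriptBlockText": text, "dest": dest, "user": user,
                     "count": len(times), "firstTime": min(times), "lastTime": max(times)})
    return rows


def run_sample():
    """Parse the constructed events and return the hunt's result rows."""
    return hunt(parse_event(x) for x in SAMPLE_EVENTS)


if __name__ == "__main__":
    for row in run_sample():
        print(f"{row['count']:>3}  {row['firstTime']:%H:%M:%S}-{row['lastTime']:%H:%M:%S}  "
              f"{row['dest']}  {row['user']}  {row['ScriptBlockText']}")
```

Running it yields two rows for `ws-042.corp.example`: the two identical script blocks collapse into one row with `count` 2, and the differently phrased invocation stays a separate row because `ScriptBlockText` is a grouping key, exactly as in the SPL. The admin's invocation is dropped by the allowlist, which is the place to encode the known false positives noted above, and the 4103 and benign 4104 events never enter the aggregation.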