get_aduser_with_powershell_script_block.yml
name: Get ADUser with PowerShell Script Block
id: 21432e40-04f4-11ec-b7e6-acde48001122
version: 3
date: '2024-05-29'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: Hunting
description: The following analytic detects the execution of the `Get-AdUser` PowerShell
cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script
Block Logging (EventCode=4104) to identify instances where this command is executed
with a filter. This activity is significant as it may indicate an attempt by adversaries
or Red Teams to gather information about domain users for situational awareness
and Active Directory discovery. If confirmed malicious, this behavior could lead
to further reconnaissance and potential exploitation of user accounts within the
domain.
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBlockText
  = "*-filter*" | stats count min(_time) as firstTime max(_time) as lastTime by EventCode
  ScriptBlockText Computer UserID | rename Computer as dest, UserID as user | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` | `get_aduser_with_powershell_script_block_filter`'
how_to_implement: The following Hunting analytic requires PowerShell operational logs
to be imported. Modify the powershell macro as needed to match the sourcetype or
add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: Administrators or power users may use this command for troubleshooting.
references:
- https://www.blackhillsinfosec.com/red-blue-purple/
- https://attack.mitre.org/techniques/T1087/002/
- https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps
tags:
  analytic_story:
  - Active Directory Discovery
  - CISA AA23-347A
  asset_type: Endpoint
  confidence: 50
  impact: 50
  message: Powershell process having commandline "get-aduser" for user enumeration
    on $dest$
  mitre_attack_id:
  - T1087.002
  - T1087
  observable:
  - name: dest
    type: Hostname
    role:
    - Victim
  - name: user
    type: User
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - EventCode
  - Message
  - ComputerName
  - User
  risk_score: 25
  security_domain: endpoint
tests:
- name: True Positive Test
  attack_data:
  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/aduser_powershell.log
    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
    sourcetype: XmlWinEventLog
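The rule's `search` field, re-implemented stand-alone in Python and run over constructed EventCode 4104 records, so the predicate and the `stats ... by` grouping can be checked offline. This is an added example, not code from the Splunk security_content project; the sample events are made up, and it assumes Splunk's wildcard matching on field values is case-insensitive.

```python
# Constructed sample 4104 script block events (not real telemetry).
SAMPLE_EVENTS = [
    {"_time": 1716969600, "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADUser -Filter * -Properties MemberOf"},
    {"_time": 1716969660, "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADUser -Filter * -Properties MemberOf"},
    # Cmdlet present but no -Filter clause: the search does not select it.
    {"_time": 1716969720, "EventCode": 4104, "Computer": "ws02.corp.example",
     "UserID": "CORP\\admin",
     "ScriptBlockText": "Get-ADUser -Identity svc_backup"},
    # Text matches but the event code is not 4104: not selected either.
    {"_time": 1716969780, "EventCode": 4103, "Computer": "ws03.corp.example",
     "UserID": "CORP\\ops",
     "ScriptBlockText": "get-aduser -filter 'Enabled -eq $true'"},
]


def matches(event):
    """EventCode=4104 AND ScriptBlockText="*get-aduser*" AND ScriptBlockText="*-filter*".
    Lower-casing models Splunk's case-insensitive field-value matching (assumption)."""
    text = str(event.get("ScriptBlockText", "")).lower()
    return event.get("EventCode") == 4104 and "get-aduser" in text and "-filter" in text


def run_detection(events):
    """Emulate `stats count min(_time) as firstTime max(_time) as lastTime
    by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user`."""
    groups = {}
    for ev in filter(matches, events):
        key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    # One row per group, with the renamed dest/user fields the rule's observables expect.
    return [{"EventCode": code, "ScriptBlockText": text, "dest": comp, "user": user, **g}
            for (code, text, comp, user), g in groups.items()]


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["dest"], row["user"], row["count"], row["firstTime"], row["lastTime"])
```

Only the two ws01 events collapse into a single row; the other two illustrate why a triage analyst should expect this hunt to miss `-Identity` lookups and non-4104 sources by design.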