-
Notifications
You must be signed in to change notification settings - Fork 333
/
getdomaincontroller_with_powershell_script_block.yml
62 lines (62 loc) · 2.47 KB
/
getdomaincontroller_with_powershell_script_block.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
name: GetDomainController with PowerShell Script Block
id: 676b600a-a94d-4951-b346-11329431e6c1
version: 3
date: '2024-05-13'
author: Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic detects the execution of the `Get-DomainController`
commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet
is part of PowerView, a tool often used for domain enumeration. The detection leverages
script block text to identify this specific activity. Monitoring this behavior is
crucial as it may indicate an adversary or Red Team performing reconnaissance to
map out domain controllers. If confirmed malicious, this activity could lead to
further domain enumeration, potentially exposing sensitive information and aiding
in lateral movement within the network.
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainController*")
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer
UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getdomaincontroller_with_powershell_script_block_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup here
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: Administrators or power users may use this PowerShell commandlet
for troubleshooting.
references:
- https://attack.mitre.org/techniques/T1018/
- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainController/
tags:
analytic_story:
- Active Directory Discovery
asset_type: Endpoint
confidence: 80
impact: 30
message: Remote system discovery with PowerView on $Computer$ by $UserID$
mitre_attack_id:
- T1018
observable:
- name: Computer
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- ScriptBlockText
- Opcode
- Computer
- UserID
- EventCode
risk_score: 24
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getdc.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog