-
Notifications
You must be signed in to change notification settings - Fork 333
/
getlocaluser_with_powershell_script_block.yml
65 lines (65 loc) · 2.58 KB
/
getlocaluser_with_powershell_script_block.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
name: GetLocalUser with PowerShell Script Block
id: 2e891cbe-0426-11ec-9c9c-acde48001122
version: 3
date: '2024-05-13'
author: Mauricio Velazco, Splunk
status: production
type: Hunting
description: The following analytic detects the execution of the `Get-LocalUser` PowerShell
commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet
lists all local users on a system. The detection leverages script block text from
PowerShell logs to identify this activity. Monitoring this behavior is significant
as adversaries and Red Teams may use it to enumerate local users for situational
awareness and Active Directory discovery. If confirmed malicious, this activity
could lead to further reconnaissance, enabling attackers to identify potential targets
for privilege escalation or lateral movement.
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*") | stats
count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText
Computer user_id | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `getlocaluser_with_powershell_script_block_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup here
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: Administrators or power users may use this PowerShell commandlet
for troubleshooting.
references:
- https://attack.mitre.org/techniques/T1087/001/
- https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
tags:
analytic_story:
- Active Directory Discovery
- Malicious PowerShell
asset_type: Endpoint
confidence: 50
impact: 30
message: Local user discovery enumeration using PowerShell on $Computer$ by $user$
mitre_attack_id:
- T1087
- T1087.001
- T1059.001
observable:
- name: Computer
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- ScriptBlockText
- Computer
- UserID
risk_score: 15
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data:
https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog