/
windows_account_discovery_for_none_disable_user_account.yml
61 lines (61 loc) · 2.66 KB
/
windows_account_discovery_for_none_disable_user_account.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
name: Windows Account Discovery for None Disable User Account
id: eddbf5ba-b89e-47ca-995e-2d259804e55e
version: 2
date: '2023-12-15'
author: Teoderick Contreras, Splunk
status: production
type: Hunting
data_source:
- Powershell Script Block Logging 4104
description: The following analytic utilizes PowerShell Script Block Logging to identify
the execution of the PowerView PowerShell commandlet Get-NetUser. In the context
of PowerView's Get-NetUser cmdlet as a filter or parameter to query Active Directory
user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE". Utilize this query to identify potential suspicious activity of user account enumeration.
search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*"
| rename Computer as dest, UserID as user
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_account_discovery_for_none_disable_user_account_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup here
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=
known_false_positives: Administrators may leverage PowerView for legitimate purposes, filter as needed.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://powersploit.readthedocs.io/en/stable/Recon/README/
- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
- https://atomicredteam.io/discovery/T1087.001/
tags:
analytic_story:
- CISA AA23-347A
asset_type: Endpoint
confidence: 50
impact: 30
message: Windows Account Discovery for None Disable User Account using PowerView's Get-NetUser on $dest$.
mitre_attack_id:
- T1087
- T1087.001
observable:
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
risk_score: 15
required_fields:
- _time
- ScriptBlockText
- dest
- EventCode
- user
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog