/
windows_find_domain_organizational_units_with_getdomainou.yml
58 lines (58 loc) · 2.54 KB
/
windows_find_domain_organizational_units_with_getdomainou.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
name: Windows Find Domain Organizational Units with GetDomainOU
id: 0ada2f82-b7af-40cc-b1d7-1e5985afcb4e
version: 1
date: '2023-08-31'
author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
status: production
type: TTP
data_source:
- Powershell Script Block Logging 4104
description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies.
search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `windows_find_domain_organizational_units_with_getdomainou_filter`'
how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.
references:
- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainOU/
- https://attack.mitre.org/techniques/T1087/002/
- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
tags:
analytic_story:
- Active Directory Discovery
asset_type: Endpoint
confidence: 50
impact: 50
message: Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$
by user $user$.
mitre_attack_id:
- T1087
- T1087.002
observable:
- name: dest
type: Hostname
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- Message
- Computer
- UserID
risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-DomainOU-xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog