/
windows_find_interesting_acl_with_findinterestingdomainacl.yml
57 lines (57 loc) · 2.7 KB
/
windows_find_interesting_acl_with_findinterestingdomainacl.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
name: Windows Find Interesting ACL with FindInterestingDomainAcl
id: e4a96dfd-667a-4487-b942-ccef5a1e81e8
version: 1
date: '2023-08-31'
author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
status: production
type: TTP
data_source:
- Powershell Script Block Logging 4104
description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory.
search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `windows_find_interesting_acl_with_findinterestingdomainacl_filter`'
how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.
references:
- https://powersploit.readthedocs.io/en/latest/Recon/Find-InterestingDomainAcl/
- https://attack.mitre.org/techniques/T1087/002/
- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
tags:
analytic_story:
- Active Directory Discovery
asset_type: Endpoint
confidence: 50
impact: 50
message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$.
mitre_attack_id:
- T1087
- T1087.002
observable:
- name: dest
type: Hostname
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- Message
- Computer
- UserID
risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-interestingACL-xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog