/
windows_forest_discovery_with_getforestdomain.yml
57 lines (57 loc) · 2.65 KB
/
windows_forest_discovery_with_getforestdomain.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
name: Windows Forest Discovery with GetForestDomain
id: a14803b2-4bd9-4c08-8b57-c37980edebe8
version: 1
date: '2023-08-31'
author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
status: production
type: TTP
data_source:
- Powershell Script Block Logging 4104
description: This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment. Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation.
search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `windows_forest_discovery_with_getforestdomain_filter`'
how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.
references:
- https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestDomain/
- https://attack.mitre.org/techniques/T1087/002/
- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
tags:
analytic_story:
- Active Directory Discovery
asset_type: Endpoint
confidence: 50
impact: 50
message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$.
mitre_attack_id:
- T1087
- T1087.002
observable:
- name: dest
type: Hostname
role:
- Victim
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- Message
- Computer
- UserID
risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-ForestDomain-xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog