/
windows_linked_policies_in_adsi_discovery.yml
62 lines (62 loc) · 2.4 KB
/
windows_linked_policies_in_adsi_discovery.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
name: Windows Linked Policies In ADSI Discovery
id: 510ea428-4731-4d2f-8829-a28293e427aa
version: 1
date: '2023-04-14'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic utilizes PowerShell Script Block Logging (EventCode=4104)
to identify the `[Adsisearcher]` type accelerator being used to query Active Directory
for domain groups. Red Teams and adversaries may leverage `[Adsisearcher]` to enumerate
domain organizational unit for situational awareness and Active Directory Discovery.
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 ScriptBlockText = "*[adsisearcher]*" ScriptBlockText
= "*objectcategory=organizationalunit*" ScriptBlockText = "*findAll()*" | stats
count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText
Computer user_id
| rename Computer as dest, user_id as user
| `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `windows_linked_policies_in_adsi_discovery_filter`'
how_to_implement: The following Hunting analytic requires PowerShell operational logs
to be imported. Modify the powershell macro as needed to match the sourcetype or
add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: Administrators or power users may use this command for troubleshooting.
references:
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
- https://medium.com/@pentesttas/discover-hidden-gpo-s-on-active-directory-using-ps-adsi-a284b6814c81
tags:
analytic_story:
- Data Destruction
- Active Directory Discovery
- Industroyer2
asset_type: Endpoint
confidence: 50
impact: 50
message: Windows PowerShell [Adsisearcher] was used user enumeration on $user$
mitre_attack_id:
- T1087.002
- T1087
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- EventCode
- ScriptBlockText
- Computer
- user_id
risk_score: 25
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/adsi_discovery/windows-powershell-xml2.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: xmlwineventlog