LoFP / administrators may leverage powersploit tools for legitimate reasons, filter as needed.

Techniques

Sample rules

Windows Find Domain Organizational Units with GetDomainOU

Description

The following analytic detects the execution of the Get-DomainOU cmdlet, a part of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting Get-DomainOU usage is significant as adversaries may use it to gather information about organizational units within Active Directory, which can facilitate lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to map the domain structure, aiding in further exploitation and persistence within the network.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest, UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_find_domain_organizational_units_with_getdomainou_filter`

Windows Find Interesting ACL with FindInterestingDomainAcl

Description

The following analytic detects the execution of the Find-InterestingDomainAcl cmdlet, part of the PowerView toolkit, using PowerShell Script Block Logging (EventCode=4104). This detection leverages logs to identify when this command is run, which is significant as adversaries may use it to find misconfigured or unusual Access Control Lists (ACLs) within a domain. If confirmed malicious, this activity could allow attackers to identify privilege escalation opportunities or weak security configurations in Active Directory, potentially leading to unauthorized access or further exploitation.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest, UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_find_interesting_acl_with_findinterestingdomainacl_filter`

Windows Get Local Admin with FindLocalAdminAccess

Description

The following analytic detects the execution of the Find-LocalAdminAccess cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a toolkit for Windows domain enumeration. Identifying the use of Find-LocalAdminAccess is crucial as adversaries may use it to find machines where the current user has local administrator access, facilitating lateral movement or privilege escalation. If confirmed malicious, this activity could allow attackers to target and compromise additional systems within the network, significantly increasing their control and access to sensitive information.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest, UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_get_local_admin_with_findlocaladminaccess_filter`

Windows Forest Discovery with GetForestDomain

Description

The following analytic detects the execution of the Get-ForestDomain cmdlet, a component of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting Get-ForestDomain is significant because adversaries and Red Teams use it to gather detailed information about Active Directory forest and domain configurations. If confirmed malicious, this activity could enable attackers to understand the domain structure, facilitating lateral movement or privilege escalation within the environment.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest, UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_forest_discovery_with_getforestdomain_filter`
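As an added example that is not part of the LoFP page or the Splunk content it indexes, the following Python mirrors the four SPL pipelines above over constructed Script Block Logging events: the case-insensitive cmdlet-name wildcard match, the stats and rename stages, and the trailing *_filter macro modelled as an allowlist of approved administrator accounts (the tuning the page's title advises). The event records, hostnames and account names are constructed.

```python
import re
from datetime import datetime

# The four PowerView cmdlets the page's analytics look for (SPL: ScriptBlockText="*Cmdlet*").
POWERVIEW_CMDLETS = ("Get-DomainOU", "Find-InterestingDomainAcl",
                     "Find-LocalAdminAccess", "Get-ForestDomain")
# SPL wildcard matching on strings is case-insensitive; mirror that here.
_PATTERN = re.compile("|".join(re.escape(c) for c in POWERVIEW_CMDLETS), re.IGNORECASE)

# Constructed sample EventCode 4104 records; not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T09:00:00", "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice", "ScriptBlockText": "Get-DomainOU -Domain corp.example"},
    {"_time": "2024-05-01T09:05:00", "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice", "ScriptBlockText": "Get-DomainOU -Domain corp.example"},
    {"_time": "2024-05-01T10:00:00", "EventCode": 4104, "Computer": "srv02.corp.example",
     "UserID": "CORP\\svc-audit", "ScriptBlockText": "find-localadminaccess -Verbose"},
    {"_time": "2024-05-01T10:30:00", "EventCode": 4103, "Computer": "ws03.corp.example",
     "UserID": "CORP\\bob", "ScriptBlockText": "Get-ForestDomain"},  # not a 4104 event
    {"_time": "2024-05-01T11:00:00", "EventCode": 4104, "Computer": "ws03.corp.example",
     "UserID": "CORP\\bob", "ScriptBlockText": "Get-ChildItem C:\\Temp"},  # benign script
]

def matched_cmdlet(event):
    """Return the PowerView cmdlet named in a 4104 script block, or None."""
    if event.get("EventCode") != 4104:
        return None
    m = _PATTERN.search(event.get("ScriptBlockText", ""))
    return m.group(0) if m else None

def detect(events, approved_users=frozenset()):
    """Mirror the SPL pipeline: match, stats by (EventCode, ScriptBlockText, Computer, UserID),
    rename Computer/UserID to dest/user, then apply the *_filter macro as an account allowlist."""
    groups = {}
    for ev in events:
        if not matched_cmdlet(ev):
            continue
        key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
        t = datetime.fromisoformat(ev["_time"])
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"], g["lastTime"] = min(g["firstTime"], t), max(g["lastTime"], t)
    allow = {u.lower() for u in approved_users}  # hypothetical tuning list for the LoFP note
    results = []
    for (code, text, computer, user), g in groups.items():
        if user.lower() in allow:
            continue
        results.append({"EventCode": code, "ScriptBlockText": text, "dest": computer,
                        "user": user, **g})
    return results
```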