Techniques
Sample rules
Windows Find Domain Organizational Units with GetDomainOU
- source: splunk
- techniques:
- T1087
- T1087.002
Description
This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect execution of the Get-DomainOU cmdlet. Get-DomainOU is part of PowerView, a PowerShell toolkit for Windows domain enumeration. Identifying its use matters because adversaries and Red Teams employ it to enumerate the organizational units in Active Directory, information that can inform lateral movement or privilege escalation.
Detection logic
`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest, UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_find_domain_organizational_units_with_getdomainou_filter`
Windows Get Local Admin with FindLocalAdminAccess
- source: splunk
- techniques:
- T1087
- T1087.002
Description
This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect execution of the Find-LocalAdminAccess cmdlet. Find-LocalAdminAccess is part of PowerView, a PowerShell toolkit for Windows domain enumeration. Detecting its use matters because adversaries and Red Teams employ it to find machines on which the current user context holds local administrator rights, which gives an attacker a ready list of targets for lateral movement or privilege escalation within the network.
Detection logic
`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest, UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_get_local_admin_with_findlocaladminaccess_filter`
Windows Find Interesting ACL with FindInterestingDomainAcl
- source: splunk
- techniques:
- T1087
- T1087.002
Description
This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect execution of the Find-InterestingDomainAcl cmdlet. Find-InterestingDomainAcl is part of PowerView, a PowerShell toolkit for Windows domain enumeration. Detecting its use matters because adversaries and Red Teams employ it to find unusual or misconfigured Access Control Lists (ACLs) in the domain; such ACLs point an attacker at privilege escalation paths and weak spots in the Active Directory security posture.
Detection logic
`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest, UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_find_interesting_acl_with_findinterestingdomainacl_filter`
Windows Forest Discovery with GetForestDomain
- source: splunk
- techniques:
- T1087
- T1087.002
Description
This analytic uses PowerShell Script Block Logging (EventCode=4104) to detect execution of the Get-ForestDomain cmdlet. Get-ForestDomain is part of PowerView, a PowerShell toolkit for Windows domain enumeration. Detecting its use matters because adversaries and Red Teams employ it to learn the forest and domain configuration of an Active Directory environment, which gives an attacker a broader picture of the domain structure and of possible avenues for lateral movement or privilege escalation.
Detection logic
`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest, UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_forest_discovery_with_getforestdomain_filter`
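The four searches above differ only in the wildcard applied to ScriptBlockText, so the following added example (not Splunk's code, and not part of the original rules) emulates all four offline: it filters constructed EventCode=4104 script-block records on a case-insensitive substring, groups them by EventCode, ScriptBlockText, Computer and UserID, computes count/firstTime/lastTime, and applies the Computer→dest and UserID→user renames. The event records, host names and user names are constructed sample data; the `ctime` helper stands in for the `security_content_ctime` macro, and the `_filter` macros (empty by default in Splunk Security Content) are omitted.

```python
"""Offline emulation of the four PowerView 4104 detections above (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample EventCode=4104 records (not real telemetry). Field names follow
# the Splunk Windows add-on: _time, EventCode, ScriptBlockText, Computer, UserID.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "Computer": "WS01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Import-Module .\\PowerView.ps1; Get-DomainOU -Properties name"},
    {"_time": 1700000120, "EventCode": 4104, "Computer": "WS01.corp.local",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Import-Module .\\PowerView.ps1; Get-DomainOU -Properties name"},
    {"_time": 1700000300, "EventCode": 4104, "Computer": "WS02.corp.local",
     "UserID": "CORP\\svc-backup", "ScriptBlockText": "Find-LocalAdminAccess -Verbose"},
    {"_time": 1700000400, "EventCode": 4104, "Computer": "WS02.corp.local",
     "UserID": "CORP\\svc-backup", "ScriptBlockText": "Find-InterestingDomainAcl -ResolveGUIDs"},
    {"_time": 1700000500, "EventCode": 4104, "Computer": "DC01.corp.local",
     "UserID": "CORP\\admin", "ScriptBlockText": "Get-ForestDomain | Select-Object Name"},
    # Benign: the built-in ActiveDirectory module cmdlet, matched by none of the patterns.
    {"_time": 1700000600, "EventCode": 4104, "Computer": "DC01.corp.local",
     "UserID": "CORP\\admin", "ScriptBlockText": "Get-ADOrganizationalUnit -Filter *"},
    # Evasion: the cmdlet name is assembled at run time, so the literal never appears.
    {"_time": 1700000700, "EventCode": 4104, "Computer": "WS03.corp.local",
     "UserID": "CORP\\jdoe", "ScriptBlockText": "& ('Get-Domain' + 'OU') -Properties name"},
    # Wrong event: a 4103 pipeline-logging record carries the string, but the search reads 4104 only.
    {"_time": 1700000800, "EventCode": 4103, "Computer": "WS03.corp.local",
     "UserID": "CORP\\jdoe", "ScriptBlockText": "Get-ForestDomain"},
]

# Rule name -> the literal the search wraps in "*...*".
DETECTIONS = {
    "Windows Find Domain Organizational Units with GetDomainOU": "Get-DomainOU",
    "Windows Get Local Admin with FindLocalAdminAccess": "Find-LocalAdminAccess",
    "Windows Find Interesting ACL with FindInterestingDomainAcl": "Find-InterestingDomainAcl",
    "Windows Forest Discovery with GetForestDomain": "Get-ForestDomain",
}


def ctime(epoch):
    """Stand-in for the security_content_ctime macro: epoch seconds -> readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def run_detection(events, cmdlet):
    """Emulate one rule:
       EventCode=4104 ScriptBlockText="*<cmdlet>*"
       | stats count min(_time) as firstTime max(_time) as lastTime
               by EventCode ScriptBlockText Computer UserID
       | rename Computer as dest, UserID as user
    field=value matching in the search command is case-insensitive, so compare lowercased."""
    needle = cmdlet.lower()
    groups = defaultdict(list)
    for ev in events:
        if ev["EventCode"] != 4104:
            continue
        if needle not in ev["ScriptBlockText"].lower():
            continue
        key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
        groups[key].append(ev["_time"])
    rows = []
    for (code, text, computer, user), times in groups.items():
        rows.append({
            "EventCode": code, "ScriptBlockText": text,
            "dest": computer, "user": user,          # the rename step
            "count": len(times),
            "firstTime": ctime(min(times)), "lastTime": ctime(max(times)),
        })
    return rows


def run_all(events):
    """Run every rule in DETECTIONS over the same event set."""
    return {name: run_detection(events, cmdlet) for name, cmdlet in DETECTIONS.items()}


if __name__ == "__main__":
    for name, rows in run_all(SAMPLE_EVENTS).items():
        print(name)
        for r in rows:
            print(f"  {r['count']}x {r['user']}@{r['dest']} "
                  f"{r['firstTime']}..{r['lastTime']} :: {r['ScriptBlockText']}")
```

Running it shows each rule producing exactly one aggregated row, the two identical Get-DomainOU blocks collapsing into a single row with count 2, and two events that all four searches miss: the 4103 record (wrong EventCode) and the run-time-assembled `'Get-Domain' + 'OU'` invocation. The second case is the practical caveat for all four rules: they match the literal cmdlet name in the logged script block, so renamed or obfuscated PowerView copies need complementary coverage (for example the decoded text that script block logging records for some obfuscation layers, or the PowerView function bodies themselves).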