LoFP / administrators may leverage powersploit tools for legitimate reasons, filter as needed.

Techniques

Sample rules

Windows Find Domain Organizational Units with GetDomainOU

Description

This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the Get-DomainOU cmdlet. Get-DomainOU is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of Get-DomainOU is crucial, as adversaries and Red Teams might employ it to gain insight into organizational units within Active Directory, potentially aiding lateral movement or privilege escalation.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest, UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_find_domain_organizational_units_with_getdomainou_filter`

Windows Get Local Admin with FindLocalAdminAccess

Description

This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the Find-LocalAdminAccess cmdlet. Find-LocalAdminAccess is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of Find-LocalAdminAccess is vital, as adversaries and Red Teams might employ it to identify machines on which the current user context holds local administrator access. Such information gives an attacker a list of candidate hosts for lateral movement or privilege escalation within the network.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest, UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_get_local_admin_with_findlocaladminaccess_filter`

Windows Find Interesting ACL with FindInterestingDomainAcl

Description

This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the Find-InterestingDomainAcl cmdlet. Find-InterestingDomainAcl is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of Find-InterestingDomainAcl is crucial, as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can reveal privilege escalation opportunities or weak security postures within Active Directory.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest, UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_find_interesting_acl_with_findinterestingdomainacl_filter`

Windows Forest Discovery with GetForestDomain

Description

This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the Get-ForestDomain cmdlet. Get-ForestDomain is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of Get-ForestDomain is essential, as adversaries and Red Teams might employ it to gain insight into the forest and domain configuration of an Active Directory environment. Such information gives an attacker a broader understanding of the domain structure and of potential avenues for lateral movement or privilege escalation.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest, UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_forest_discovery_with_getforestdomain_filter`
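The four searches above share one shape: filter 4104 script-block events on a PowerView cmdlet name, aggregate by script text, host and user, then pass the rows through a `*_filter` macro where known-good administrative use is tuned out. The following is an added Python re-implementation of that shape over constructed sample records (not Splunk code and not part of the original content); the event dicts, host names and the allowlist of approved (dest, user) pairs are assumptions for illustration.

```python
from collections import defaultdict

# PowerView cmdlets the four analytics on this page look for.
POWERVIEW_CMDLETS = ("Get-DomainOU", "Find-LocalAdminAccess",
                     "Find-InterestingDomainAcl", "Get-ForestDomain")

# Constructed sample 4104 records (epoch seconds), not real telemetry.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "Computer": "WS01", "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Get-DomainOU -Domain corp.local"},
    {"_time": 1700000060, "EventCode": 4104, "Computer": "WS01", "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Get-DomainOU -Domain corp.local"},
    {"_time": 1700000120, "EventCode": 4104, "Computer": "WS01", "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Find-LocalAdminAccess"},
    {"_time": 1700000300, "EventCode": 4104, "Computer": "ADMIN01", "UserID": "CORP\\adm-audit",
     "ScriptBlockText": "get-forestdomain | select Name"},
    # Wrong EventCode: a 4103 pipeline event must not match a 4104 analytic.
    {"_time": 1700000400, "EventCode": 4103, "Computer": "WS02", "UserID": "CORP\\asmith",
     "ScriptBlockText": "Get-DomainOU"},
]

def detect(events, cmdlet):
    """Emulate the page's SPL: EventCode=4104 ScriptBlockText="*<cmdlet>*"
    | stats count min(_time) max(_time) by EventCode ScriptBlockText Computer UserID
    | rename Computer as dest, UserID as user. Splunk wildcard matches on
    string fields are case-insensitive, so compare lower-cased."""
    groups = defaultdict(list)
    for ev in events:
        if ev["EventCode"] != 4104 or cmdlet.lower() not in ev["ScriptBlockText"].lower():
            continue
        key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
        groups[key].append(ev["_time"])
    return [{"EventCode": k[0], "ScriptBlockText": k[1], "dest": k[2], "user": k[3],
             "count": len(t), "firstTime": min(t), "lastTime": max(t)}
            for k, t in groups.items()]

def apply_filter(rows, allowed_pairs):
    """Stand-in for the `*_filter` macro: drop (dest, user) pairs whose
    PowerSploit/PowerView use is approved, e.g. an assumed AD audit account."""
    return [r for r in rows if (r["dest"], r["user"]) not in allowed_pairs]

def run_all(events, allowed_pairs=frozenset()):
    """Run all four analytics and return {cmdlet: filtered result rows}."""
    return {c: apply_filter(detect(events, c), allowed_pairs) for c in POWERVIEW_CMDLETS}

if __name__ == "__main__":
    for cmdlet, rows in run_all(SAMPLE_EVENTS, {("ADMIN01", "CORP\\adm-audit")}).items():
        print(cmdlet, rows)
```

The allowlist keeps the filter narrow to a host-and-account pair rather than suppressing a cmdlet globally, which is the trade-off the LoFP note at the top of the page asks you to make.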