LoFP LoFP / administrators may leverage powerview for legitimate purposes, filter as needed.

Techniques

Sample rules

Windows Account Discovery for None Disable User Account

Description

The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the UACFilter parameter set to NOT_ACCOUNTDISABLE, indicating an attempt to enumerate Active Directory user accounts that are not disabled. This detection leverages PowerShell Script Block Logging (EventCode 4104) to identify the specific script block text. Monitoring this activity is significant as it may indicate reconnaissance efforts by an attacker to identify active user accounts for further exploitation. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.

Detection logic

`powershell` EventCode=4104  ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*" 
| rename Computer as dest, UserID as user 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_account_discovery_for_none_disable_user_account_filter`

Windows Account Discovery for Sam Account Name

Description

The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser, specifically querying for “samaccountname” and “pwdlastset” attributes. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information from Active Directory, which is a common reconnaissance step in lateral movement or privilege escalation attacks. If confirmed malicious, this activity could allow an attacker to map out user accounts, potentially leading to further exploitation and unauthorized access within the network.

Detection logic

`powershell` EventCode=4104  ScriptBlockText = "*Get-NetUser*" ScriptBlockText IN ("*samaccountname*", "*pwdlastset*") 
| rename Computer as dest, UserID as user 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_account_discovery_for_sam_account_name_filter`

Windows Account Discovery With NetUser PreauthNotRequire

Description

The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. This method identifies attempts to query Active Directory user accounts that do not require Kerberos preauthentication. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker to identify potentially vulnerable accounts. If confirmed malicious, this behavior could lead to further exploitation, such as unauthorized access or privilege escalation within the network.

Detection logic

`powershell` EventCode=4104  ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*-PreauthNotRequire*" 
| rename Computer as dest, UserID as user 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_account_discovery_with_netuser_preauthnotrequire_filter`

Windows Domain Account Discovery Via Get-NetComputer

Description

The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetComputer, which is used to query Active Directory for user account details such as “samaccountname,” “accountexpires,” “lastlogon,” and more. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to gather user account information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could lead to unauthorized access, privilege escalation, or lateral movement within the network.

Detection logic

`powershell` EventCode=4104  ScriptBlockText = "*Get-NetComputer*" ScriptBlockText IN ("*samaccountname*", "*accountexpires*", "*lastlogon*", "*lastlogoff*", "*pwdlastset*", "*logoncount*") 
| rename Computer as dest, UserID as user 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_domain_account_discovery_via_get_netcomputer_filter`

Windows PowerView AD Access Control List Enumeration

Description

The following analytic detects the execution of PowerView PowerShell cmdlets Get-ObjectAcl or Get-DomainObjectAcl, which are used to enumerate Access Control List (ACL) permissions for Active Directory objects. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to discover weak permissions in Active Directory, potentially leading to privilege escalation. If confirmed malicious, attackers could exploit these permissions to gain unauthorized access or escalate their privileges within the network.

Detection logic

`powershell` EventCode=4104  (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* ) 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powerview_ad_access_control_list_enumeration_filter`