LoFP / administrators may leverage PowerView for legitimate purposes, filter as needed.

Techniques

Sample rules

Windows PowerView AD Access Control List Enumeration

Description

The following analytic leverages Event ID 4104 to identify the execution of the PowerView PowerShell cmdlets Get-ObjectAcl or Get-DomainObjectAcl. These cmdlets are used to enumerate the Access Control List permissions granted on Active Directory objects. In an Active Directory environment, an object is an entity that represents an available resource within the organization's network, such as domain controllers, users, groups, computers, shares, etc. Maintaining Active Directory permissions is complicated and hard to manage, especially in complex and large environments with multiple domains. Weak permissions may allow adversaries and red teamers to escalate their privileges in Active Directory. PowerView is a common tool leveraged by attackers to identify and exploit such configuration weaknesses.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl*) 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_powerview_ad_access_control_list_enumeration_filter`

Windows Domain Account Discovery Via Get-NetComputer

Description

The following analytic leverages Event ID 4104 to identify the execution of the PowerView PowerShell cmdlet Get-NetComputer. This technique was seen used in the context of PowerView’s Get-NetUser cmdlet as a filter or parameter to query Active Directory user account attributes such as “samaccountname”, “accountexpires”, “lastlogon” and so on. This hunting query is a good pivot to look for suspicious processes or malware that gather user account information on a host or within the network.

Detection logic

`powershell` EventCode=4104  ScriptBlockText = "*Get-NetComputer*" ScriptBlockText IN ("*samaccountname*", "*accountexpires*", "*lastlogon*", "*lastlogoff*", "*pwdlastset*", "*logoncount*") 
| rename Computer as dest, UserID as user 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_domain_account_discovery_via_get_netcomputer_filter`

Windows Account Discovery for None Disable User Account

Description

The following analytic utilizes PowerShell Script Block Logging to identify the execution of the PowerView PowerShell cmdlet Get-NetUser. This technique was observed in the context of PowerView’s Get-NetUser cmdlet, used with a filter or parameter to query Active Directory user accounts that are not disabled. The full script block text based on the CISA-23-347A advisory is “Get-NetUser -UACFilter NOT_ACCOUNTDISABLE”. Utilize this query to identify potentially suspicious user account enumeration activity.

Detection logic

`powershell` EventCode=4104  ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*NOT_ACCOUNTDISABLE*" ScriptBlockText = "*-UACFilter*" 
| rename Computer as dest, UserID as user 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_account_discovery_for_none_disable_user_account_filter`

Windows Account Discovery for Sam Account Name

Description

The following analytic leverages Event ID 4104 to identify the execution of the PowerView PowerShell cmdlet Get-NetUser. This technique was observed in the context of PowerView’s Get-NetUser cmdlet, used with a filter or parameter to query an Active Directory user account’s “samaccountname”. This hunting query is a good pivot to look for suspicious processes or malware that gather user account information on a host or within the network.

Detection logic

`powershell` EventCode=4104  ScriptBlockText = "*Get-NetUser*" ScriptBlockText IN ("*samaccountname*", "*pwdlastset*") 
| rename Computer as dest, UserID as user 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_account_discovery_for_sam_account_name_filter`

Windows Account Discovery With NetUser PreauthNotRequire

Description

The following analytic leverages Event ID 4104 to identify the execution of the PowerView PowerShell cmdlet Get-NetUser. This technique was observed in the context of PowerView’s Get-NetUser cmdlet, used with a filter or parameter to query Active Directory user accounts that do not require Kerberos preauthentication. This hunting query is a good pivot to look for suspicious processes or malware that gather user account information on a host or within the network.

Detection logic

`powershell` EventCode=4104  ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*-PreauthNotRequire*" 
| rename Computer as dest, UserID as user 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_account_discovery_with_netuser_preauthnotrequire_filter`
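The five analytics above share one shape: a wildcard match on ScriptBlockText of Event ID 4104 events, followed by a stats aggregation and a trailing `_filter` macro for tuning out the legitimate administrative use the LoFP note warns about. The following Python is an added example, not code from the LoFP page or from the Splunk security content project, that re-implements the match logic of all five rules as predicates and runs them over constructed sample events, so the matching and grouping behaviour can be checked offline. Field names (EventCode, ScriptBlockText, Computer, UserID, _time) follow the queries on the page; the hostnames, user names, timestamps and script block text are constructed, and the `allowed_users` allowlist is an assumed stand-in for whatever a deployment puts in its `_filter` macro.

```python
"""Added example: Python re-implementation of the five PowerView Event ID 4104
analytics, run over constructed sample Script Block Logging events."""
from collections import defaultdict

# Constructed sample events shaped like the fields the queries use. Not real telemetry.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "Computer": "WS01.corp.example",
     "UserID": "CORP\\jdoe", "ScriptBlockText": "Get-DomainObjectAcl | Select-Object ObjectDN"},
    {"_time": 1700000060, "EventCode": 4104, "Computer": "WS01.corp.example",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname,pwdlastset"},
    # Same command, same host and user, one minute later: stats should fold it into count=2.
    {"_time": 1700000120, "EventCode": 4104, "Computer": "WS01.corp.example",
     "UserID": "CORP\\jdoe",
     "ScriptBlockText": "Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname,pwdlastset"},
    {"_time": 1700000180, "EventCode": 4104, "Computer": "WS02.corp.example",
     "UserID": "CORP\\svc-audit", "ScriptBlockText": "Get-NetUser -PreauthNotRequire | select samaccountname"},
    {"_time": 1700000240, "EventCode": 4104, "Computer": "WS02.corp.example",
     "UserID": "CORP\\svc-audit", "ScriptBlockText": "Get-NetComputer | select samaccountname,lastlogon"},
    {"_time": 1700000300, "EventCode": 4104, "Computer": "WS03.corp.example",
     "UserID": "CORP\\asmith", "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
    # PowerView text, but Event ID 4103 (module logging), which the queries do not examine.
    {"_time": 1700000360, "EventCode": 4103, "Computer": "WS03.corp.example",
     "UserID": "CORP\\asmith", "ScriptBlockText": "Get-NetUser -PreauthNotRequire"},
]


def has(text, *needles):
    """Splunk-style '*needle*' match: case-insensitive substring test.
    True if ANY needle is present, which also models ScriptBlockText IN (...)."""
    t = text.lower()
    return any(n.lower() in t for n in needles)


# One predicate per analytic; terms ANDed in the SPL are ANDed here.
RULES = {
    "Windows PowerView AD Access Control List Enumeration":
        lambda s: has(s, "get-objectacl", "Get-DomainObjectAcl"),
    "Windows Domain Account Discovery Via Get-NetComputer":
        lambda s: has(s, "Get-NetComputer") and has(
            s, "samaccountname", "accountexpires", "lastlogon",
            "lastlogoff", "pwdlastset", "logoncount"),
    "Windows Account Discovery for None Disable User Account":
        lambda s: has(s, "Get-NetUser") and has(s, "NOT_ACCOUNTDISABLE")
        and has(s, "-UACFilter"),
    "Windows Account Discovery for Sam Account Name":
        lambda s: has(s, "Get-NetUser") and has(s, "samaccountname", "pwdlastset"),
    "Windows Account Discovery With NetUser PreauthNotRequire":
        lambda s: has(s, "Get-NetUser") and has(s, "-PreauthNotRequire"),
}


def run_rule(rule_name, events, allowed_users=()):
    """Apply one analytic and return rows shaped like the page's
    `stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user`.
    allowed_users is an assumed allowlist standing in for the `_filter` macro,
    which deployments tune to drop known administrative accounts."""
    predicate = RULES[rule_name]
    groups = defaultdict(list)
    for e in events:
        if e["EventCode"] != 4104 or not predicate(e["ScriptBlockText"]):
            continue
        key = (e["EventCode"], e["ScriptBlockText"], e["Computer"], e["UserID"])
        groups[key].append(e["_time"])
    rows = []
    for (code, text, dest, user), times in groups.items():
        if user in allowed_users:
            continue
        rows.append({"EventCode": code, "ScriptBlockText": text, "dest": dest, "user": user,
                     "count": len(times), "firstTime": min(times), "lastTime": max(times)})
    return rows


def run_all(events, allowed_users=()):
    """Run every analytic; returns {rule name: stats rows}."""
    return {name: run_rule(name, events, allowed_users) for name in RULES}


if __name__ == "__main__":
    for name, rows in run_all(SAMPLE_EVENTS).items():
        print(name)
        for r in rows:
            print(f"  count={r['count']} user={r['user']} dest={r['dest']} text={r['ScriptBlockText']!r}")
```

Running it shows the overlap a practitioner should expect: the same Get-NetUser script block fires both the "None Disable User Account" and "Sam Account Name" rules, while the Event ID 4103 record is ignored entirely because every query is pinned to 4104. Passing an allowlist such as `allowed_users={"CORP\\svc-audit"}` to `run_rule` is the equivalent of tuning the `_filter` macro for an account that runs PowerView legitimately.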