Techniques
Sample rules
Windows PowerView Constrained Delegation Discovery
- source: splunk
- technicques:
- T1018
Description
The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Constrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commandlets like Get-DomainComputer or Get-NetComputer with the -TrustedToAuth parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.
Detection logic
`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-TrustedToAuth*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powerview_constrained_delegation_discovery_filter`
Windows Get-AdComputer Unconstrained Delegation Discovery
- source: splunk
- technicques:
- T1018
Description
The following analytic detects the use of the Get-ADComputer cmdlet with parameters indicating a search for Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this specific activity. This behavior is significant as it may indicate an attempt by adversaries or Red Teams to gain situational awareness and perform Active Directory discovery. If confirmed malicious, this activity could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.
Detection logic
`powershell` EventCode=4104 (ScriptBlockText = "*Get-ADComputer*" AND ScriptBlockText = "*TrustedForDelegation*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_get_adcomputer_unconstrained_delegation_discovery_filter`
Windows PowerView Unconstrained Delegation Discovery
- source: splunk
- technicques:
- T1018
Description
The following analytic detects the use of PowerView commandlets to discover Windows endpoints with Kerberos Unconstrained Delegation. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific commands like Get-DomainComputer or Get-NetComputer with the -Unconstrained parameter. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to map out privileged delegation settings in Active Directory. If confirmed malicious, this could allow attackers to identify high-value targets for further exploitation, potentially leading to privilege escalation or lateral movement within the network.
Detection logic
`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*" OR ScriptBlockText = "*Get-NetComputer*") AND (ScriptBlockText = "*-Unconstrained*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_powerview_unconstrained_delegation_discovery_filter`