LoFP / administrators or power users may use adsisearcher for troubleshooting.

Techniques

• T1018
• T1069
• T1069.002

Sample rules

Remote System Discovery with Adsisearcher

• source: splunk
• technicques:
  • T1018

Description

The following analytic detects the use of the [Adsisearcher] type accelerator in PowerShell scripts to query Active Directory for domain computers. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing adsisearcher and objectcategory=computer with methods like findAll() or findOne(). This activity is significant as it may indicate an attempt by adversaries or Red Teams to perform Active Directory discovery and gain situational awareness. If confirmed malicious, this could lead to further reconnaissance and potential lateral movement within the network.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*adsisearcher*" AND ScriptBlockText = "*objectcategory=computer*" AND ScriptBlockText IN ("*findAll()*","*findOne()*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
|rename UserID as user 
| `security_content_ctime(firstTime)` 
| `remote_system_discovery_with_adsisearcher_filter`

Domain Group Discovery with Adsisearcher

• source: splunk
• technicques:
  • T1069
  • T1069.002

Description

The following analytic detects the use of the [Adsisearcher] type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing [adsisearcher] and group-related queries. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.

Detection logic

`powershell` (ScriptBlockText = "*[adsisearcher]*" AND ScriptBlockText = "*(objectcategory=group)*" AND ScriptBlockText = "*findAll()*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
|rename UserID as user 
| `security_content_ctime(firstTime)` 
| `domain_group_discovery_with_adsisearcher_filter`