Techniques
Sample rules
Domain Group Discovery with Adsisearcher
- source: splunk
- techniques:
  - T1069
  - T1069.002
Description
The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the [Adsisearcher]
type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage [Adsisearcher]
to enumerate domain groups for situational awareness and Active Directory Discovery.
Detection logic
`powershell` (ScriptBlockText = "*[adsisearcher]*" AND ScriptBlockText = "*(objectcategory=group)*" AND ScriptBlockText = "*findAll()*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `domain_group_discovery_with_adsisearcher_filter`
Remote System Discovery with Adsisearcher
- source: splunk
- techniques:
  - T1018
Description
The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the [Adsisearcher]
type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage [Adsisearcher]
to enumerate domain computers for situational awareness and Active Directory Discovery.
Detection logic
`powershell` EventCode=4104 ScriptBlockText = "*adsisearcher*" AND ScriptBlockText = "*objectcategory=computer*" AND ScriptBlockText IN ("*findAll()*","*findOne()*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `remote_system_discovery_with_adsisearcher_filter`
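To show what the two searches above actually match, here is an added example that is not part of the Splunk content: a Python emulation of the wildcard field comparison, the AND / IN clauses, and the stats/rename pipeline, run over constructed EventCode 4104 events. The events, host names and user names are constructed, and `spl_match` assumes Splunk's default case-insensitive semantics for `field="*pattern*"`.

```python
import re
from collections import defaultdict

# Constructed sample PowerShell script-block (4104) events; not real telemetry.
EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice",
     "ScriptBlockText": '([adsisearcher]"(objectcategory=group)").findAll()'},
    {"_time": 1700000060, "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice",
     "ScriptBlockText": '([ADSISearcher]"(objectCategory=computer)").FindAll()'},
    {"_time": 1700000120, "EventCode": 4104, "Computer": "ws01.corp.example",
     "UserID": "CORP\\alice",
     "ScriptBlockText": '([ADSISearcher]"(objectCategory=computer)").FindAll()'},
    {"_time": 1700000180, "EventCode": 4104, "Computer": "ws02.corp.example",
     "UserID": "CORP\\bob", "ScriptBlockText": "Get-ChildItem C:\\Temp | Measure-Object"},
]

def spl_match(pattern, value):
    """Emulate Splunk's field=value wildcard test: '*' matches anything, every
    other character is literal ('[' and '(' are not regex metacharacters), and
    the comparison is case-insensitive (assumed default Splunk semantics)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def matches(rule, event):
    """'all' patterns are ANDed; 'any' patterns mirror the IN (...) clause."""
    if "EventCode" in rule and event["EventCode"] != rule["EventCode"]:
        return False
    text = event["ScriptBlockText"]
    if not all(spl_match(p, text) for p in rule["all"]):
        return False
    return any(spl_match(p, text) for p in rule.get("any", ["*"]))

def run_detection(rule, events):
    """Emulate the stats/rename pipeline: count, min(_time) and max(_time) by
    EventCode ScriptBlockText Computer UserID, with Computer->dest, UserID->user."""
    groups = defaultdict(list)
    for ev in events:
        if matches(rule, ev):
            key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
            groups[key].append(ev["_time"])
    return [{"EventCode": k[0], "ScriptBlockText": k[1], "dest": k[2], "user": k[3],
             "count": len(t), "firstTime": min(t), "lastTime": max(t)}
            for k, t in groups.items()]

DOMAIN_GROUP_RULE = {"all": ["*[adsisearcher]*", "*(objectcategory=group)*", "*findAll()*"]}
REMOTE_SYSTEM_RULE = {"EventCode": 4104, "all": ["*adsisearcher*", "*objectcategory=computer*"],
                      "any": ["*findAll()*", "*findOne()*"]}
```

Running `run_detection(REMOTE_SYSTEM_RULE, EVENTS)` collapses the two identical computer-enumeration blocks from ws01 into one row with count 2, which is the tuning signal the `by ScriptBlockText Computer UserID` grouping is meant to surface.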