LoFP / Administrators or power users may use Adsisearcher for troubleshooting.

Techniques

Sample rules

Domain Group Discovery with Adsisearcher

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the [Adsisearcher] type accelerator being used to query Active Directory for domain groups. Red Teams and adversaries may leverage [Adsisearcher] to enumerate domain groups for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText = "*[adsisearcher]*" AND ScriptBlockText = "*(objectcategory=group)*" AND ScriptBlockText = "*findAll()*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `domain_group_discovery_with_adsisearcher_filter`

Remote System Discovery with Adsisearcher

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the [Adsisearcher] type accelerator being used to query Active Directory for domain computers. Red Teams and adversaries may leverage [Adsisearcher] to enumerate domain computers for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*adsisearcher*" AND ScriptBlockText = "*objectcategory=computer*" AND ScriptBlockText IN ("*findAll()*","*findOne()*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `remote_system_discovery_with_adsisearcher_filter`
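To see what the two detections above actually match, here is an added example (not part of the original page or of the Splunk content it describes) that re-implements their wildcard conditions and the `stats ... by` grouping in Python and runs them over a handful of constructed 4104 script-block events. Note how the group rule requires the literal `[adsisearcher]` and `(objectcategory=group)` tokens, so an equivalent query written against `DirectoryServices.DirectorySearcher` is not matched by either rule; the `security_content_ctime` and `_filter` macros are assumed to be formatting and tuning steps and are not emulated.

```python
import re
from collections import defaultdict

# Constructed 4104 script-block events (not real telemetry); _time is epoch seconds.
EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "Computer": "ws01", "UserID": "CORP\\alice",
     "ScriptBlockText": '([adsisearcher]"(objectcategory=group)").FindAll()'},
    {"_time": 1700000060, "EventCode": 4104, "Computer": "ws01", "UserID": "CORP\\alice",
     "ScriptBlockText": '([adsisearcher]"(objectcategory=group)").FindAll()'},
    {"_time": 1700000120, "EventCode": 4104, "Computer": "srv02", "UserID": "CORP\\bob",
     "ScriptBlockText": "([ADSISearcher]'objectCategory=computer').FindOne()"},
    # Same group query via the underlying .NET class: no [adsisearcher] token, so
    # neither rule fires. Worth knowing when judging the coverage of these rules.
    {"_time": 1700000180, "EventCode": 4104, "Computer": "srv02", "UserID": "CORP\\bob",
     "ScriptBlockText": "(New-Object DirectoryServices.DirectorySearcher"
                        "('(objectcategory=group)')).FindAll()"},
    {"_time": 1700000240, "EventCode": 4103, "Computer": "ws01", "UserID": "CORP\\alice",
     "ScriptBlockText": "Get-Date"},
]

def like(value, pattern):
    """Splunk-style wildcard test: '*' matches anything, the rest is literal, case-insensitive.
    fnmatch is deliberately avoided: it would read [adsisearcher] as a character class."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None

def domain_group_discovery(ev):
    t = ev["ScriptBlockText"]
    return (ev["EventCode"] == 4104 and like(t, "*[adsisearcher]*")
            and like(t, "*(objectcategory=group)*") and like(t, "*findAll()*"))

def remote_system_discovery(ev):
    t = ev["ScriptBlockText"]
    return (ev["EventCode"] == 4104 and like(t, "*adsisearcher*")
            and like(t, "*objectcategory=computer*")
            and any(like(t, p) for p in ("*findAll()*", "*findOne()*")))

def stats(events, rule):
    # The `stats count min(_time) max(_time) by ...` and rename steps of each rule.
    groups = defaultdict(list)
    for ev in filter(rule, events):
        key = (ev["EventCode"], ev["ScriptBlockText"], ev["Computer"], ev["UserID"])
        groups[key].append(ev["_time"])
    return [{"count": len(ts), "firstTime": min(ts), "lastTime": max(ts),
             "EventCode": k[0], "ScriptBlockText": k[1], "dest": k[2], "user": k[3]}
            for k, ts in groups.items()]

if __name__ == "__main__":
    for rule in (domain_group_discovery, remote_system_discovery):
        print(rule.__name__, stats(EVENTS, rule))
```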