LoFP LoFP / administrators or power users may use powerview for troubleshooting

Sample rules

Disabled Kerberos Pre-Authentication Discovery With PowerView

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-DomainUser commandlet with specific parameters. Get-DomainUser is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, Get-DomainUser is used to identify domain users and combining it with -PreauthNotRequired allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled. Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline.

Detection logic

 `powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainUser*" AND ScriptBlockText="*PreauthNotRequired*") 
| stats count min(_time)  as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| rename Computer as dest 
| `security_content_ctime(firstTime)` 
| `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`

GetDomainComputer with PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-DomainComputer commandlet. GetDomainComputer is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| rename Computer as dest 
| rename UserID as user 
| `security_content_ctime(firstTime)` 
| `getdomaincomputer_with_powershell_script_block_filter`

GetDomainController with PowerShell

Description

This analytic looks for the execution of powershell.exe with command-line arguments utilized to discover remote systems. Get-DomainController is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `getdomaincontroller_with_powershell_filter`

GetDomainComputer with PowerShell

Description

This analytic looks for the execution of powershell.exe with command-line arguments utilized to discover remote systems. Get-DomainComputer is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `getdomaincomputer_with_powershell_filter`