Sample rules
Disabled Kerberos Pre-Authentication Discovery With PowerView
- source: splunk
- technicques:
- T1558
- T1558.004
Description
The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-DomainUser
commandlet with specific parameters. Get-DomainUser
is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, Get-DomainUser
is used to identify domain users and combining it with -PreauthNotRequired
allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.
Red Teams and adversaries alike use may leverage PowerView to enumerate these accounts and attempt to crack their passwords offline.
Detection logic
`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainUser*" AND ScriptBlockText="*PreauthNotRequired*")
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `disabled_kerberos_pre_authentication_discovery_with_powerview_filter`
GetDomainComputer with PowerShell Script Block
- source: splunk
- technicques:
- T1018
Description
The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-DomainComputer
commandlet. GetDomainComputer
is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.
Detection logic
`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainComputer*")
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText
| rename Computer as dest
| rename UserID as user
| `security_content_ctime(firstTime)`
| `getdomaincomputer_with_powershell_script_block_filter`
GetDomainController with PowerShell
- source: splunk
- technicques:
- T1018
Description
This analytic looks for the execution of powershell.exe
with command-line arguments utilized to discover remote systems. Get-DomainController
is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainController*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `getdomaincontroller_with_powershell_filter`
GetDomainComputer with PowerShell
- source: splunk
- technicques:
- T1018
Description
This analytic looks for the execution of powershell.exe
with command-line arguments utilized to discover remote systems. Get-DomainComputer
is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may leverage PowerView to enumerate domain groups for situational awareness and Active Directory Discovery.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-DomainComputer*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `getdomaincomputer_with_powershell_filter`