LoFP / administrators or power users may search for accounts with Kerberos pre-authentication disabled for legitimate purposes.

Techniques

Sample rules

Disabled Kerberos Pre-Authentication Discovery With Get-ADUser

Description

The following analytic uses PowerShell Script Block Logging (EventCode=4104) to identify execution of the Get-ADUser cmdlet with specific parameters. Get-ADUser is part of the Active Directory PowerShell module used to manage Windows Active Directory environments and, as the name suggests, queries domain user objects. With the appropriate filter, Get-ADUser lets an operator list domain accounts that have Kerberos pre-authentication disabled: the value 4194304 (0x400000) the search keys on is the DONT_REQ_PREAUTH bit of the userAccountControl attribute. Red teams and adversaries alike may abuse Get-ADUser to enumerate these accounts and then request AS-REP tickets for them (AS-REP roasting) and attempt to crack the resulting material offline. The analytic only fires when Script Block Logging is enabled on the host and when the literal flag value appears in the script block; administrators or power users auditing pre-authentication settings will produce the same events.

Detection logic

 `powershell` EventCode=4104 (ScriptBlockText = "*Get-ADUser*" AND ScriptBlockText="*4194304*") 
| stats count min(_time)  as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| rename Computer as dest 
| `security_content_ctime(firstTime)` 
| `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter`
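The search above, replayed over constructed EventCode 4104 records so the grouping, the trailing filter macro and the rule's coverage can be inspected offline. This is an added example, not code from the page or from the Splunk security content project: the events, SIDs, hostnames and timestamps are made up, the `KNOWN_AUDIT_PAIRS` allowlist is a hypothetical stand-in for the `disabled_kerberos_pre_authentication_discovery_with_get_aduser_filter` macro, and the optional `flag_patterns` argument is my own extension showing how to also catch the property-based form of the same query (`DoesNotRequirePreAuth -eq $true`), which carries no literal 4194304 and so slips past the page's condition.

```python
import fnmatch
from collections import defaultdict

# Constructed sample records (not real logs). Fields mirror what the Splunk
# search groups on. Event 4 is the same query expressed without the flag value;
# event 6 is a 4103 record that the search must ignore.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "Opcode": "Execute", "Computer": "WS01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1105",
     "ScriptBlockText": "Get-ADUser -Filter {userAccountControl -band 4194304}"},
    {"_time": 1700000060, "EventCode": 4104, "Opcode": "Execute", "Computer": "WS01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1105",
     "ScriptBlockText": "Get-ADUser -Filter {userAccountControl -band 4194304}"},
    {"_time": 1700000120, "EventCode": 4104, "Opcode": "Execute", "Computer": "WS01.corp.local",
     "UserID": "S-1-5-21-1-2-3-1105",
     "ScriptBlockText": 'Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"'},
    {"_time": 1700000180, "EventCode": 4104, "Opcode": "Execute", "Computer": "DC01.corp.local",
     "UserID": "S-1-5-21-1-2-3-500",
     "ScriptBlockText": "Get-ADUser -Filter {userAccountControl -band 4194304} -Properties userAccountControl"},
    {"_time": 1700000240, "EventCode": 4104, "Opcode": "Execute", "Computer": "DC01.corp.local",
     "UserID": "S-1-5-21-1-2-3-500",
     "ScriptBlockText": "Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}"},
    {"_time": 1700000300, "EventCode": 4104, "Opcode": "Execute", "Computer": "WS02.corp.local",
     "UserID": "S-1-5-21-1-2-3-1200",
     "ScriptBlockText": "Get-ADUser -Identity jdoe -Properties MemberOf"},
    {"_time": 1700000360, "EventCode": 4103, "Opcode": "Execute", "Computer": "WS02.corp.local",
     "UserID": "S-1-5-21-1-2-3-1200",
     "ScriptBlockText": "Get-ADUser -Filter {userAccountControl -band 4194304}"},
]

# Hypothetical stand-in for the page's filter macro: (dest, UserID) pairs whose
# job includes auditing pre-auth settings. Tune to your environment.
KNOWN_AUDIT_PAIRS = {("DC01.corp.local", "S-1-5-21-1-2-3-500")}

def wildcard_match(value, pattern):
    """Splunk-style field match: '*' wildcards, case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())

def matches_rule(event, flag_patterns=("*4194304*",)):
    """The page's condition: EventCode=4104 AND *Get-ADUser* AND the flag literal.
    flag_patterns is any-of so the second clause can be widened (my extension)."""
    text = event.get("ScriptBlockText", "")
    return (event.get("EventCode") == 4104
            and wildcard_match(text, "*Get-ADUser*")
            and any(wildcard_match(text, p) for p in flag_patterns))

def aggregate(events, flag_patterns=("*4194304*",)):
    """stats count min(_time) as firstTime max(_time) as lastTime
       by Opcode Computer UserID EventCode ScriptBlockText | rename Computer as dest"""
    groups = defaultdict(list)
    for e in events:
        if matches_rule(e, flag_patterns):
            key = (e["Opcode"], e["Computer"], e["UserID"], e["EventCode"], e["ScriptBlockText"])
            groups[key].append(e["_time"])
    return [{"Opcode": k[0], "dest": k[1], "UserID": k[2], "EventCode": k[3],
             "ScriptBlockText": k[4], "count": len(t),
             "firstTime": min(t), "lastTime": max(t)}
            for k, t in groups.items()]

def apply_filter(rows, allow=KNOWN_AUDIT_PAIRS):
    """The trailing filter macro: drop rows for known, expected auditing activity."""
    return [r for r in rows if (r["dest"], r["UserID"]) not in allow]

def run(events, flag_patterns=("*4194304*",)):
    return apply_filter(aggregate(events, flag_patterns))

if __name__ == "__main__":
    for r in run(SAMPLE_EVENTS):
        print(f'{r["dest"]} {r["UserID"]} x{r["count"]}: {r["ScriptBlockText"]}')
    widened = ("*4194304*", "*DoesNotRequirePreAuth*")
    print("rows before filter, page's clause:", len(aggregate(SAMPLE_EVENTS)))
    print("rows before filter, widened clause:", len(aggregate(SAMPLE_EVENTS, widened)))
```

Two things worth noting from the run: the same user issuing the same script block twice collapses into one row with count 2 and a first/last time span, which is what makes the search cheap to triage; and the `-LDAPFilter` variant (the `1.2.840.113556.1.4.803` matching rule is LDAP_MATCHING_RULE_BIT_AND) is still caught only because it spells out 4194304, whereas `DoesNotRequirePreAuth -eq $true` is not, so a production deployment should consider widening the second clause as the `widened` tuple does.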