LoFP LoFP / administrators or power users may use this powershell commandlet for troubleshooting.

Techniques

Sample rules

Exchange PowerShell Module Usage

Description

The following analytic identifies the usage of Exchange PowerShell modules that were recently used for a proof of concept related to ProxyShell. Adversaries may abuse a limited set of PwSh Modules related to Exchange once gained access via ProxyShell or ProxyNotShell. Inherently, the usage of the modules is not malicious, but reviewing parallel processes, and user, of the session will assist with determining the intent. Module - New-MailboxExportRequest will begin the process of exporting contents of a primary mailbox or archive to a .pst file. Module - New-managementroleassignment can assign a management role to a management role group, management role assignment policy, user, or universal security group (USG). Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate of search results, place search results on In-Place Hold or copy them to a Discovery mailbox. You can also place all contents in a mailbox on hold by not specifying a search query, which accomplishes similar results as Litigation Hold. \ Module - Get-Recipient cmdlet to view existing recipient objects in your organization. This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users, mail contacts, and distribution groups).

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "Search-Mailbox") 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| rename Computer as dest 
|rename UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `exchange_powershell_module_usage_filter`

GetWmiObject Ds Computer with PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-WmiObject commandlet. The DS_Computer class parameter leverages WMI to query for all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_computer*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `getwmiobject_ds_computer_with_powershell_script_block_filter`

GetLocalUser with PowerShell

Description

This analytic looks for the execution of powershell.exe with command-line arguments utilized to query for local users. The Get-LocalUser commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-LocalUser*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `getlocaluser_with_powershell_filter`

User Discovery With Env Vars PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the use of PowerShell environment variables to identify the current logged user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText = "*$env:UserName*" OR ScriptBlockText = "*[System.Environment]::UserName*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id 
| rename Computer as dest, user_id as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `user_discovery_with_env_vars_powershell_script_block_filter`

GetCurrent User with PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the GetCurrent method of the WindowsIdentity .NET class. This method returns an object that represents the current Windows user. Red Teams and adversaries may leverage this method to identify the logged user on a compromised endpoint for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*"  ScriptBlockText = "*GetCurrent()*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest, UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `getcurrent_user_with_powershell_script_block_filter`

GetDomainController with PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-DomainController commandlet. Get-DomainController is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. Red Teams and adversaries alike may use PowerView to enumerate domain computers for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainController*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `getdomaincontroller_with_powershell_script_block_filter`

GetAdComputer with PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-AdGroup commandlet. The Get-AdGroup commandlet is used to return a list of all domain computers. Red Teams and adversaries may leverage this commandlet to enumerate domain computers for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText = "*Get-AdComputer*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `getadcomputer_with_powershell_script_block_filter`

GetWmiObject User Account with PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-WmiObject commandlet used with specific parameters. The Win32_UserAccount parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText="*Get-WmiObject*" AND ScriptBlockText="*Win32_UserAccount*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| `security_content_ctime(firstTime)` 
| `getwmiobject_user_account_with_powershell_script_block_filter`

GetNetTcpconnection with PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-NetTcpconnection commandlet. This commandlet is used to return a listing of network connections on a compromised system. Red Teams and adversaries alike may use this commandlet for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText = "*Get-NetTcpconnection*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `getnettcpconnection_with_powershell_script_block_filter`

GetWmiObject Ds Group with PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-WmiObject commandlet used with specific parameters . The DS_Group parameter leverages WMI to query for all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_group*") 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| rename Computer as dest 
| rename UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)`
|`getwmiobject_ds_group_with_powershell_script_block_filter`

GetAdGroup with PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-AdGroup commandlet. The Get-AdGroup commandlet is used to return a list of all domain groups. Red Teams and adversaries may leverage this commandlet to enumerate domain groups for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest, UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `getadgroup_with_powershell_script_block_filter`

GetLocalUser with PowerShell Script Block

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-LocalUser commandlet. The Get-LocalUser commandlet is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.

Detection logic

`powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*") 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `getlocaluser_with_powershell_script_block_filter`

GetWmiObject User Account with PowerShell

Description

This analytic looks for the execution of powershell.exe with command-line arguments utilized to query local users. The Get-WmiObject commandlet combined with the Win32_UserAccount parameter is used to return a list of all local users. Red Teams and adversaries may leverage this commandlet to enumerate users for situational awareness and Active Directory Discovery.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.process_name="powershell.exe") (Processes.process=*Get-WmiObject* AND Processes.process=*Win32_UserAccount*) by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
| `drop_dm_object_name(Processes)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `getwmiobject_user_account_with_powershell_filter`