GetDomainGroup with PowerShell Script Block
- source: splunk
- techniques:
- T1069
- T1069.002
Description
The following analytic uses PowerShell Script Block Logging (EventCode=4104) to identify execution of the Get-DomainGroup cmdlet. Get-DomainGroup is part of PowerView, a PowerShell tool used to perform enumeration on Windows domains. As the name suggests, Get-DomainGroup is used to query domain groups. Red Teams and adversaries may leverage this function to enumerate domain groups for situational awareness and Active Directory Discovery.
Detection logic
`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroup*")
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText
| `security_content_ctime(firstTime)`
| `getdomaingroup_with_powershell_script_block_filter`
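The following is an added example, not part of Splunk's rule: it emulates the search above in Python over a handful of constructed 4104 events, applying the case-insensitive wildcard match on ScriptBlockText and the stats aggregation by Opcode, Computer, UserID, EventCode and ScriptBlockText. The host names, SIDs and timestamps are made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

GROUP_FIELDS = ("Opcode", "Computer", "UserID", "EventCode", "ScriptBlockText")

def ev(t, code, computer, user, text):
    """Build one constructed script block event with the fields the search uses."""
    return {"_time": t, "EventCode": code, "Opcode": "Create",
            "Computer": computer, "UserID": user, "ScriptBlockText": text}

# Constructed sample events (not real telemetry). The last two should NOT match:
# one is a different cmdlet, the other is not EventCode 4104.
SAMPLE_EVENTS = [
    ev("2024-01-10T09:15:02+00:00", 4104, "WS01.corp.example", "S-1-5-21-1-2-3-1104",
       "Get-DomainGroup -Identity 'Domain Admins'"),
    ev("2024-01-10T09:15:40+00:00", 4104, "WS01.corp.example", "S-1-5-21-1-2-3-1104",
       "Get-DomainGroup -Identity 'Domain Admins'"),
    ev("2024-01-10T09:16:11+00:00", 4104, "WS02.corp.example", "S-1-5-21-1-2-3-1105",
       "get-domaingroup | select samaccountname"),
    ev("2024-01-10T09:17:00+00:00", 4104, "WS02.corp.example", "S-1-5-21-1-2-3-1105",
       "Get-ADGroup -Filter *"),
    ev("2024-01-10T09:18:00+00:00", 4103, "WS03.corp.example", "S-1-5-21-1-2-3-1106",
       "Get-DomainGroup"),
]

def wildcard_to_regex(pattern):
    """Translate a Splunk-style wildcard such as "*Get-DomainGroup*" into a regex.
    Splunk compares field values case-insensitively, so the regex does too."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def detect_get_domain_group(events, pattern="*Get-DomainGroup*"):
    """Emulate: EventCode=4104 ScriptBlockText=<pattern>
    | stats count min(_time) as firstTime max(_time) as lastTime by GROUP_FIELDS"""
    matcher = wildcard_to_regex(pattern)
    groups = defaultdict(list)
    for e in events:
        if e.get("EventCode") != 4104 or not matcher.match(e.get("ScriptBlockText", "")):
            continue
        key = tuple(e.get(f) for f in GROUP_FIELDS)
        groups[key].append(datetime.fromisoformat(e["_time"]))
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_FIELDS, key))
        row.update(count=len(times), firstTime=min(times).isoformat(),
                   lastTime=max(times).isoformat())
        rows.append(row)
    return rows

if __name__ == "__main__":
    for row in detect_get_domain_group(SAMPLE_EVENTS):
        print(row)
```

The `getdomaingroup_with_powershell_script_block_filter` macro is where an analyst would suppress known-good administrative hosts; that allowlisting step is intentionally left out of the emulation.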