LoFP / it is possible there will be false positives, filter as needed.

Techniques

• T1059
• T1059.001
• T1115

Sample rules

PowerShell Domain Enumeration

• source: splunk
• technicques:
  • T1059
  • T1059.001

Description

The following analytic detects the execution of PowerShell commands used for domain enumeration, such as get-netdomaintrust and get-adgroupmember. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze the full command sent to PowerShell. This activity is significant as it often indicates reconnaissance efforts by an attacker to map out the domain structure and identify key users and groups. If confirmed malicious, this behavior could lead to further targeted attacks, privilege escalation, and unauthorized access to sensitive information within the domain.

Detection logic

`powershell` EventCode=4104 ScriptBlockText IN (*get-netdomaintrust*, *get-netforesttrust*, *get-addomain*, *get-adgroupmember*, *get-domainuser*) 
| stats count min(_time) as firstTime max(_time) as lastTime by Computer EventCode ScriptBlockText UserID 
| rename Computer as dest 
| rename UserID as user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `powershell_domain_enumeration_filter`

Windows ClipBoard Data via Get-ClipBoard

• source: splunk
• technicques:
  • T1115

Description

The following analytic detects the execution of the PowerShell command ‘Get-Clipboard’ to retrieve clipboard data. It leverages PowerShell Script Block Logging (EventCode 4104) to identify instances where this command is used. This activity is significant because it can indicate an attempt to steal sensitive information such as usernames, passwords, or other confidential data copied to the clipboard. If confirmed malicious, this behavior could lead to unauthorized access to sensitive information, potentially compromising user accounts and other critical assets.

Detection logic

`powershell` EventCode=4104 ScriptBlockText = "*Get-Clipboard*" 
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID 
| rename Computer as dest 
| rename UserID as user
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_clipboard_data_via_get_clipboard_filter`