Techniques
Sample rules
PowerShell Suspicious Discovery Related Windows API Functions
- source: elastic
- techniques:
- T1007
- T1016
- T1033
- T1039
- T1059
- T1069
- T1082
- T1087
- T1106
- T1135
- T1201
- T1482
Description
Detects PowerShell script blocks that reference native Windows API functions commonly used to enumerate users, groups, shares, sessions, logon sessions, domain trusts, and service security descriptors. Attackers call these APIs (typically via Add-Type P/Invoke or reflection) for situational awareness and target selection prior to lateral movement or collection.
Detection logic
event.category:process and host.os.type:windows and
powershell.file.script_block_text : (
NetShareEnum or
NetWkstaUserEnum or
NetSessionEnum or
NetLocalGroupEnum or
NetLocalGroupGetMembers or
DsGetSiteName or
DsEnumerateDomainTrusts or
WTSEnumerateSessionsEx or
WTSQuerySessionInformation or
LsaGetLogonSessionData or
QueryServiceObjectSecurity or
GetComputerNameEx or
NetWkstaGetInfo or
GetUserNameEx or
NetUserEnum or
NetUserGetInfo or
NetGroupEnum or
NetGroupGetInfo or
NetGroupGetUsers or
NetWkstaTransportEnum or
NetServerGetInfo or
LsaEnumerateTrustedDomains or
NetScheduleJobEnum or
NetUserModalsGet
) and
not powershell.file.script_block_text : (
("DsGetSiteName" and ("DiscoverWindowsComputerProperties.ps1" and "param($SourceType, $SourceId, $ManagedEntityId, $ComputerIdentity)")) or
("# Copyright: (c) 2018, Ansible Project" and "#Requires -Module Ansible.ModuleUtils.AddType" and "#AnsibleRequires -CSharpUtil Ansible.Basic") or
("Ansible.Windows.Setup" and "Ansible.Windows.Setup" and "NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);")
) and
not file.directory: "C:\Program Files (x86)\Automox\WDK\Win32\WinSession"
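The query above re-implemented in Python and run over constructed script block events, as an added example (not Elastic's rule code or real telemetry). It shows two things a practitioner would want to confirm before deploying the rule: the Ansible exclusion only suppresses an event when all three marker strings are present together, and the Automox exclusion is an exact comparison on the keyword field file.directory, not a content match. Field names follow the query; the matching is an approximation of KQL text-field matching (case-insensitive, whole-word for the API names, substring for the quoted exclusion phrases).

```python
"""Discovery-API rule logic over constructed events (added example, not Elastic's code)."""
import re

# API names from the rule's first clause.
API_FUNCTIONS = [
    "NetShareEnum", "NetWkstaUserEnum", "NetSessionEnum", "NetLocalGroupEnum",
    "NetLocalGroupGetMembers", "DsGetSiteName", "DsEnumerateDomainTrusts",
    "WTSEnumerateSessionsEx", "WTSQuerySessionInformation", "LsaGetLogonSessionData",
    "QueryServiceObjectSecurity", "GetComputerNameEx", "NetWkstaGetInfo", "GetUserNameEx",
    "NetUserEnum", "NetUserGetInfo", "NetGroupEnum", "NetGroupGetInfo", "NetGroupGetUsers",
    "NetWkstaTransportEnum", "NetServerGetInfo", "LsaEnumerateTrustedDomains",
    "NetScheduleJobEnum", "NetUserModalsGet",
]
# Whole-word, case-insensitive: approximates a KQL match on an analyzed text field.
API_RE = re.compile(r"\b(" + "|".join(API_FUNCTIONS) + r")\b", re.IGNORECASE)
_CANONICAL = {a.lower(): a for a in API_FUNCTIONS}

# Exclusion groups: every phrase in a tuple must be present (the inner "and" groups).
EXCLUSIONS = [
    ("DsGetSiteName", "DiscoverWindowsComputerProperties.ps1",
     "param($SourceType, $SourceId, $ManagedEntityId, $ComputerIdentity)"),
    ("# Copyright: (c) 2018, Ansible Project",
     "#Requires -Module Ansible.ModuleUtils.AddType",
     "#AnsibleRequires -CSharpUtil Ansible.Basic"),
    ("Ansible.Windows.Setup", "NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);"),
]
# file.directory is a keyword field in the rule, so this is an exact comparison.
EXCLUDED_DIR = r"C:\Program Files (x86)\Automox\WDK\Win32\WinSession"


def referenced_apis(text):
    """Discovery APIs named in a script block, deduplicated in order of appearance."""
    found = []
    for m in API_RE.finditer(text):
        name = _CANONICAL[m.group(1).lower()]
        if name not in found:
            found.append(name)
    return found


def hits_exclusion(text):
    """True when ALL phrases of any one exclusion group appear (case-insensitive substring)."""
    low = text.lower()
    return any(all(p.lower() in low for p in group) for group in EXCLUSIONS)


def rule_matches(event):
    """Evaluate the full query against one ECS-shaped event dict."""
    if event.get("event.category") != "process" or event.get("host.os.type") != "windows":
        return False
    text = event.get("powershell.file.script_block_text", "")
    if not referenced_apis(text) or hits_exclusion(text):
        return False
    return event.get("file.directory") != EXCLUDED_DIR


def alerts(events):
    """(index, referenced APIs) for every event the rule would fire on."""
    return [(i, referenced_apis(e["powershell.file.script_block_text"]))
            for i, e in enumerate(events) if rule_matches(e)]


def _win(text, directory=None):
    ev = {"event.category": "process", "host.os.type": "windows",
          "powershell.file.script_block_text": text}
    if directory:
        ev["file.directory"] = directory
    return ev


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 0: Add-Type P/Invoke of two netapi32 enumeration calls, the pattern the rule is after.
    _win('Add-Type -MemberDefinition @"\n'
         '[DllImport("netapi32.dll")] public static extern int NetSessionEnum('
         'string s, string c, string u, int l, out IntPtr b, int p, out int r, out int t, ref int h);\n'
         '[DllImport("netapi32.dll")] public static extern int NetShareEnum('
         'string s, int l, out IntPtr b, int p, out int r, out int t, ref int h);\n'
         '"@ -Name NetApi -Namespace Win32'),
    # 1: Ansible module header with all three markers: suppressed by the second exclusion.
    _win("#!powershell\n# Copyright: (c) 2018, Ansible Project\n"
         "#Requires -Module Ansible.ModuleUtils.AddType\n"
         "#AnsibleRequires -CSharpUtil Ansible.Basic\n"
         "$res = NativeMethods.NetWkstaGetInfo(null, 100, out netBuffer);"),
    # 2: Only two of the three Ansible markers: the exclusion does NOT apply, so it fires.
    _win("# Copyright: (c) 2018, Ansible Project\n"
         "#Requires -Module Ansible.ModuleUtils.AddType\n"
         "$r = [Win32.NetApi]::NetWkstaGetInfo($null, 100, [ref]$buf)"),
    # 3: Session enumeration from the excluded Automox directory (exact path match).
    _win("$s = [Win32.Wts]::WTSEnumerateSessionsEx($h, [ref]1, 0, [ref]$p, [ref]$n)",
         directory=EXCLUDED_DIR),
    # 4: Same API name on a non-Windows host: out of scope.
    {"event.category": "process", "host.os.type": "linux",
     "powershell.file.script_block_text": "[Win32.NetApi]::NetUserEnum($null, 0, 2, [ref]$b)"},
    # 5: Benign cmdlet-based discovery, no native API names.
    _win("Get-ADUser -Filter * | Select-Object SamAccountName"),
]

if __name__ == "__main__":
    for idx, apis in alerts(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(apis)}")
```

Two caveats follow from running this. First, every exclusion except the Automox path keys on strings inside the script block itself, which an attacker controls: prepending the three Ansible header lines to a discovery script would suppress the alert, so content-based exclusions should stay as narrow as the rule keeps them and be paired with the process or path context where possible. Second, powershell.file.script_block_text is only populated when PowerShell script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) is enabled on the host; without it the rule has nothing to match.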