AD Groups Or Users Enumeration Using PowerShell - PoshModule

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Sigma rule

title: AD Groups Or Users Enumeration Using PowerShell - PoshModule
id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4
status: test
description: |
    Adversaries may attempt to find domain-level groups and permission settings.
    The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
    Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
author: frack113
date: 2021/12/15
modified: 2023/01/20
tags:
    - attack.discovery
    - attack.t1069.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_ad_principal:
        - Payload|contains: 'get-ADPrincipalGroupMembership'
        - ContextInfo|contains: 'get-ADPrincipalGroupMembership'
    selection_get_aduser:
        - Payload|contains|all:
              - get-aduser
              - '-f '
              - '-pr '
              - DoesNotRequirePreAuth
        - ContextInfo|contains|all:
              - get-aduser
              - '-f '
              - '-pr '
              - DoesNotRequirePreAuth
    condition: 1 of selection_*
falsepositives:
    - Administrator script
level: low
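As an added example (not the Sigma project's code and not part of this rule), the following Python evaluator applies the rule's matching logic to constructed PowerShell module-logging (Event ID 4103) records, mirroring Sigma's case-insensitive 'contains' and 'contains|all' semantics. The field contents are made up; the last sample event shows that the '-f ' and '-pr ' terms only catch the abbreviated parameter spellings, so the same query written with -Filter and -Properties passes unmatched.

```python
# Added example: evaluates the Sigma rule above against constructed 4103
# (PowerShell module logging) records. Sigma's contains / contains|all
# modifiers are case-insensitive; the field values below are made up.

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Payload": 'CommandInvocation(Get-ADPrincipalGroupMembership): "Get-ADPrincipalGroupMembership"',
     "ContextInfo": "Command Name = Get-ADPrincipalGroupMembership"},
    {"Payload": "CommandInvocation(Get-ADUser): ...",
     "ContextInfo": "Command Name = Get-ADUser\r\nCommand = get-aduser -f * -pr DoesNotRequirePreAuth"},
    {"Payload": "CommandInvocation(Get-ADUser): ...",
     "ContextInfo": "Command = Get-ADUser -Identity jdoe -Properties mail"},
    {"Payload": "CommandInvocation(Get-Process)",
     "ContextInfo": "Command = Get-Process -Name lsass"},
    # Same query as event 1 but with full parameter names: the rule's
    # '-f ' and '-pr ' terms do not occur, so this one is NOT matched.
    {"Payload": "CommandInvocation(Get-ADUser): ...",
     "ContextInfo": "Command = Get-ADUser -Filter * -Properties DoesNotRequirePreAuth"},
]

FIELDS = ("Payload", "ContextInfo")
GET_ADUSER_TERMS = ("get-aduser", "-f ", "-pr ", "DoesNotRequirePreAuth")

def contains(event, field, needle):
    """Sigma 'contains': case-insensitive substring test on one field."""
    return needle.lower() in str(event.get(field, "")).lower()

def contains_all(event, field, needles):
    """Sigma 'contains|all': every value must occur in the same field."""
    return all(contains(event, field, n) for n in needles)

def selection_ad_principal(event):
    # A list of field maps in Sigma is OR-ed: either field may hit.
    return any(contains(event, f, "get-ADPrincipalGroupMembership") for f in FIELDS)

def selection_get_aduser(event):
    return any(contains_all(event, f, GET_ADUSER_TERMS) for f in FIELDS)

def rule_matches(event):
    """condition: 1 of selection_* -> OR across the selections."""
    return selection_ad_principal(event) or selection_get_aduser(event)

def matching_indexes(events=SAMPLE_EVENTS):
    """Indexes of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]

if __name__ == "__main__":
    print("matched events:", matching_indexes())  # [0, 1]
```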
