PowerShell ADRecon Execution
Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
Sigma rule
title: PowerShell ADRecon Execution
id: bf72941a-cba0-41ea-b18c-9aca3925690d
status: test
description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
references:
    - https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
    - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
author: Bhabesh Raj
date: 2021-07-16
modified: 2022-09-06
tags:
    - attack.discovery
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Function Get-ADRExcelComOb'
            - 'Get-ADRGPO'
            - 'Get-ADRDomainController'
            - 'ADRecon-Report.xlsx' # Default
    condition: selection
falsepositives:
    - Unknown
level: high
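To see what the selection above actually fires on, here is an added example (not part of the Sigma project or this rule) that evaluates the four ScriptBlockText|contains indicators over constructed Event ID 4104 script block log records. The event field names follow the Windows PowerShell Operational log schema; the script text inside them is made up, and the ActiveDirectory-module record is included to show that the ADR-prefixed names do not collide with the built-in cmdlets.

```python
"""Added example: run the rule's ScriptBlockText|contains selection over
constructed 4104 (ps_script) records. Not the Sigma project's own code."""

# Indicator strings copied from the rule's selection list.
INDICATORS = (
    "Function Get-ADRExcelComOb",
    "Get-ADRGPO",
    "Get-ADRDomainController",
    "ADRecon-Report.xlsx",
)

# Constructed sample records. Script Block Logging splits a long script into
# several 4104 fragments sharing one ScriptBlockId, so each fragment is matched
# on its own, which is exactly how the rule sees the data.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "block-A", "MessageNumber": 1, "MessageTotal": 3,
     "ScriptBlockText": "param($Method)\nFunction Get-ADRDomainController {\n    # ..."},
    {"EventID": 4104, "ScriptBlockId": "block-A", "MessageNumber": 2, "MessageTotal": 3,
     "ScriptBlockText": "# helper code with no indicator string in this fragment"},
    {"EventID": 4104, "ScriptBlockId": "block-A", "MessageNumber": 3, "MessageTotal": 3,
     "ScriptBlockText": "$ExcelPath = 'C:\\Temp\\ADRecon-Report.xlsx'\nGet-ADRGPO -Credential $Cred"},
    {"EventID": 4104, "ScriptBlockId": "block-B", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Import-Module ActiveDirectory\nGet-ADDomainController -Filter *"},
]


def matches_adrecon(script_block_text):
    """Return the indicators present in one script block; Sigma 'contains' is case-insensitive."""
    haystack = script_block_text.lower()
    return [ind for ind in INDICATORS if ind.lower() in haystack]


def scan_events(events):
    """Return (ScriptBlockId, MessageNumber, hits) for every 4104 fragment the rule fires on."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:  # only script block logging records are in scope
            continue
        hits = matches_adrecon(ev.get("ScriptBlockText", ""))
        if hits:
            alerts.append((ev["ScriptBlockId"], ev["MessageNumber"], hits))
    return alerts


if __name__ == "__main__":
    for block_id, num, hits in scan_events(SAMPLE_EVENTS):
        print(f"ALERT {block_id} fragment {num}: {', '.join(hits)}")
```

Only fragments 1 and 3 of block-A match, which is why the rule carries several indicators rather than a single filename: a fragment that holds none of them produces no event, and alerts should be correlated per ScriptBlockId when reviewing.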
Related rules
- BloodHound Collection Files
- HackTool - Bloodhound/Sharphound Execution
- HackTool - CrackMapExec Execution
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ScriptBlock