DirectorySearcher Powershell Exploitation
Enumerates Active Directory to determine computers that are joined to the domain
Sigma rule (View on GitHub)
1title: DirectorySearcher Powershell Exploitation
2id: 1f6399cf-2c80-4924-ace1-6fcff3393480
3status: test
4description: Enumerates Active Directory to determine computers that are joined to the domain
5references:
6 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
7author: frack113
8date: 2022/02/12
9tags:
10 - attack.discovery
11 - attack.t1018
12logsource:
13 product: windows
14 category: ps_script
15 definition: 'Requirements: Script Block Logging must be enabled'
16detection:
17 selection:
18 ScriptBlockText|contains|all:
19 - 'New-Object '
20 - 'System.DirectoryServices.DirectorySearcher'
21 - '.PropertiesToLoad.Add'
22 - '.findall()'
23 - 'Properties.name'
24 condition: selection
25falsepositives:
26 - Unknown
27level: medium
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
- Powershell Directory Enumeration
- Suspicious Process Discovery With Get-Process
- System Network Connections Discovery - Linux
- Password Policy Discovery