Suspicious Get-ADReplAccount

The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Sigma rule

title: Suspicious Get-ADReplAccount
id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73
status: test
description: |
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
    These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
    - https://www.powershellgallery.com/packages/DSInternals
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
author: frack113
date: 2022/02/06
tags:
    - attack.credential_access
    - attack.t1003.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Get-ADReplAccount
            - '-All '
            - '-Server '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
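The following is an added example, not part of the Sigma rule or the DSInternals project, that replays the rule's `contains|all` selection over a few constructed PowerShell Script Block Logging records (Event ID 4104). It shows why the rule quotes `'-All '` and `'-Server '` with a trailing space (the parameter name followed by a space, not an arbitrary substring) and that Sigma string matching is case-insensitive by default, so a lower-cased invocation still matches. The sample ScriptBlockText values and host names are constructed for illustration.

```python
"""Added example: evaluate the Sigma detection above against constructed
Script Block Logging (Event ID 4104) records. Not the rule's own tooling."""

# The three strings the selection requires (ScriptBlockText|contains|all).
# '-All ' and '-Server ' keep their trailing space on purpose: the rule wants
# the parameter followed by whitespace, which is why the YAML quotes them.
REQUIRED_SUBSTRINGS = ("Get-ADReplAccount", "-All ", "-Server ")


def matches_rule(script_block_text: str) -> bool:
    """contains|all: every listed substring must appear in the field.
    Sigma string modifiers are case-insensitive by default, so compare
    lower-cased on both sides."""
    text = script_block_text.lower()
    return all(s.lower() in text for s in REQUIRED_SUBSTRINGS)


# Constructed sample events (not real telemetry). Field names follow the
# Windows PowerShell 4104 event; only EventID and ScriptBlockText are used.
SAMPLE_EVENTS = [
    {"EventID": 4104,
     "ScriptBlockText": "Get-ADReplAccount -All -Server dc01.corp.example"},
    # Single-account lookup: has -Server but not -All, so the rule does not fire.
    {"EventID": 4104,
     "ScriptBlockText": "Get-ADReplAccount -SamAccountName jdoe -Server dc01.corp.example"},
    # Unrelated AD cmdlet using the same -Server parameter: no match.
    {"EventID": 4104,
     "ScriptBlockText": "Get-ADUser -Filter * -Server dc01.corp.example"},
    # Same command typed in lower case: still matches (case-insensitive).
    {"EventID": 4104,
     "ScriptBlockText": "get-adreplaccount -all -server DC01"},
    # Different event ID (module logging): outside the ps_script log source.
    {"EventID": 4103,
     "ScriptBlockText": "Get-ADReplAccount -All -Server dc01.corp.example"},
]


def evaluate(events):
    """Apply the logsource filter (script block events only) and the
    selection, returning (ScriptBlockText, matched) pairs."""
    return [(e["ScriptBlockText"], matches_rule(e["ScriptBlockText"]))
            for e in events if e["EventID"] == 4104]


if __name__ == "__main__":
    for text, hit in evaluate(SAMPLE_EVENTS):
        print(f"{'ALERT ' if hit else 'ignore'}  {text}")
```

One operational caveat when deploying this rule: PowerShell splits long scripts across several 4104 events, so a `contains|all` check evaluated per event can miss an invocation whose three tokens land in different fragments; correlating fragments by ScriptBlockId before matching closes that gap.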
