AD Groups Or Users Enumeration Using PowerShell - ScriptBlock

calendar Jan 4, 2023 · attack.discovery attack.t1069.001  ·
Share on: linkedin copy

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Sigma rule (View on GitHub)

 1title: AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
 2id: 88f0884b-331d-403d-a3a1-b668cf035603
 3status: test
 4description: |
 5    Adversaries may attempt to find domain-level groups and permission settings.
 6    The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
 7    Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
10author: frack113
11date: 2021/12/15
12modified: 2022/12/25
13tags:
14    - attack.discovery
15    - attack.t1069.001
16logsource:
17    product: windows
18    category: ps_script
19    definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21    test_2:
22        ScriptBlockText|contains: get-ADPrincipalGroupMembership
23    test_7:
24        ScriptBlockText|contains|all:
25            - get-aduser
26            - '-f '
27            - '-pr '
28            - DoesNotRequirePreAuth
29    condition: 1 of test_*
30falsepositives:
31    - Unknown
32level: low

References

Related rules

to-top