splApache-2.0from splunk/security_content
Domain Group Discovery with Adsisearcher
The following analytic detects the use of the `[Adsisearcher]` type accelerator in PowerShell to query Active Directory for domain groups. It leverages PowerShell Script Block Logging (EventCode=4104) to identify specific script blocks containing `[adsisearcher]` and group-related queries. This activity is significant as it may indicate an attempt by adversaries or Red Teams to enumerate domain groups for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, privilege escalation, or lateral movement within the network.
Quality
43
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/domain_group_discovery_with_adsisearcher.yml
`powershell` (ScriptBlockText = "*[adsisearcher]*" AND ScriptBlockText = "*(objectcategory=group)*" AND ScriptBlockText = "*findAll()*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `domain_group_discovery_with_adsisearcher_filter`