← Library
splApache-2.0from splunk/security_content

Get ADUserResultantPasswordPolicy with Powershell Script Block

The following analytic detects the execution of the `Get-ADUserResultantPasswordPolicy` PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Monitoring this behavior is significant as it may indicate an attempt to enumerate domain policies, a common tactic used by adversaries for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to understand password policies, aiding in further attacks such as password guessing or policy exploitation.

Quality
59
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/get_aduserresultantpasswordpolicy_with_powershell_script_block.yml
`powershell` EventCode=4104 ScriptBlockText="*Get-ADUserResultantPasswordPolicy*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter`