SPL, Apache-2.0, from splunk/security_content

Get DomainPolicy with Powershell Script Block

The following analytic detects the execution of the `Get-DomainPolicy` cmdlet using PowerShell Script Block Logging (EventCode=4104). It leverages logs capturing script block text to identify attempts to obtain the password policy in a Windows domain. This activity is significant as it indicates potential reconnaissance efforts by adversaries or Red Teams to gather domain policy information, which is crucial for planning further attacks. If confirmed malicious, this behavior could lead to detailed knowledge of domain security settings, aiding in privilege escalation or lateral movement within the network.

Quality: 59
Rule source: detections/endpoint/get_domainpolicy_with_powershell_script_block.yml
`powershell` EventCode=4104 ScriptBlockText ="*Get-DomainPolicy*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `get_domainpolicy_with_powershell_script_block_filter`
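To check what the search above actually produces before deploying it, the following is an added Python re-implementation of its filter and `stats` step run over a handful of constructed EventCode 4104 records. It is not part of the Splunk security_content rule or of Splunk itself; the event dicts, hostnames, user names and timestamps are made up, the field names mirror the SPL, and the wildcard match approximates Splunk's case-insensitive field matching with `fnmatch`. The group-by key is shortened to `dest` and `user_id` so the result stays readable; the rule's full key works the same way.

```python
"""Added example, not code from the security_content project: a small
re-implementation of the Get-DomainPolicy 4104 detection so the filter and
the first/last-time aggregation can be exercised offline."""
import fnmatch

# Constructed sample events (epoch seconds, fake hosts/users), not real telemetry.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "dest": "ws01.corp.local",
     "user_id": "CORP\\alice", "ScriptBlockId": "b1",
     "ScriptBlockText": "Import-Module .\\PowerView.ps1; Get-DomainPolicy"},
    # Same cmdlet in lower case: Splunk wildcard matching is case-insensitive,
    # so this must still be counted.
    {"_time": 1700000060, "EventCode": 4104, "dest": "ws01.corp.local",
     "user_id": "CORP\\alice", "ScriptBlockId": "b2",
     "ScriptBlockText": "get-domainpolicy -Domain corp.local"},
    # Benign script block on another host: must not match.
    {"_time": 1700000120, "EventCode": 4104, "dest": "srv02.corp.local",
     "user_id": "CORP\\svc_backup", "ScriptBlockId": "b3",
     "ScriptBlockText": "Get-Date; Get-ChildItem C:\\Backups"},
    # Right text, wrong EventCode (4103 is module logging): excluded by the filter.
    {"_time": 1700000180, "EventCode": 4103, "dest": "ws01.corp.local",
     "user_id": "CORP\\alice", "ScriptBlockId": "b4",
     "ScriptBlockText": "Get-DomainPolicy"},
]

PATTERN = "*Get-DomainPolicy*"  # the rule's ScriptBlockText wildcard


def matches(event, pattern=PATTERN):
    """Equivalent of `EventCode=4104 ScriptBlockText="*Get-DomainPolicy*"`.

    Both sides are lower-cased to approximate Splunk's case-insensitive
    wildcard comparison on field values.
    """
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText") or ""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def detect(events, group_by=("dest", "user_id")):
    """Equivalent of `stats count min(_time) as firstTime max(_time) as lastTime BY ...`.

    Missing group-by fields are filled with 0, mirroring the rule's `fillnull`
    default, so events lacking a field still land in a bucket instead of being
    silently dropped by the stats step.
    """
    rows = {}
    for ev in events:
        if not matches(ev):
            continue
        key = tuple(ev.get(field, 0) for field in group_by)
        row = rows.setdefault(
            key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
    return rows


if __name__ == "__main__":
    for key, row in detect(SAMPLE_EVENTS).items():
        print(key, row)
```

Running it yields a single row for `ws01.corp.local` / `CORP\alice` with `count` 2, which is what the real search should show for equivalent 4104 events; if the Splunk search returns nothing for such a host, script block logging is not enabled or the `powershell` macro does not resolve to the index receiving the events. Note that long scripts are split by PowerShell across several 4104 records sharing a `ScriptBlockId`, which is why the rule keeps that field in the group-by key.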