Language: SPL | License: Apache-2.0 | Source: splunk/security_content

Get-DomainTrust with PowerShell Script Block

The following analytic detects the execution of the Get-DomainTrust command from PowerView using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed inspection. Identifying this activity is significant because it may indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could enable an attacker to map trust relationships within the domain, potentially leading to further exploitation and compromise of additional systems.

Quality: 59
FP risk: (no value shown)
Rule source: detections/endpoint/get_domaintrust_with_powershell_script_block.yml
`powershell` EventCode=4104 ScriptBlockText = "*get-domaintrust*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `get_domaintrust_with_powershell_script_block_filter`
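The following Python is an added illustration of what the SPL above does, not code from splunk/security_content: it runs the base search (EventCode 4104 plus a case-insensitive Splunk-style wildcard on ScriptBlockText) over a handful of constructed 4104 records and then reproduces the stats step. The constructed events, hostnames and user names are sample data invented for the example, and the grouping is deliberately reduced to dest and user_id (the SPL also groups on signature, ScriptBlockId, ScriptBlockText and the other listed fields, which effectively gives one row per script block); the per-group list of ScriptBlockId values is kept so an analyst can still pull the full text of each matching block.

```python
import re
from datetime import datetime, timezone

# Constructed sample EventCode 4104/4103 records (not real telemetry). Field
# names mirror the ones the SPL groups on.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "EventCode": 4104, "dest": "ws01.corp.local",
     "user_id": "CORP\\alice", "ScriptBlockId": "a1",
     "ScriptBlockText": "Get-DomainTrust -Domain corp.local"},
    {"_time": "2024-05-01T10:02:00Z", "EventCode": 4104, "dest": "ws01.corp.local",
     "user_id": "CORP\\alice", "ScriptBlockId": "a2",
     "ScriptBlockText": "get-domaintrust | Format-Table"},          # lower case still matches
    {"_time": "2024-05-01T10:05:00Z", "EventCode": 4104, "dest": "srv02.corp.local",
     "user_id": "CORP\\svc_backup", "ScriptBlockId": "b1",
     "ScriptBlockText": "Get-ChildItem C:\\Backups"},                # benign, no match
    {"_time": "2024-05-01T10:07:00Z", "EventCode": 4103, "dest": "ws01.corp.local",
     "user_id": "CORP\\alice", "ScriptBlockId": "a3",
     "ScriptBlockText": "Get-DomainTrust"},                          # wrong EventCode, ignored
    {"_time": "2024-05-01T10:09:00Z", "EventCode": 4104, "dest": "dc01.corp.local",
     "user_id": "CORP\\bob", "ScriptBlockId": "c1",
     "ScriptBlockText": "function Get-DomainTrust { ... }"},         # module definition being loaded
]


def splunk_wildcard_to_regex(pattern):
    """Translate a Splunk wildcard term such as *get-domaintrust* into a regex.
    Splunk field matches are case-insensitive, hence re.IGNORECASE."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


GET_DOMAINTRUST = splunk_wildcard_to_regex("*get-domaintrust*")


def matches(event):
    """The base search: EventCode=4104 ScriptBlockText="*get-domaintrust*"."""
    if event.get("EventCode") != 4104:
        return False
    return bool(GET_DOMAINTRUST.match(event.get("ScriptBlockText", "")))


def parse_time(ts):
    """Sample timestamps are ISO-8601 UTC strings; Splunk would give epoch _time."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Equivalent of `stats count min(_time) as firstTime max(_time) as lastTime`,
    grouped here by (dest, user_id) only. Returns a dict keyed by that pair."""
    groups = {}
    for ev in events:
        if not matches(ev):
            continue
        key = (ev["dest"], ev["user_id"])
        t = parse_time(ev["_time"])
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t,
                                    "script_block_ids": []})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
        g["script_block_ids"].append(ev["ScriptBlockId"])
    return groups


if __name__ == "__main__":
    for (dest, user), g in detect(SAMPLE_EVENTS).items():
        print(f"{dest} {user} count={g['count']} "
              f"first={g['firstTime'].isoformat()} last={g['lastTime'].isoformat()} "
              f"blocks={g['script_block_ids']}")
```

Two properties of the match are worth noting when tuning this rule. It is a plain substring match, so it fires on any script block that contains the string, including the function definition text logged when the PowerView module itself is loaded (the dc01 sample); that is usually still worth a look, since it means the tooling is present on the host. Conversely it sees only the text Script Block Logging recorded, so the 4103 sample and any block that does not contain the literal string are not matched, which is why the stats output should be read alongside the surrounding 4104 events for the same dest and user.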