splApache-2.0from splunk/security_content
Get-ForestTrust with PowerShell Script Block
The following analytic detects the execution of the Get-ForestTrust command from PowerSploit using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into potentially suspicious activities. Monitoring this behavior is crucial as it can indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could allow an attacker to map trust relationships within the domain, facilitating further exploitation and access to sensitive resources.
Quality
59
FP risk
—
Forks
0
Views
0
Rule sourcedetections/endpoint/get_foresttrust_with_powershell_script_block.yml
`powershell` EventCode=4104 ScriptBlockText = "*get-foresttrust*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `get_foresttrust_with_powershell_script_block_filter`