← Library
splApache-2.0from splunk/security_content

GetAdComputer with PowerShell Script Block

The following analytic detects the execution of the `Get-AdComputer` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify when this commandlet is run. The `Get-AdComputer` commandlet is significant as it can be used by adversaries to enumerate all domain computers, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map the network, identify targets, and plan further attacks, potentially leading to unauthorized access and data exfiltration.

Quality
59
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/getadcomputer_with_powershell_script_block.yml
`powershell` EventCode=4104 (ScriptBlockText = "*Get-AdComputer*")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `getadcomputer_with_powershell_script_block_filter`