SPL detection from splunk/security_content (Apache-2.0)

GetAdGroup with PowerShell Script Block

The following analytic detects the execution of the `Get-AdGroup` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate all domain groups, which adversaries may exploit for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts within the network. If confirmed malicious, this behavior could lead to further exploitation, such as privilege escalation or lateral movement, by providing attackers with detailed information about the domain's group structure.

Rule source: detections/endpoint/getadgroup_with_powershell_script_block.yml
`powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `getadgroup_with_powershell_script_block_filter`
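To make the search's behaviour concrete, the following added example (not code from splunk/security_content) re-implements its filter and `stats` logic in Python over constructed EventCode=4104 records. It assumes a few things: the `BY` clause is reduced to `dest`, `user_id`, `ScriptBlockId` and `ScriptBlockText` for readability; `fillnull` is modelled as substituting the string "0" for missing fields; `security_content_ctime` is modelled as formatting epoch seconds as `%Y-%m-%dT%H:%M:%S` in UTC; and the sample events, hostnames and user names are invented. It shows two properties of the search worth knowing when tuning it: the wildcard match is case-insensitive, and `*Get-ADGroup*` also matches `Get-ADGroupMember`.

```python
import fnmatch
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of PowerShell Script Block Logging events (not real telemetry).
# Field names mirror the ones the SPL search keys on.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "_time": 1700000000, "dest": "WS01", "user_id": "CORP\\alice",
     "ScriptBlockId": "aaa-1", "ScriptBlockText": "Get-ADGroup -Filter * | Select-Object Name"},
    # Constructed duplicate of the block above, logged again later, to exercise count/firstTime/lastTime.
    {"EventCode": 4104, "_time": 1700000300, "dest": "WS01", "user_id": "CORP\\alice",
     "ScriptBlockId": "aaa-1", "ScriptBlockText": "Get-ADGroup -Filter * | Select-Object Name"},
    {"EventCode": 4104, "_time": 1700000060, "dest": "WS01", "user_id": "CORP\\alice",
     "ScriptBlockId": "aaa-2", "ScriptBlockText": "get-adgroup -Identity 'Domain Admins'"},
    {"EventCode": 4104, "_time": 1700000120, "dest": "SRV02", "user_id": "CORP\\svc-backup",
     "ScriptBlockId": "bbb-1", "ScriptBlockText": "Get-ChildItem C:\\Backups"},
    # Matching text but a 4103 (pipeline execution) event: not a script block, must not match.
    {"EventCode": 4103, "_time": 1700000180, "dest": "WS01", "user_id": "CORP\\alice",
     "ScriptBlockId": "ccc-1", "ScriptBlockText": "Get-ADGroup -Filter *"},
    # user_id absent: fillnull keeps this event in the stats output instead of dropping it.
    {"EventCode": 4104, "_time": 1700000240, "dest": "SRV02",
     "ScriptBlockId": "ddd-1", "ScriptBlockText": "Get-ADGroupMember -Identity 'Domain Admins'"},
]

PATTERN = "*Get-ADGroup*"                                            # the wildcard from the SPL search
GROUP_BY = ("dest", "user_id", "ScriptBlockId", "ScriptBlockText")  # assumed subset of the SPL BY fields
FILLNULL_VALUE = "0"                # assumed: `fillnull` with no arguments substitutes 0 for missing fields
CTIME_FORMAT = "%Y-%m-%dT%H:%M:%S"  # assumed output format of the security_content_ctime macro


def matches(event, pattern=PATTERN):
    """Mirror `EventCode=4104 ScriptBlockText = "*Get-ADGroup*"`.

    Splunk wildcard field matches are case-insensitive, so both sides are
    lower-cased. The pattern is an unanchored substring, so it also matches
    Get-ADGroupMember; that is a property of the search, reproduced here on purpose.
    """
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText") or ""
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def aggregate(events, group_by=GROUP_BY):
    """Mirror `fillnull | stats count min(_time) as firstTime max(_time) as lastTime BY ...`.

    Returns {group_key_tuple: {"count", "firstTime", "lastTime"}} with epoch-second times.
    """
    rows = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for ev in events:
        if not matches(ev):
            continue
        key = tuple(ev.get(field, FILLNULL_VALUE) for field in group_by)
        row = rows[key]
        t = ev["_time"]
        row["count"] += 1
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
    return dict(rows)


def ctime(epoch):
    """Mirror security_content_ctime (assumed format): epoch seconds to a UTC timestamp string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(CTIME_FORMAT)


def run_detection(events=SAMPLE_EVENTS):
    """Full pipeline: filter, aggregate, format times. Returns result rows ordered by firstTime."""
    results = []
    for key, row in sorted(aggregate(events).items(), key=lambda kv: kv[1]["firstTime"]):
        results.append({**dict(zip(GROUP_BY, key)), "count": row["count"],
                        "firstTime": ctime(row["firstTime"]), "lastTime": ctime(row["lastTime"])})
    return results


if __name__ == "__main__":
    for result in run_detection():
        print(result)
```

Run as-is it prints three rows: the duplicated `Get-ADGroup -Filter *` block with count 2, the lower-case `get-adgroup` block, and the `Get-ADGroupMember` block with `user_id` filled as "0". The 4103 event and the unrelated `Get-ChildItem` block are dropped. If `Get-ADGroupMember` should be handled by a separate analytic, the filter macro at the end of the search (`getadgroup_with_powershell_script_block_filter`) is the place to exclude it, not the wildcard itself.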