Language: SPL. License: Apache-2.0. Source: splunk/security_content.

GetCurrent User with PowerShell Script Block

The following analytic detects calls to the `GetCurrent` method of the `System.Security.Principal.WindowsIdentity` .NET class using PowerShell Script Block Logging (EventCode=4104). This method returns the identity of the Windows user running the current process. The detection matches script block text that references the `WindowsIdentity` class together with a `GetCurrent()` call. This activity is significant because adversaries and Red Teams may use it to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, it could allow attackers to map out user accounts and potentially escalate privileges or move laterally within the network.

Quality: 51
Rule source: detections/endpoint/getcurrent_user_with_powershell_script_block.yml
`powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*"  ScriptBlockText = "*GetCurrent()*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `getcurrent_user_with_powershell_script_block_filter`
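The search above is Splunk SPL and only runs inside Splunk. The Python below is an added illustration, not code from splunk/security_content, that emulates the detection's logic over a handful of constructed 4104 records so the matching rules can be inspected offline: both `ScriptBlockText` wildcard terms must match (case-insensitively, as Splunk compares field values), the EventCode gate excludes other PowerShell events, `fillnull` substitutes "0" for missing grouping fields, and the `stats` step is reduced to `count`, `firstTime` and `lastTime` by `dest` and `user_id` (the real search groups by more fields). The `excluded_dests` parameter is an assumption standing in for the site-specific `getcurrent_user_with_powershell_script_block_filter` macro, whose contents are defined per deployment.

```python
import re

# Constructed sample records (not real telemetry). Each dict stands for one
# PowerShell Script Block Logging event as the Splunk search would see it.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00Z", "dest": "ws01", "user_id": "CORP\\alice",
     "EventCode": 4104, "ScriptBlockId": "a1",
     "ScriptBlockText": "$id = [System.Security.Principal.WindowsIdentity]::GetCurrent(); $id.Name"},
    # Same call in lower case: Splunk wildcard matching is case-insensitive, so it still hits.
    {"_time": "2024-05-01T10:05:00Z", "dest": "ws01", "user_id": "CORP\\alice",
     "EventCode": 4104, "ScriptBlockId": "a2",
     "ScriptBlockText": "[system.security.principal.windowsidentity]::getcurrent().Groups"},
    # References the class but calls a different static method: first term matches, second does not.
    {"_time": "2024-05-01T10:06:00Z", "dest": "ws02", "user_id": "CORP\\bob",
     "EventCode": 4104, "ScriptBlockId": "b1",
     "ScriptBlockText": "[System.Security.Principal.WindowsIdentity]::GetAnonymous()"},
    # Right text, wrong event type: 4103 (module logging) is outside the search's EventCode filter.
    {"_time": "2024-05-01T10:07:00Z", "dest": "ws03", "user_id": "CORP\\carol",
     "EventCode": 4103, "ScriptBlockId": "c1",
     "ScriptBlockText": "[System.Security.Principal.WindowsIdentity]::GetCurrent()"},
    # A match whose user_id field is absent, to show what the fillnull step does.
    {"_time": "2024-05-01T10:08:00Z", "dest": "ws03",
     "EventCode": 4104, "ScriptBlockId": "c2",
     "ScriptBlockText": "whoami; [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value"},
]

# The two ScriptBlockText terms from the search, verbatim.
SEARCH_TERMS = ("*[System.Security.Principal.WindowsIdentity]*", "*GetCurrent()*")


def wildcard_to_regex(term: str) -> re.Pattern:
    """Turn a Splunk wildcard term into a regex: '*' means any run of characters,
    everything else is literal, and the comparison is case-insensitive."""
    body = ".*".join(re.escape(piece) for piece in term.split("*"))
    return re.compile(f"^{body}$", re.IGNORECASE | re.DOTALL)


PATTERNS = tuple(wildcard_to_regex(term) for term in SEARCH_TERMS)


def event_matches(event: dict) -> bool:
    """Base-search emulation: EventCode must be 4104 and both terms must match."""
    if event.get("EventCode") != 4104:
        return False
    text = event.get("ScriptBlockText", "")
    return all(pattern.match(text) for pattern in PATTERNS)


def run_detection(events, excluded_dests=frozenset()):
    """Emulate `stats count min(_time) max(_time) BY dest user_id` over matching events.

    `excluded_dests` is an assumed stand-in for the deployment-specific filter macro
    at the end of the search (hosts an analyst has reviewed and chosen to suppress).
    Rows are keyed by (dest, user_id); firstTime/lastTime keep the raw timestamps,
    which sort chronologically because every sample uses the same ISO-8601 layout.
    """
    rows = {}
    for event in events:
        if not event_matches(event):
            continue
        # `fillnull` replaces missing fields with "0" so grouping keys are never null.
        dest = event.get("dest", "0")
        user = event.get("user_id", "0")
        if dest in excluded_dests:
            continue
        row = rows.setdefault((dest, user), {"count": 0, "firstTime": event["_time"],
                                             "lastTime": event["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], event["_time"])
        row["lastTime"] = max(row["lastTime"], event["_time"])
    return rows


if __name__ == "__main__":
    for (dest, user), row in run_detection(SAMPLE_EVENTS).items():
        print(f"{dest:6} {user:12} count={row['count']} "
              f"first={row['firstTime']} last={row['lastTime']}")
```

Running the block produces one row for ws01/CORP\alice with a count of 2 and one row for ws03 with user_id "0"; the GetAnonymous() block and the 4103 record never reach the stats step, and passing `excluded_dests={"ws03"}` suppresses the second row the way a tuned filter macro would.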