SPL · Apache-2.0 · from splunk/security_content

GetDomainController with PowerShell Script Block

The following analytic detects execution of the `Get-DomainController` cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is part of PowerView, a tool often used for domain enumeration. The detection leverages the logged script block text to identify this specific activity. Monitoring this behavior is crucial because it may indicate an adversary or Red Team performing reconnaissance to map out domain controllers. If confirmed malicious, this activity could lead to further domain enumeration, potentially exposing sensitive information and aiding lateral movement within the network.

Quality: 59 · FP risk: (not rated) · Forks: 0 · Views: 0
Rule source: detections/endpoint/getdomaincontroller_with_powershell_script_block.yml
`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainController*")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `getdomaincontroller_with_powershell_script_block_filter`
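To make the search's logic concrete, the following Python emulates it over a handful of constructed EventCode=4104 records. This is an added example, not code from splunk/security_content: the event dictionaries are invented for illustration, the `BY` clause is reduced to `dest` and `user_id` so the output stays readable, and the `security_content_ctime` macro is approximated as an epoch-to-UTC conversion. It assumes, as Splunk does for field wildcards, that `"*Get-DomainController*"` matches case-insensitively, and it shows two things the search text alone does not: that `fillnull` keeps events with a missing `ScriptBlockText` from erroring out, and that the built-in `Get-ADDomainController` cmdlet and non-4104 events do not fire the rule.

```python
"""Emulation of the Get-DomainController script block search (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of PowerShell Script Block Logging records (EventCode 4104).
# Field names mirror the Splunk search; values are invented for this example.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 4104, "dest": "ws01.corp.local",
     "user_id": "CORP\\alice", "ScriptBlockId": "a1",
     "ScriptBlockText": "Import-Module .\\PowerView.ps1; Get-DomainController -Domain corp.local"},
    {"_time": 1700000120, "EventCode": 4104, "dest": "ws01.corp.local",
     "user_id": "CORP\\alice", "ScriptBlockId": "a2",
     "ScriptBlockText": "get-domaincontroller | select Name"},      # mixed case still matches
    {"_time": 1700000300, "EventCode": 4104, "dest": "srv02.corp.local",
     "user_id": "CORP\\svc_backup", "ScriptBlockId": "b1",
     "ScriptBlockText": "Get-ADDomainController -Filter *"},        # built-in AD module, not PowerView
    {"_time": 1700000400, "EventCode": 4103, "dest": "ws01.corp.local",
     "user_id": "CORP\\alice", "ScriptBlockId": "a3",
     "ScriptBlockText": "Get-DomainController"},                    # wrong EventCode, must be ignored
    {"_time": 1700000500, "EventCode": 4104, "dest": "ws03.corp.local",
     "user_id": "CORP\\bob", "ScriptBlockId": "c1"},                # no ScriptBlockText at all
]


def matches_rule(event):
    """Apply the search's filter: EventCode 4104 plus wildcard match on ScriptBlockText."""
    if event.get("EventCode") != 4104:
        return False
    # `fillnull` in the search: a missing field becomes an empty value rather than an error.
    text = event.get("ScriptBlockText") or ""
    return "get-domaincontroller" in text.lower()   # assumed case-insensitive, as in Splunk


def security_content_ctime(epoch):
    """Approximation of the `security_content_ctime` macro: epoch seconds -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def run_detection(events):
    """Emulate `stats count min(_time) as firstTime max(_time) as lastTime BY dest user_id`."""
    groups = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            groups[(ev["dest"], ev["user_id"])].append(ev["_time"])
    rows = []
    for (dest, user_id), times in sorted(groups.items()):
        rows.append({
            "dest": dest,
            "user_id": user_id,
            "count": len(times),
            "firstTime": security_content_ctime(min(times)),
            "lastTime": security_content_ctime(max(times)),
        })
    return rows


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it yields a single row for `ws01.corp.local` / `CORP\alice` with `count` 2; the `Get-ADDomainController` event, the 4103 event and the record without script text all drop out, which is the behaviour the search's filter and `fillnull` give you in Splunk. The real rule's wider `BY` list (one row per `ScriptBlockId`, `Path`, `ProcessID`, and so on) preserves more triage context at the cost of more rows per host.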