Language: SPL. License: Apache-2.0. From splunk/security_content.

GetLocalUser with PowerShell Script Block

The following analytic detects execution of the `Get-LocalUser` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet lists all local user accounts on a system. The detection matches on the script block text recorded in PowerShell logs to identify this activity. Monitoring this behavior is significant because adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, enabling attackers to identify potential targets for privilege escalation or lateral movement.

Rule source: detections/endpoint/getlocaluser_with_powershell_script_block.yml
`powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `getlocaluser_with_powershell_script_block_filter`
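To show what the search above matches and what it aggregates, here is an added Python emulation of the detection logic run over a few constructed 4104/4103 events; this is example code, not part of the page or of splunk/security_content, the sample events, hostnames and user names are made up, and only the `dest`/`user_id` grouping fields are emulated. The wildcard, case-insensitive match and the EventCode filter follow Splunk's SPL semantics.

```python
import re
from datetime import datetime

# Constructed sample events (not real logs); field names mirror the SPL's BY clause.
SAMPLE_EVENTS = [
    {"_time": "2024-05-01T10:00:00+00:00", "EventCode": 4104, "dest": "ws01.corp.example",
     "user_id": "CORP\\alice", "ScriptBlockId": "b1",
     "ScriptBlockText": "Get-LocalUser | Select-Object Name,Enabled"},
    {"_time": "2024-05-01T10:05:00+00:00", "EventCode": 4104, "dest": "ws01.corp.example",
     "user_id": "CORP\\alice", "ScriptBlockId": "b2",
     "ScriptBlockText": "get-localuser -Name Administrator"},   # case differs, still matches
    {"_time": "2024-05-01T10:07:00+00:00", "EventCode": 4104, "dest": "ws02.corp.example",
     "user_id": "CORP\\svc_backup", "ScriptBlockId": "b3",
     "ScriptBlockText": "Get-Service -Name Spooler"},           # benign, no match
    {"_time": "2024-05-01T10:09:00+00:00", "EventCode": 4103, "dest": "ws02.corp.example",
     "user_id": "CORP\\bob", "ScriptBlockId": "b4",
     "ScriptBlockText": "Get-LocalUser"},                       # module-logging event, wrong EventCode
]

def spl_wildcard_to_regex(pattern):
    """Splunk '*' matches any run of characters; field matches are case-insensitive."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def detect_get_localuser(events, pattern="*Get-LocalUser*"):
    """Emulate: EventCode=4104 ScriptBlockText="*Get-LocalUser*"
    | stats count min(_time) as firstTime max(_time) as lastTime BY dest user_id.
    Returns {(dest, user_id): {"count", "firstTime", "lastTime"}}."""
    rx = spl_wildcard_to_regex(pattern)
    groups = {}
    for ev in events:
        if ev.get("EventCode") != 4104 or not rx.match(ev.get("ScriptBlockText", "")):
            continue
        t = datetime.fromisoformat(ev["_time"])
        # `fillnull` defaults missing grouping fields to "0" so the row is not dropped by stats.
        key = (ev.get("dest", "0"), ev.get("user_id", "0"))
        g = groups.setdefault(key, {"count": 0, "firstTime": t, "lastTime": t})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], t)
        g["lastTime"] = max(g["lastTime"], t)
    return {k: {"count": g["count"], "firstTime": g["firstTime"].isoformat(),
                "lastTime": g["lastTime"].isoformat()} for k, g in groups.items()}
```

In real data a long script is logged as several 4104 fragments that share one ScriptBlockId, and the search matches each fragment independently, so one script can produce several rows per host and user.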