← Library
splApache-2.0from splunk/security_content

GetWmiObject User Account with PowerShell Script Block

The following analytic detects the execution of the `Get-WmiObject` commandlet with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages script block text to identify when a list of all local users is being enumerated. This activity is significant as it may indicate an adversary or Red Team operation attempting to gather user information for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.

Quality
51
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/getwmiobject_user_account_with_powershell_script_block.yml
`powershell` EventCode=4104 (ScriptBlockText="*Get-WmiObject*" AND ScriptBlockText="*Win32_UserAccount*")
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `getwmiobject_user_account_with_powershell_script_block_filter`