SPL · Apache-2.0 · from splunk/security_content

Windows Account Discovery With NetUser PreauthNotRequire

The following analytic detects execution of the PowerView PowerShell cmdlet Get-NetUser with the -PreauthNotRequire parameter, using PowerShell Script Block Logging (Event ID 4104). This cmdlet invocation queries Active Directory for user accounts that do not require Kerberos preauthentication. Monitoring this activity is important because it can indicate reconnaissance by an attacker looking for potentially vulnerable accounts. If confirmed malicious, this behavior could lead to further exploitation, such as unauthorized access or privilege escalation within the network.

Rule source: detections/endpoint/windows_account_discovery_with_netuser_preauthnotrequire.yml
`powershell` EventCode=4104  ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*-PreauthNotRequire*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_account_discovery_with_netuser_preauthnotrequire_filter`
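To make the search's matching and aggregation concrete, the following is an added, stand-alone re-implementation in Python run over constructed Event ID 4104 records; it is not code from splunk/security_content. The sample records, the reduced BY-field list, and the case-insensitive wildcard matching of ScriptBlockText are assumptions modelled on the SPL above.

```python
import fnmatch
from collections import defaultdict

# Constructed sample records shaped like `powershell` EventCode=4104 events (not real logs).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": "4104", "dest": "ws01", "user_id": "alice",
     "ScriptBlockText": "Get-NetUser -PreauthNotRequire | select samaccountname"},
    {"_time": 1700000060, "EventCode": "4104", "dest": "ws01", "user_id": "alice",
     "ScriptBlockText": "get-netuser -preauthnotrequire -Domain corp.local"},
    {"_time": 1700000120, "EventCode": "4104", "dest": "ws02", "user_id": "bob",
     "ScriptBlockText": "Get-NetUser -SPN"},              # PowerView, but not the preauth query
    {"_time": 1700000180, "EventCode": "4103", "dest": "ws03", "user_id": "carol",
     "ScriptBlockText": "Get-NetUser -PreauthNotRequire"},  # wrong EventCode, must not match
]

# The two ScriptBlockText wildcard terms from the search; both must match (implicit AND).
PATTERNS = ("*Get-NetUser*", "*-PreauthNotRequire*")
# Reduced stand-in for the search's BY clause (assumption: two of its fields).
GROUP_BY = ("dest", "user_id")


def matches(event):
    """EventCode=4104 AND every wildcard pattern matches ScriptBlockText.

    Assumption: Splunk field-value matching is case-insensitive, so both sides are lowercased.
    """
    if event.get("EventCode") != "4104":
        return False
    text = event.get("ScriptBlockText", "").lower()
    return all(fnmatch.fnmatchcase(text, p.lower()) for p in PATTERNS)


def detect(events):
    """Mirror `| fillnull | stats count min(_time) as firstTime max(_time) as lastTime BY ...`."""
    groups = defaultdict(list)
    for ev in events:
        if matches(ev):
            key = tuple(ev.get(f, "") for f in GROUP_BY)   # fillnull: missing field -> ""
            groups[key].append(ev["_time"])
    return [{"dest": k[0], "user_id": k[1], "count": len(t),
             "firstTime": min(t), "lastTime": max(t)}
            for k, t in sorted(groups.items())]


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)   # one aggregated row for ws01/alice with count 2
```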