splApache-2.0from splunk/security_content

Windows Forest Discovery with GetForestDomain

The following analytic detects the execution of the `Get-ForestDomain` cmdlet, a component of the PowerView toolkit used for Windows domain enumeration. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Detecting `Get-ForestDomain` is significant because adversaries and Red Teams use it to gather detailed information about Active Directory forest and domain configurations. If confirmed malicious, this activity could enable attackers to understand the domain structure, facilitating lateral movement or privilege escalation within the environment.

Quality

FP risk

—

Forks

Views

Rule sourcedetections/endpoint/windows_forest_discovery_with_getforestdomain.yml

`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `windows_forest_discovery_with_getforestdomain_filter`