Elevated Group Discovery with PowerView

Name:Elevated Group Discovery with PowerView
id:10d62950-0de5-4199-a710-cff9ea79b413
version:4
date:2024-10-17
author:Mauricio Velazco, Splunk
status:production
type:Hunting
Description:The following analytic detects the execution of the `Get-DomainGroupMember` cmdlet from PowerView, identified through PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate members of elevated domain groups such as Domain Admins and Enterprise Admins. Monitoring this activity is crucial as it indicates potential reconnaissance efforts by adversaries to identify high-privileged users within the domain. If confirmed malicious, this activity could lead to targeted attacks on privileged accounts, facilitating further compromise and lateral movement within the network.
Data_source:

• -Powershell Script Block Logging 4104

search:`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroupMember*") AND ScriptBlockText IN ("*Domain Admins*","*Enterprise Admins*", "*Schema Admins*", "*Account Operators*" , "*Server Operators*", "*Protected Users*", "*Dns Admins*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest, UserID as user
| `security_content_ctime(firstTime)`
| `elevated_group_discovery_with_powerview_filter`

how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives:Administrators or power users may use this PowerView for troubleshooting.
References:
  -https://attack.mitre.org/techniques/T1069/002/
  -https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainGroupMember/
  -https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory
  -https://attack.mitre.org/techniques/T1069/002/
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Active Directory Discovery'
  asset_type:Endpoint
  confidence:70
  impact:30
  message:Elevated group discovery using PowerView on $dest$ by $user$
  mitre_attack_id:
    - 'T1069'
    - 'T1069.002'
  observable:
    name:'dest'
    type:'Endpoint'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'EventCode'
    - 'ScriptBlockText'
    - 'Computer'
    - 'UserID'
  risk_score:21
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml-powerview.log
  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
  sourcetype: XmlWinEventLog
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-xml.log
  source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  sourcetype: XmlWinEventLog
manual_test:None