Get-DomainTrust with PowerShell Script Block

Name:Get-DomainTrust with PowerShell Script Block
id:89275e7e-0548-11ec-bf75-acde48001122
version:6
date:2024-11-13
author:Michael Haag, Splunk
status:production
type:TTP
Description:The following analytic detects the execution of the Get-DomainTrust command from PowerView using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, allowing for detailed inspection. Identifying this activity is significant because it may indicate an attempt to gather domain trust information, which is often a precursor to lateral movement or privilege escalation. If confirmed malicious, this activity could enable an attacker to map trust relationships within the domain, potentially leading to further exploitation and compromise of additional systems.
Data_source:

• -Powershell Script Block Logging 4104

search:`powershell` EventCode=4104 ScriptBlockText = "*get-domaintrust*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `get_domaintrust_with_powershell_script_block_filter`

how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives:It is possible certain system management frameworks utilize this command to gather trust information.
References:
  -https://blog.harmj0y.net/redteaming/a-guide-to-attacking-domain-trusts/
  -https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
  -https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
  -https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
  -https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
drilldown_searches:
 name:'View the detection results for - "$user_id$" and "$dest$"'
 search:'%original_detection_search% | search user_id = "$user_id$" dest = "$dest$"'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
 name:'View risk events for the last 7 days for - "$user_id$" and "$dest$"'
 search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_id$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
 earliest_offset:'$info_min_time$'
 latest_offset:'$info_max_time$'
tags:
  analytic_story:
    - 'Active Directory Discovery'
  asset_type:Endpoint
  mitre_attack_id:
    - 'T1482'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/domaintrust.log
  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
  sourcetype: XmlWinEventLog
manual_test:None