GetAdGroup with PowerShell Script Block

Name:GetAdGroup with PowerShell Script Block
id:e4c73d68-794b-468d-b4d0-dac1772bbae7
version:4
date:2024-10-17
author:Mauricio Velazco, Splunk
status:production
type:Hunting
Description:The following analytic detects the execution of the `Get-AdGroup` PowerShell cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet is used to enumerate all domain groups, which adversaries may exploit for situational awareness and Active Directory discovery. Monitoring this activity is crucial as it can indicate reconnaissance efforts within the network. If confirmed malicious, this behavior could lead to further exploitation, such as privilege escalation or lateral movement, by providing attackers with detailed information about the domain's group structure.
Data_source:

• -Powershell Script Block Logging 4104

search:`powershell` EventCode=4104 ScriptBlockText = "*Get-ADGroup*"
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| rename Computer as dest, UserID as user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `getadgroup_with_powershell_script_block_filter`

how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives:Administrators or power users may use this PowerShell commandlet for troubleshooting.
References:
  -https://attack.mitre.org/techniques/T1069/002/
  -https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-adgroup?view=windowsserver2019-ps
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Active Directory Discovery'
  asset_type:Endpoint
  confidence:50
  impact:30
  message:Domain group discovery enumeration using PowerShell on $dest$ by $user$
  mitre_attack_id:
    - 'T1069'
    - 'T1069.002'
  observable:
    name:'dest'
    type:'Endpoint'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'EventCode'
    - 'Message'
    - 'Computer'
    - 'UserID'
  risk_score:15
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1069.002/AD_discovery/windows-powershell-xml.log
  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
  sourcetype: XmlWinEventLog
manual_test:None