GetCurrent User with PowerShell Script Block

Original Source: [splunk source]
Name:GetCurrent User with PowerShell Script Block
id:80879283-c30f-44f7-8471-d1381f6d437a
version:6
date:2024-11-13
author:Mauricio Velazco, Splunk
status:production
type:Hunting
Description:The following analytic detects the execution of the `GetCurrent` method from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). This method identifies the current Windows user. The detection leverages PowerShell script block logs to identify when this method is called. This activity is significant because adversaries and Red Teams may use it to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this could allow attackers to map out user accounts and potentially escalate privileges or move laterally within the network.
Data_source:
  • -Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*" ScriptBlockText = "*GetCurrent()*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `getcurrent_user_with_powershell_script_block_filter`

how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives:Administrators or power users may use this PowerShell commandlet for troubleshooting.
References:
  -https://attack.mitre.org/techniques/T1033/
   -https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.getcurrent?view=net-6.0&viewFallbackFrom=net-5.0
 drilldown_searches:
  :
tags:
  analytic_story:
    - 'Active Directory Discovery'
  asset_type:Endpoint
  mitre_attack_id:
    - 'T1033'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  security_domain:endpoint

tests:
name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log
  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
  sourcetype: XmlWinEventLog
manual_test:None

Related Analytic Stories


Active Directory Discovery

© 2024 DetectionCode Website. All Rights Reserved.