GetLocalUser with PowerShell Script Block

Name:GetLocalUser with PowerShell Script Block
id:2e891cbe-0426-11ec-9c9c-acde48001122
version:4
date:2024-10-17
author:Mauricio Velazco, Splunk
status:production
type:Hunting
Description:The following analytic detects the execution of the `Get-LocalUser` PowerShell commandlet using PowerShell Script Block Logging (EventCode=4104). This commandlet lists all local users on a system. The detection leverages script block text from PowerShell logs to identify this activity. Monitoring this behavior is significant as adversaries and Red Teams may use it to enumerate local users for situational awareness and Active Directory discovery. If confirmed malicious, this activity could lead to further reconnaissance, enabling attackers to identify potential targets for privilege escalation or lateral movement.
Data_source:

• -Powershell Script Block Logging 4104

search:`powershell` EventCode=4104 (ScriptBlockText = "*Get-LocalUser*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer user_id
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `getlocaluser_with_powershell_script_block_filter`

how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives:Administrators or power users may use this PowerShell commandlet for troubleshooting.
References:
  -https://attack.mitre.org/techniques/T1087/001/
  -https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Active Directory Discovery'
    - 'Malicious PowerShell'
  asset_type:Endpoint
  confidence:50
  impact:30
  message:Local user discovery enumeration using PowerShell on $Computer$ by $user$
  mitre_attack_id:
    - 'T1087'
    - 'T1087.001'
    - 'T1059.001'
  observable:
    name:'Computer'
    type:'Endpoint'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'EventCode'
    - 'ScriptBlockText'
    - 'Computer'
    - 'UserID'
  risk_score:15
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.001/AD_discovery/windows-powershell-xml.log
  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
  sourcetype: XmlWinEventLog
manual_test:None