Name:GetWmiObject Ds Computer with PowerShell Script Block id:29b99201-723c-4118-847a-db2b3d3fb8ea version:4 date:2024-09-30 author:Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic detects the execution of the `Get-WmiObject` cmdlet with the `DS_Computer` class parameter via PowerShell Script Block Logging (EventCode=4104). This detection leverages script block text to identify queries targeting domain computers using WMI. Monitoring this activity is crucial as adversaries and Red Teams may use it for Active Directory Discovery and situational awareness. If confirmed malicious, this behavior could allow attackers to map out domain computers, facilitating further attacks such as lateral movement or privilege escalation. Data_source:
-Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_computer*") | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `getwmiobject_ds_computer_with_powershell_script_block_filter`
how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell. known_false_positives:Administrators or power users may use this PowerShell commandlet for troubleshooting. References: -https://attack.mitre.org/techniques/T1018/ -https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1 drilldown_searches: name:'View the detection results for - "$Computer$"' search:'%original_detection_search% | search Computer = "$Computer$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$Computer$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Active Directory Discovery' asset_type:Endpoint confidence:50 impact:30 message:Remote system discovery enumeration on $Computer$ by $UserID$ mitre_attack_id: - 'T1018' observable: name:'Computer' type:'Endpoint' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'ScriptBlockText' - 'Opcode' - 'Computer' - 'UserID' - 'EventCode' risk_score:15 security_domain:endpoint
