GetWmiObject User Account with PowerShell Script Block

Name:GetWmiObject User Account with PowerShell Script Block
id:640b0eda-0429-11ec-accd-acde48001122
version:4
date:2024-10-17
author:Mauricio Velazco, Splunk
status:production
type:Hunting
Description:The following analytic detects the execution of the `Get-WmiObject` commandlet with the `Win32_UserAccount` parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages script block text to identify when a list of all local users is being enumerated. This activity is significant as it may indicate an adversary or Red Team operation attempting to gather user information for situational awareness and Active Directory discovery. If confirmed malicious, this could lead to further reconnaissance, privilege escalation, or lateral movement within the network.
Data_source:

• -Powershell Script Block Logging 4104

search:`powershell` EventCode=4104 (ScriptBlockText="*Get-WmiObject*" AND ScriptBlockText="*Win32_UserAccount*")
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID
| `security_content_ctime(firstTime)`
| `getwmiobject_user_account_with_powershell_script_block_filter`

how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives:Administrators or power users may use this PowerShell commandlet for troubleshooting.
References:
  -https://attack.mitre.org/techniques/T1087/001/
  -https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Winter Vivern'
    - 'Active Directory Discovery'
    - 'Malicious PowerShell'
  asset_type:Endpoint
  confidence:50
  impact:30
  message:Local user discovery enumeration using PowerShell on $Computer$ by $UserID$
  mitre_attack_id:
    - 'T1087'
    - 'T1087.001'
    - 'T1059.001'
  observable:
    name:'Computer'
    type:'Endpoint'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'EventCode'
    - 'ScriptBlockText'
    - 'Computer'
    - 'UserID'
  risk_score:15
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log
  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
  sourcetype: XmlWinEventLog
manual_test:None