Powershell Get LocalGroup Discovery with Script Block Logging

Name:Powershell Get LocalGroup Discovery with Script Block Logging
id:d7c6ad22-155c-11ec-bb64-acde48001122
version:4
date:2024-10-17
author:Michael Haag, Splunk
status:production
type:Hunting
Description:The following analytic detects the execution of the PowerShell cmdlet `get-localgroup` using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into script execution. Monitoring this activity is significant as it can indicate an attempt to enumerate local groups, which may be a precursor to privilege escalation or lateral movement. If confirmed malicious, an attacker could gain insights into group memberships, potentially leading to unauthorized access or privilege abuse. Review parallel processes and the entire script block for comprehensive analysis.
Data_source:

• -Powershell Script Block Logging 4104

search:`powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*"
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText
| rename Computer as dest, UserID as user
| `security_content_ctime(firstTime)` |`security_content_ctime(lastTime)`
| `powershell_get_localgroup_discovery_with_script_block_logging_filter`

how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives:False positives may be present. Tune as needed.
References:
  -https://www.splunk.com/en_us/blog/security/powershell-detections-threat-research-release-august-2021.html
  -https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
  -https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell
  -https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
  -https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
  -https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
drilldown_searches:
  :
tags:
  analytic_story:
    - 'Active Directory Discovery'
  asset_type:Endpoint
  confidence:50
  impact:30
  message:Local group discovery on endpoint $dest$ by user $user$.
  mitre_attack_id:
    - 'T1069'
    - 'T1069.001'
  observable:
    name:'dest'
    type:'Endpoint'
    - role:
      - 'Victim'
    name:'user'
    type:'User'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  required_fields:
    - '_time'
    - 'ScriptBlockText'
    - 'Opcode'
    - 'Computer'
    - 'UserID'
    - 'EventCode'
  risk_score:15
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/getlocalgroup.log
  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
  sourcetype: XmlWinEventLog
manual_test:None