Windows Account Discovery With NetUser PreauthNotRequire

Name:Windows Account Discovery With NetUser PreauthNotRequire
id:cf056b65-44b2-4d32-9172-d6b6f081a376
version:3
date:2024-10-17
author:Teoderick Contreras, Splunk
status:production
type:Hunting
Description:The following analytic detects the execution of the PowerView PowerShell cmdlet Get-NetUser with the -PreauthNotRequire parameter, leveraging Event ID 4104. This method identifies attempts to query Active Directory user accounts that do not require Kerberos preauthentication. Monitoring this activity is crucial as it can indicate reconnaissance efforts by an attacker to identify potentially vulnerable accounts. If confirmed malicious, this behavior could lead to further exploitation, such as unauthorized access or privilege escalation within the network.
Data_source:

• -Powershell Script Block Logging 4104

search:`powershell` EventCode=4104 ScriptBlockText = "*Get-NetUser*" ScriptBlockText = "*-PreauthNotRequire*"
| rename Computer as dest, UserID as user
| stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText dest user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_account_discovery_with_netuser_preauthnotrequire_filter`

how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.=
known_false_positives:Administrators may leverage PowerView for legitimate purposes, filter as needed.
References:
  -https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
drilldown_searches:
  :
tags:
  analytic_story:
    - 'CISA AA23-347A'
  asset_type:Endpoint
  confidence:50
  impact:30
  message:A user dicovery using powerview commandlet Get-NetUser with PreauthNotRequire parameter on $dest$.
  mitre_attack_id:
    - 'T1087'
  observable:
    name:'dest'
    type:'Hostname'
    - role:
      - 'Victim'
  product:
    - 'Splunk Enterprise'
    - 'Splunk Enterprise Security'
    - 'Splunk Cloud'
  risk_score:15
  required_fields:
    - '_time'
    - 'ScriptBlockText'
    - 'dest'
    - 'EventCode'
    - 'user'
  security_domain:endpoint

tests:
 name:'True Positive Test'
 attack_data:
  data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087/powerview_get_netuser_preauthnotrequire/get-netuser-not-require-pwh.log
  source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
  sourcetype: XmlWinEventLog
manual_test:None