Name:Windows PowerView AD Access Control List Enumeration id:39405650-c364-4e1e-a740-32a63ef042a6 version:4 date:2024-09-30 author:Mauricio Velazco, Splunk status:production type:TTP Description:The following analytic detects the execution of PowerView PowerShell cmdlets `Get-ObjectAcl` or `Get-DomainObjectAcl`, which are used to enumerate Access Control List (ACL) permissions for Active Directory objects. It leverages Event ID 4104 from PowerShell Script Block Logging to identify this activity. This behavior is significant as it may indicate an attempt to discover weak permissions in Active Directory, potentially leading to privilege escalation. If confirmed malicious, attackers could exploit these permissions to gain unauthorized access or escalate their privileges within the network. Data_source:
-Powershell Script Block Logging 4104
search:`powershell` EventCode=4104 (ScriptBlockText=*get-objectacl* OR ScriptBlockText=*Get-DomainObjectAcl* ) | stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_powerview_ad_access_control_list_enumeration_filter`
how_to_implement:To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.= known_false_positives:Administrators may leverage PowerView for legitimate purposes, filter as needed. References: -https://attack.mitre.org/techniques/T1078/002/ -https://medium.com/r3d-buck3t/enumerating-access-controls-in-active-directory-c06e2efa8b89 -https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces -https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainObjectAcl/ drilldown_searches: name:'View the detection results for - "$Computer$"' search:'%original_detection_search% | search Computer = "$Computer$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$Computer$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$Computer$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Active Directory Discovery' - 'Active Directory Privilege Escalation' - 'Rhysida Ransomware' asset_type:Endpoint confidence:50 impact:40 message:PowerView AD acccess control list enumeration detected on $Computer$ mitre_attack_id: - 'T1078.002' - 'T1069' observable: name:'Computer' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'EventCode' - 'ScriptBlockText' - 'Opcode' - 'UserID' risk_score:20 security_domain:endpoint
