| ID | Technique | Tactic |
|---|---|---|
| T1069 | Permission Groups Discovery | Discovery |
| T1069.002 | Domain Groups | Discovery |
Detection: GetWmiObject Ds Group with PowerShell Script Block
Description
The following analytic detects the execution of the Get-WmiObject commandlet with the DS_Group parameter via PowerShell Script Block Logging (EventCode=4104). This method leverages WMI to query all domain groups. Monitoring this activity is crucial as adversaries and Red Teams may use it for domain group enumeration, aiding in situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to map out the domain structure, potentially leading to further exploitation and privilege escalation within the network.
Search
1`powershell` EventCode=4104 (ScriptBlockText=*Get-WmiObject* AND ScriptBlockText="*namespace root\\directory\\ldap*" AND ScriptBlockText="*class ds_group*")
2| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText
3| rename Computer as dest
4| rename UserID as user
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7|`getwmiobject_ds_group_with_powershell_script_block_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Powershell Script Block Logging 4104 |  Windows |
'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-PowerShell/Operational' |
Macros Used
| Name | Value |
|---|---|
| powershell | (source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational") |
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.EXPLOITAITON
NistCategory.DE_CM
Cis18Value.CIS_10
APT3
APT41
FIN13
TA505
Volt Typhoon
Dragonfly
FIN7
INC Ransom
Inception
Ke3chang
LAPSUS$
OilRig
ToddyCat
Turla
Volt Typhoon
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
Known False Positives
Administrators or power users may use this PowerShell commandlet for troubleshooting.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| Domain group discovery enumeration using PowerShell on $dest$ by $user$ | 15 | 30 | 50 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
XmlWinEventLog |
| Integration | ✅ Passing | Dataset | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
XmlWinEventLog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 4