Detection: Powershell Get LocalGroup Discovery with Script Block Logging

Description

The following analytic detects the execution of the PowerShell cmdlet get-localgroup using PowerShell Script Block Logging (EventCode=4104). This method captures the full command sent to PowerShell, providing detailed visibility into script execution. Monitoring this activity is significant as it can indicate an attempt to enumerate local groups, which may be a precursor to privilege escalation or lateral movement. If confirmed malicious, an attacker could gain insights into group memberships, potentially leading to unauthorized access or privilege abuse. Review parallel processes and the entire script block for comprehensive analysis.

1`powershell` EventCode=4104 ScriptBlockText = "*get-localgroup*" 
2| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText  
3| rename Computer as dest, UserID as user 
4| `security_content_ctime(firstTime)` 
5|`security_content_ctime(lastTime)` 
6| `powershell_get_localgroup_discovery_with_script_block_logging_filter`

Data Source

Name Platform Sourcetype Source
Powershell Script Block Logging 4104 Windows icon Windows 'xmlwineventlog' 'XmlWinEventLog:Microsoft-Windows-PowerShell/Operational'

Macros Used

Name Value
powershell (source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational")
powershell_get_localgroup_discovery_with_script_block_logging_filter search *
powershell_get_localgroup_discovery_with_script_block_logging_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1069 Permission Groups Discovery Discovery
T1069.001 Local Groups Discovery
KillChainPhase.EXPLOITAITON
NistCategory.DE_AE
Cis18Value.CIS_10
APT3
APT41
FIN13
TA505
Volt Typhoon
Chimera
HEXANE
OilRig
Tonto Team
Turla
Volt Typhoon
admin@338

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event False
This configuration file applies to all detections of type hunting.

Implementation

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.

Known False Positives

False positives may be present. Tune as needed.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
Local group discovery on endpoint $dest$ by user $user$. 15 30 50
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Passing N/A N/A N/A
Unit Passing Dataset XmlWinEventLog:Microsoft-Windows-PowerShell/Operational XmlWinEventLog
Integration ✅ Passing Dataset XmlWinEventLog:Microsoft-Windows-PowerShell/Operational XmlWinEventLog

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 4