Detection: GetWmiObject DS User with PowerShell Script Block

Updated Date: 2026-05-13 ID: fabd364e-04f3-11ec-b34b-acde48001122 Author: Teoderick Contreras, Mauricio Velazco, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects the execution of the Get-WmiObject cmdlet with the DS_User class parameter via PowerShell Script Block Logging (EventCode=4104). It leverages logs to identify attempts to query all domain users using WMI. This activity is significant as it may indicate an adversary or Red Team operation attempting to enumerate domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance, enabling attackers to map out the network and identify potential targets for privilege escalation or lateral movement.

Search

1`powershell` EventCode=4104 ScriptBlockText = "*get-wmiobject*" ScriptBlockText = "*ds_user*" ScriptBlockText = "*-namespace*" ScriptBlockText = "*root\\directory\\ldap*" 
2| fillnull 
3| stats count min(_time) as firstTime max(_time) as lastTime by dest signature signature_id user_id vendor_product EventID Guid Opcode Name Path ProcessID ScriptBlockId ScriptBlockText 
4| `security_content_ctime(firstTime)` 
5| `security_content_ctime(lastTime)` 
6| `getwmiobject_ds_user_with_powershell_script_block_filter`

Data Source

Name	Platform	Sourcetype	Source
Powershell Script Block Logging 4104	Windows	`'XmlWinEventLog'`	`'XmlWinEventLog:Microsoft-Windows-PowerShell/Operational'`

Macros Used

Name	Value
powershell	`(source=WinEventLog:Microsoft-Windows-PowerShell/Operational OR source="XmlWinEventLog:Microsoft-Windows-PowerShell/Operational" OR source=WinEventLog:PowerShellCore/Operational OR source="XmlWinEventLog:PowerShellCore/Operational")`
getwmiobject_ds_user_with_powershell_script_block_filter	`search *`

getwmiobject_ds_user_with_powershell_script_block_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1087.002	Domain Account	Discovery

Exploitation

DE.CM

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Finding (Notable)	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Intermediate Finding (Risk Event)	Yes

TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.

Implementation

The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.

Known False Positives

Administrators or power users may use this command for troubleshooting.

Associated Analytic Story

Active Directory Discovery

Finding

Title	Entity Field	Entity Type	Risk Score
powershell process having commandline for user enumeration detected on host - $dest$	user_id	user	50

Intermediate Findings

Message	Entity Field	Entity Type	Risk Score
powershell process having commandline for user enumeration detected on host - $dest$	dest	system	50

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 12