Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser

Try in Splunk Security Cloud

Description

The following analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the execution of the Get-ADUser commandlet with specific parameters. Get-ADUser is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, Get-ADUser is used to query for domain users. With the appropiate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled.\ Red Teams and adversaries alike use may abuse Get-ADUSer to enumerate these accounts and attempt to crack their passwords offline.

• Type: TTP
• Product: Splunk Behavioral Analytics
• Datamodel: Endpoint_Processes
• Last Updated: 2022-11-14
• Author: Michael Haag, Splunk
• ID: d57b4d91-fc91-4482-a325-47693cced1eb

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1558	Steal or Forge Kerberos Tickets	Credential Access

T1558.004

AS-REP Roasting

Credential Access

Kill Chain Phase

• Exploitation

NIST

• DE.CM

CIS20

• CIS 3
• CIS 5
• CIS 16

CVE

Search

| from read_ssa_enriched_events() 
| eval timestamp=parse_long(ucast(map_get(input_event, "_time"), "string", null)), cmd_line=lower(ucast(map_get(input_event, "process"), "string", null)), process_name=lower(ucast(map_get(input_event, "process_name"), "string", null)), process_path=ucast(map_get(input_event, "process_path"), "string", null), parent_process_name=ucast(map_get(input_event, "parent_process_name"), "string", null), event_id=ucast(map_get(input_event, "event_id"), "string", null) 
| where cmd_line IS NOT NULL AND process_name IS NOT NULL 
| where (like (cmd_line, "%get-aduser%") AND like (cmd_line, "%4194304%")) 
| eval start_time=timestamp, end_time=timestamp, entities=mvappend(ucast(map_get(input_event, "dest_user_id"), "string", null), ucast(map_get(input_event, "dest_device_id"), "string", null)), body=create_map(["event_id", event_id, "cmd_line", cmd_line, "process_name", process_name, "parent_process_name", parent_process_name, "process_path", process_path]) 
| into write_ssa_detected_events();

Macros

The SPL above uses the following Macros:

windows_powershell_disabled_kerberos_pre-authentication_discovery_get-aduser_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• dest_device_id
• process_name
• parent_process_name
• process_path
• dest_user_id
• process
• cmd_line

How To Implement

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.

Known False Positives

Administrators or power users may use search for accounts with Kerberos Pre Authentication disabled for legitimate purposes.

Associated Analytic Story

• Active Directory Kerberos Attacks

RBA

Risk Score	Impact	Confidence	Message
54.0	60	90	Disabled Kerberos Pre-Authentication Discovery With Get-ADUser from $dest_device_id$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1558/004/
• https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
• https://stealthbits.com/blog/cracking-active-directory-passwords-with-as-rep-roasting/

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

• https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1558.004/getaduser/windows-powershell.log

source | version: 1