Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Suspicious Get-ADReplAccount

The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
François HubautCreated Sun Feb 06060c3ef1-fd0a-4091-bf46-e7d625f60b73windows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
Detection Logic1 selector
detection:
    selection:
        ScriptBlockText|contains|all:
            - Get-ADReplAccount
            - '-All '
            - '-Server '
    condition: selection
False Positives

Legitimate PowerShell scripts

References
1
Resolving title…
powershellgallery.com
2
Resolving title…
github.com
MITRE ATT&CK

Sub-techniques

T1003.006 · DCSync
Rule Metadata
Rule ID
060c3ef1-fd0a-4091-bf46-e7d625f60b73
Status
test
Level
medium
Type
Detection
Created
Sun Feb 06
Author
François Hubaut
Path
rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
Raw Tags
attack.credential-accessattack.t1003.006
View on GitHub