Detectionlowtest
AD Groups Or Users Enumeration Using PowerShell - PoshModule
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsPowerShell Module
ProductWindows← raw: windows
CategoryPowerShell Module← raw: ps_module
Definition
0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
Detection Logic
Detection Logic2 selectors
detection:
selection_ad_principal:
- Payload|contains: 'get-ADPrincipalGroupMembership'
- ContextInfo|contains: 'get-ADPrincipalGroupMembership'
selection_get_aduser:
- Payload|contains|all:
- get-aduser
- '-f '
- '-pr '
- DoesNotRequirePreAuth
- ContextInfo|contains|all:
- get-aduser
- '-f '
- '-pr '
- DoesNotRequirePreAuth
condition: 1 of selection_*False Positives
Administrator script
References
MITRE ATT&CK
Tactics
Sub-techniques
Rule Metadata
Rule ID
815bfc17-7fc6-4908-a55e-2f37b98cedb4
Status
test
Level
low
Type
Detection
Created
Wed Dec 15
Modified
Fri Jan 20
Author
Path
rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml
Raw Tags
attack.discoveryattack.t1069.001