Type: Detection | Level: medium | Status: test

Get-ADUser Enumeration Using UserAccountControl Flags

Detects PowerShell Get-ADUser enumeration of accounts that have the DONT_REQ_PREAUTH flag set in userAccountControl, the reconnaissance step that precedes AS-REP roasting. AS-REP roasting is an often-overlooked attack; it is not very common, because an account only becomes vulnerable when it has been explicitly configured not to require Kerberos pre-authentication.

Author: François Hubaut
Created: Thu Mar 17
Rule ID: 96c982fe-3d08-4df4-bed2-eb14e02f21c8
Product: windows

Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

Requirements: Script Block Logging must be enabled

Detection Logic (1 selector)
detection:
    selection:
        # 4194304 DONT_REQ_PREAUTH
        ScriptBlockText|contains|all:
            - 'Get-ADUser'
            - '-Filter'
            - 'useraccountcontrol'
            - '-band'
            - '4194304'
    condition: selection
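The selector above is a Sigma `contains|all` match: every listed substring must appear in the ScriptBlockText of a 4104 script block event, and Sigma string matching is case-insensitive. The following is an added example, not part of the rule or of the Sigma project, that evaluates that selection over a handful of constructed script block events so the behaviour can be checked before the rule is deployed. It also shows an extended variant (a local assumption, not the rule's own logic) that accepts the hexadecimal spelling 0x400000 of the same DONT_REQ_PREAUTH bit, since the rule's literal token '4194304' only covers the decimal form.

```python
"""Evaluate the Sigma selection for Get-ADUser DONT_REQ_PREAUTH enumeration
over constructed PowerShell script block events (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Literal tokens from the rule's ScriptBlockText|contains|all selection.
REQUIRED_TOKENS: Sequence[str] = (
    "Get-ADUser", "-Filter", "useraccountcontrol", "-band", "4194304",
)

# Spellings of the DONT_REQ_PREAUTH bit (2**22). The rule only lists the decimal
# form; the hex form is an assumption added here for the extended variant.
DONT_REQ_PREAUTH_SPELLINGS: Sequence[str] = ("4194304", "0x400000")


@dataclass
class ScriptBlockEvent:
    """Minimal stand-in for a Microsoft-Windows-PowerShell 4104 event."""
    record_id: int
    script_block_text: str


def selection_matches(script_block_text: str,
                      tokens: Sequence[str] = REQUIRED_TOKENS) -> bool:
    """Sigma contains|all: every token is a case-insensitive substring."""
    haystack = script_block_text.lower()
    return all(token.lower() in haystack for token in tokens)


def selection_matches_extended(script_block_text: str) -> bool:
    """Extended (assumed) variant: same tokens, but the flag value may be
    written in decimal or hex. This is broader than the page's rule."""
    base_tokens = [t for t in REQUIRED_TOKENS if t != "4194304"]
    haystack = script_block_text.lower()
    return (all(t.lower() in haystack for t in base_tokens)
            and any(v.lower() in haystack for v in DONT_REQ_PREAUTH_SPELLINGS))


def scan(events: Iterable[ScriptBlockEvent], extended: bool = False) -> List[int]:
    """Return record ids of events that satisfy the selection."""
    matcher = selection_matches_extended if extended else selection_matches
    return [e.record_id for e in events
            if e.script_block_text and matcher(e.script_block_text)]


# Constructed sample events; these are not real log data.
SAMPLE_EVENTS = [
    ScriptBlockEvent(1, "Get-ADUser -Filter {useraccountcontrol -band 4194304} "
                        "-Properties useraccountcontrol"),
    ScriptBlockEvent(2, "Get-ADUser -Filter * -Properties Name | Select Name"),
    ScriptBlockEvent(3, "get-aduser -filter {UserAccountControl -BAND 4194304}"),
    # Legitimate admin script: bit 2 is ACCOUNTDISABLE, not DONT_REQ_PREAUTH.
    ScriptBlockEvent(4, "Get-ADUser -Filter {useraccountcontrol -band 2}"),
    # Same bit written in hex; the literal rule does not match this one.
    ScriptBlockEvent(5, "Get-ADUser -Filter {useraccountcontrol -band 0x400000}"),
]


if __name__ == "__main__":
    print("rule as written:", scan(SAMPLE_EVENTS))          # [1, 3]
    print("extended variant:", scan(SAMPLE_EVENTS, True))   # [1, 3, 5]
```

Event 4 shows why the rule is scoped to the single flag value rather than to any `-band` on userAccountControl: administrators routinely filter on other bits, which is the "legitimate PowerShell scripts" false-positive class listed below. Event 5 is the coverage gap a detection engineer would want to be aware of when tuning the rule.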
False Positives

Legitimate PowerShell scripts

Rule Metadata
Rule ID
96c982fe-3d08-4df4-bed2-eb14e02f21c8
Status
test
Level
medium
Type
Detection
Created
Thu Mar 17
Path
rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml
Raw Tags
attack.discovery, attack.t1033