Detectionmediumtest

Manipulation of User Computer or Group Security Principals Across AD

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Tue Dec 28b29a93fb-087c-4b5b-a84d-ee3309e69d08windows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains: System.DirectoryServices.AccountManagement
    condition: selection

False Positives

Legitimate administrative script

References

MITRE ATT&CK

Tactics

TA0003 · Persistence

Sub-techniques

T1136.002 · Domain Account

Rule Metadata

Rule ID

b29a93fb-087c-4b5b-a84d-ee3309e69d08

Status

test

Level

medium

Type

Detection

Created

Tue Dec 28

Author

François Hubaut

Path

rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml

Raw Tags

attack.persistenceattack.t1136.002

View on GitHub