Detectionlowtest

Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy

Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

François HubautCreated Thu Mar 17bbb9495b-58fc-4016-b9df-9a3a1b67ca82windows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains: Get-AdDefaultDomainPasswordPolicy
    condition: selection

False Positives

Legitimate PowerShell scripts

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

bbb9495b-58fc-4016-b9df-9a3a1b67ca82

Status

test

Level

low

Type

Detection

Created

Thu Mar 17

Author

Path

rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml

Raw Tags

attack.discoveryattack.t1201