Detectionhightest

PowerShell ADRecon Execution

Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Bhabesh RajCreated Fri Jul 16Updated Tue Sep 06bf72941a-cba0-41ea-b18c-9aca3925690dwindows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains:
            - 'Function Get-ADRExcelComOb'
            - 'Get-ADRGPO'
            - 'Get-ADRDomainController'
            - 'ADRecon-Report.xlsx' # Default
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0007 · Discovery TA0002 · Execution

Sub-techniques

T1059.001 · PowerShell

Rule Metadata

Rule ID

bf72941a-cba0-41ea-b18c-9aca3925690d

Status

test

Level

high

Type

Detection

Created

Fri Jul 16

Modified

Tue Sep 06

Author

Bhabesh Raj

Path

rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml

Raw Tags

attack.discoveryattack.executionattack.t1059.001

View on GitHub