Branch was auto-updated.

Author: srv-rr-gh-researchbt

detections/endpoint/windows_find_domain_organizational_units_with_getdomainou.yml

@@ -0,0 +1,58 @@
+name: Windows Find Domain Organizational Units with GetDomainOU
+id: 0ada2f82-b7af-40cc-b1d7-1e5985afcb4e
+version: 1
+date: '2023-08-31'
+author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
+status: production
+type: TTP
+data_source:
+- Powershell 4104
+description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-DomainOU` commandlet. `Get-DomainOU` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Identifying the use of `Get-DomainOU` is crucial as adversaries and Red Teams might employ it to gain insights into organizational units within Active Directory, potentially aiding in lateral movement or privilege escalation strategies.
+search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-DomainOU*" 
+  | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user 
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `windows_find_domain_organizational_units_with_getdomainou_filter`'
+how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
+known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.
+references:
+- https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainOU/
+- https://attack.mitre.org/techniques/T1087/002/
+- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
+tags:
+  analytic_story:
+  - Active Directory Discovery
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: Suspicious PowerShell Get-DomainOU was identified on endpoint $dest$
+    by user $user$.
+  mitre_attack_id:
+  - T1087
+  - T1087.002
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - Message
+  - Computer
+  - UserID
+  risk_score: 25
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-DomainOU-xml.log
+    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_find_interesting_acl_with_findinterestingdomainacl.yml

@@ -0,0 +1,57 @@
+name: Windows Find Interesting ACL with FindInterestingDomainAcl
+id: e4a96dfd-667a-4487-b942-ccef5a1e81e8
+version: 1
+date: '2023-08-31'
+author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
+status: production
+type: TTP
+data_source:
+- Powershell 4104
+description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-InterestingDomainAcl` commandlet. `Find-InterestingDomainAcl` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-InterestingDomainAcl` is crucial as adversaries and Red Teams might employ it to identify unusual or misconfigured Access Control Lists (ACLs) within the domain. Such ACLs can provide attackers with insights into potential privilege escalation opportunities or weak security postures within Active Directory.
+search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-InterestingDomainAcl*" 
+  | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `windows_find_interesting_acl_with_findinterestingdomainacl_filter`' 
+how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
+known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.
+references:
+- https://powersploit.readthedocs.io/en/latest/Recon/Find-InterestingDomainAcl/
+- https://attack.mitre.org/techniques/T1087/002/
+- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
+tags:
+  analytic_story:
+  - Active Directory Discovery
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: Suspicious PowerShell Find-InterestingDomainAcl was identified on endpoint $dest$ by user $user$.
+  mitre_attack_id:
+  - T1087
+  - T1087.002
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - Message
+  - Computer
+  - UserID
+  risk_score: 25
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-interestingACL-xml.log
+    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_forest_discovery_with_getforestdomain.yml

@@ -0,0 +1,57 @@
+name: Windows Forest Discovery with GetForestDomain
+id: a14803b2-4bd9-4c08-8b57-c37980edebe8
+version: 1
+date: '2023-08-31'
+author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
+status: production
+type: TTP
+data_source:
+- Powershell 4104
+description: This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Get-ForestDomain` commandlet. `Get-ForestDomain` is a component of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Get-ForestDomain` is essential as adversaries and Red Teams might employ it to gain insights into the forest and domain configurations of an Active Directory environment.  Such information can provide attackers with a broader understanding of the domain structure and potential avenues for lateral movement or privilege escalation.
+search: '`powershell` EventCode=4104 ScriptBlockText = "*Get-ForestDomain*" 
+  | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user
+  | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` 
+  | `windows_forest_discovery_with_getforestdomain_filter`'
+how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
+known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.
+references:
+- https://powersploit.readthedocs.io/en/latest/Recon/Get-ForestDomain/
+- https://attack.mitre.org/techniques/T1087/002/
+- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
+tags:
+  analytic_story:
+  - Active Directory Discovery
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: Suspicious PowerShell Get-ForestDomain was identified on endpoint $dest$ by user $user$.
+  mitre_attack_id:
+  - T1087
+  - T1087.002
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - Message
+  - Computer
+  - UserID
+  risk_score: 25
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-ForestDomain-xml.log
+    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+    sourcetype: xmlwineventlog

detections/endpoint/windows_get_local_admin_with_findlocaladminaccess.yml

@@ -0,0 +1,61 @@
+name: Windows Get Local Admin with FindLocalAdminAccess
+id: d2988160-3ce9-4310-b59d-905334920cdd
+version: 1
+date: '2023-08-31'
+author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
+status: production
+type: TTP
+data_source:
+- Powershell 4104
+description: This analytic leverages PowerShell Script Block Logging (EventCode=4104) to detect the execution of the `Find-LocalAdminAccess` commandlet. `Find-LocalAdminAccess` is part of PowerView, a PowerShell toolkit designed for Windows domain enumeration. Detecting the use of `Find-LocalAdminAccess` is vital as adversaries and Red Teams might employ it to identify machines where the current user context has local administrator access. Such information can provide attackers with potential targets for lateral movement or privilege escalation within the network.
+search: '`powershell` EventCode=4104 ScriptBlockText = "*Find-LocalAdminAccess*" 
+  | stats count min(_time) as firstTime max(_time) as lastTime by EventCode ScriptBlockText Computer UserID | rename Computer as dest, UserID as user
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)` 
+  | `windows_get_local_admin_with_findlocaladminaccess_filter`'
+how_to_implement: The following Hunting analytic requires PowerShell operational logs
+  to be imported. Modify the powershell macro as needed to match the sourcetype or
+  add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
+known_false_positives: Administrators may leverage PowerSploit tools for legitimate reasons, filter as needed.
+references:
+- https://powersploit.readthedocs.io/en/latest/Recon/Find-LocalAdminAccess/
+- https://attack.mitre.org/techniques/T1087/002/
+- https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview
+tags:
+  analytic_story:
+  - Active Directory Discovery
+  asset_type: Endpoint
+  confidence: 50
+  impact: 50
+  message: Suspicious PowerShell Find-LocalAdminAccess was identified on endpoint $dest$
+    by user $user$.
+  mitre_attack_id:
+  - T1087
+  - T1087.002
+  observable:
+  - name: dest
+    type: Hostname
+    role:
+    - Victim
+  - name: user
+    type: User
+    role:
+    - Victim
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  required_fields:
+  - _time
+  - EventCode
+  - Message
+  - Computer
+  - UserID
+  risk_score: 25
+  security_domain: endpoint
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/windows-powershell-LocalAdminAccess-xml.log
+    source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
+    sourcetype: xmlwineventlog