Common Active Directory Commands (PowerShell)
Detects the possible execution of specific AD commands on hosts
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1007 System Service Discovery, T1087.002 Account Discovery: Domain Account |
Event coverage
| Provider | Event | Title |
|---|---|---|
| PowerShell | Event ID 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Rule body
```yaml
id: '1073.1110'
title: Common Active Directory Commands
description: 'Detects the possible execution of specific AD commands on hosts. Threat
Actor Association: APT29/Nobelium/Cozy Bear, APT41, FIN6, FIN10, Carbanak, CL-STA-0043,
Lapsus$, Lazarus, MuddyWater, Sandworm Team, TA428, Turla, UNC2596, Vice Society,
Volt Typhoon (Bronze Silhouette, Vanguard Panda), Witchetty, Wizard Spider Software
Association: Akira, ALPHV/BlackCat, AvosLocker, Bazarloader, BianLian, Black Basta,
Clop, Conti, Cuba, Havex, IcedID, Insekt, Lockbit, Revil, Ryuk, Snatch, WASTEDLOCKER
Tags: TrendingThreat, Russia, Ukraine'
logic_format: Splunk
logic: ' `get_endpoint_data` `get_endpoint_data_powershell` (signature_id=4104 ("csvde.exe"
OR "dsacls.exe" OR "dcpromo.exe" OR "dcdiag.exe" OR "dsamain.exe" OR "dsmgmt.exe"
OR "ldifde.exe" OR "ldp.exe" OR "netdom.exe" OR "nltest.exe" OR "setspn.exe" OR
("net" AND ("/domain" OR "computer" )) OR "whoami /groups" OR "ADComputer*" OR "ADGroup*"
OR "ADUser*" OR "ADOrganizationalUnit*" OR "ADGroupMember*" OR "Get-AdmPwdPassword*"
OR "ADAccount*" OR "ADObject*" OR "ADDomain*" OR "ADDefaultDomainPasswordPolicy*"
OR "ADForest" OR "ADPrincipal*" OR "ADService*" OR "ADResourceProperty*" OR "ADResource*"
OR "ADFineGrainedPasswordPolicy*" OR "ADClaim*" OR "ADCentral*" OR "ADAuthentication*"
OR "ADDirectory*" OR "ADTrust" OR "ADRoot*" OR "ADOptional*" OR "Get-Net*" OR "Find-GPO*"
OR "Get-Domain*")) | eval process=coalesce(process,Message), process_path=coalesce(process_path,Path)
| rex field=process mode=sed max_match=0 "s/(?mi)^(Path.+)|^(ScriptBlock ID.+)|^(Creating
Scriptblock.+)//g" | rex field=process max_match=0 "(?i)(?<process2>([^\s\.\\\]+)?((csvde\.exe)|(dsacls\.exe)|(dcpromo\.exe)|(dcdiag\.exe)|(dsamain\.exe)|(dsmgmt\.exe)|(ldifde\.exe)|(ldp\.exe)|(netdom\.exe)|(nltest\.exe)|(setspn\.exe)|(net.+((/domain)|(computer)))|(whoami\s+/groups)|(ADComputer)|(ADGroup)|(ADUser)|(ADOrganizationalUnit)|(ADGroupMember)|(Get-AdmPwdPasswor)|(ADAccount)|(ADObject)|(ADDomain)|(ADDefaultDomainPasswordPolicy)|(ADForest)|(ADPrincipal)|(ADService)|(ADResourceProperty)|(ADResource)|(ADFineGrainedPasswordPolicy)|(ADClaim)|(ADCentral)|(ADAuthentication)|(ADDirectory)|(ADTrust)|(ADRoot)|(ADOptional)|(Get-Net)|(Find-GPO)|(Get-Domain))(\S+)?(\s+)?[^\n\r]{0,40})"
| rex field=process2 mode=sed "s/([\n\r]+)|(\s\s+)//g" | rename process2 as process
| fields - process2 | table _time, host, user, dvc, event_id, host, process, process_path,
signature_id, tag, user_id | bin span=300s | stats values(*) as * by _time, host
| where isnotnull(process) '
techniques:
- discovery:account discovery:domain account
- discovery:system service discovery
technique_id:
- T1087.002
- T1007
data_category:
- PowerShell logs
- Process command-line parameters
references:
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
```
techniques:
- discovery:account discovery:domain account
- discovery:system service discovery
technique_id:
- T1087.002
- T1007
data_category:
- PowerShell logs
- Process command-line parameters
references:
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Stages and Predicates
Stage 1: search
`get_endpoint_data` `get_endpoint_data_powershell` (signature_id=4104 ("csvde.exe" OR "dsacls.exe" OR "dcpromo.exe" OR "dcdiag.exe" OR "dsamain.exe" OR "dsmgmt.exe" OR "ldifde.exe" OR "ldp.exe" OR "netdom.exe" OR "nltest.exe" OR "setspn.exe" OR ("net" AND ("/domain" OR "computer" )) OR "whoami /groups" OR "ADComputer*" OR "ADGroup*" OR "ADUser*" OR "ADOrganizationalUnit*" OR "ADGroupMember*" OR "Get-AdmPwdPassword*" OR "ADAccount*" OR "ADObject*" OR "ADDomain*" OR "ADDefaultDomainPasswordPolicy*" OR "ADForest" OR "ADPrincipal*" OR "ADService*" OR "ADResourceProperty*" OR "ADResource*" OR "ADFineGrainedPasswordPolicy*" OR "ADClaim*" OR "ADCentral*" OR "ADAuthentication*" OR "ADDirectory*" OR "ADTrust" OR "ADRoot*" OR "ADOptional*" OR "Get-Net*" OR "Find-GPO*" OR "Get-Domain*"))
Stage 2: eval
| eval process=coalesce(process,Message), process_path=coalesce(process_path,Path)
Stage 3: eval
| rex field=process mode=sed max_match=0 "s/(?mi)^(Path.+)|^(ScriptBlock ID.+)|^(Creating Scriptblock.+)//g"
Stage 4: rex
| rex field=process max_match=0 "(?i)(?<process2>([^\s\.\\\]+)?((csvde\.exe)|(dsacls\.exe)|(dcpromo\.exe)|(dcdiag\.exe)|(dsamain\.exe)|(dsmgmt\.exe)|(ldifde\.exe)|(ldp\.exe)|(netdom\.exe)|(nltest\.exe)|(setspn\.exe)|(net.+((/domain)|(computer)))|(whoami\s+/groups)|(ADComputer)|(ADGroup)|(ADUser)|(ADOrganizationalUnit)|(ADGroupMember)|(Get-AdmPwdPasswor)|(ADAccount)|(ADObject)|(ADDomain)|(ADDefaultDomainPasswordPolicy)|(ADForest)|(ADPrincipal)|(ADService)|(ADResourceProperty)|(ADResource)|(ADFineGrainedPasswordPolicy)|(ADClaim)|(ADCentral)|(ADAuthentication)|(ADDirectory)|(ADTrust)|(ADRoot)|(ADOptional)|(Get-Net)|(Find-GPO)|(Get-Domain))(\S+)?(\s+)?[^\n\r]{0,40})"
Stage 5: eval
| rex field=process2 mode=sed "s/([\n\r]+)|(\s\s+)//g"
Stage 6: rename
| rename process2 as process
Stage 7: fields
| fields - process2
Stage 8: table
| table _time, host, user, dvc, event_id, host, process, process_path, signature_id, tag, user_id
Stage 9: bucket
| bin span=300s
Stage 10: stats
| stats values(*) as * by _time, host
Stage 11: where
| where isnotnull(process)
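To see what stages 3 to 11 actually leave in the `process` field, here is an added Python transcription of the rule's three rex stages (not part of the rule or of this catalog) run over constructed 4104 message bodies: an AD inventory script, an unrelated script, and an interactive console session. The header lines it strips, the 40-character tail and the `(\s+)?` group that can run across a newline are all taken from the rule's own regexes; the GUIDs and paths in the samples are placeholders.

```python
import re

# Stage 3 of the rule: drop the 4104 header/trailer lines so only script text remains.
STRIP_HEADER = re.compile(r"(?mi)^(Path.+)|^(ScriptBlock ID.+)|^(Creating Scriptblock.+)")

# Stage 4: the rule's extraction regex in Python syntax
# (PCRE (?<name>) becomes (?P<name>); the SPL-escaped class [^\s\.\\\] is [^\s.\\]).
AD_TERMS = (
    r"(csvde\.exe)|(dsacls\.exe)|(dcpromo\.exe)|(dcdiag\.exe)|(dsamain\.exe)|(dsmgmt\.exe)|"
    r"(ldifde\.exe)|(ldp\.exe)|(netdom\.exe)|(nltest\.exe)|(setspn\.exe)|"
    r"(net.+((/domain)|(computer)))|(whoami\s+/groups)|(ADComputer)|(ADGroup)|(ADUser)|"
    r"(ADOrganizationalUnit)|(ADGroupMember)|(Get-AdmPwdPasswor)|(ADAccount)|(ADObject)|"
    r"(ADDomain)|(ADDefaultDomainPasswordPolicy)|(ADForest)|(ADPrincipal)|(ADService)|"
    r"(ADResourceProperty)|(ADResource)|(ADFineGrainedPasswordPolicy)|(ADClaim)|(ADCentral)|"
    r"(ADAuthentication)|(ADDirectory)|(ADTrust)|(ADRoot)|(ADOptional)|(Get-Net)|(Find-GPO)|"
    r"(Get-Domain)"
)
EXTRACT = re.compile(r"(?i)(?P<process2>([^\s.\\]+)?(" + AD_TERMS + r")(\S+)?(\s+)?[^\n\r]{0,40})")

# Stage 5: remove newlines and runs of whitespace inside each extracted value.
COLLAPSE = re.compile(r"([\n\r]+)|(\s\s+)")


def extract_process(message):
    """Return the `process` values the rule would produce for one 4104 Message,
    or None when stage 11 (`where isnotnull(process)`) would drop the event."""
    body = STRIP_HEADER.sub("", message)
    values = [COLLAPSE.sub("", m.group("process2")) for m in EXTRACT.finditer(body)]
    return values or None


# Constructed 4104 ScriptBlock messages (not real telemetry).
ADMIN_INVENTORY = (
    "Creating Scriptblock text (1 of 1):\n"
    "Import-Module ActiveDirectory\n"
    "Get-ADUser -Filter * -Properties memberOf\n"
    "Get-ADDomainController -Discover\n"
    "ScriptBlock ID: 00000000-0000-0000-0000-000000000001\n"
    "Path: C:\\scripts\\inventory.ps1"
)
BENIGN_NOISE = (
    "Creating Scriptblock text (1 of 1):\n"
    "Get-Process | Sort-Object CPU -Descending\n"
    "ScriptBlock ID: 00000000-0000-0000-0000-000000000002\n"
    "Path: C:\\scripts\\top.ps1"
)
INTERACTIVE_SESSION = (
    "Creating Scriptblock text (1 of 1):\n"
    "net group \"Domain Admins\" /domain\n"
    "whoami /groups\n"
    "ScriptBlock ID: 00000000-0000-0000-0000-000000000003\n"
    "Path: "
)
```

The first sample shows that a legitimate inventory script fires the rule, so tuning belongs at the stage 10 aggregation (known admin hosts, scheduled script paths in `process_path`); the third shows `(\s+)?` swallowing the newline so that `whoami /groups` is folded into the `net` match rather than appearing as its own value.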
Indicators
Each row is a field, operator, and value that the rule matches. Where a corpus column is shown, it counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| process | is_not_null | |
| signature_id | eq | 4104 |
Search terms
Bare-string tokens in the SPL search body. Splunk matches each token against _raw (the untyped raw event text) anywhere it appears, not against a specific field. These don't surface in the Indicators table because they aren't predicates on a known field.
| Stage | Term |
|---|---|
| 1 | "csvde.exe" |
| 1 | "dsacls.exe" |
| 1 | "dcpromo.exe" |
| 1 | "dcdiag.exe" |
| 1 | "dsamain.exe" |
| 1 | "dsmgmt.exe" |
| 1 | "ldifde.exe" |
| 1 | "ldp.exe" |
| 1 | "netdom.exe" |
| 1 | "nltest.exe" |
| 1 | "setspn.exe" |
| 1 | "net" |
| 1 | "/domain" |
| 1 | "computer" |
| 1 | "whoami /groups" |
| 1 | "ADComputer*" |
| 1 | "ADGroup*" |
| 1 | "ADUser*" |
| 1 | "ADOrganizationalUnit*" |
| 1 | "ADGroupMember*" |
| 1 | "Get-AdmPwdPassword*" |
| 1 | "ADAccount*" |
| 1 | "ADObject*" |
| 1 | "ADDomain*" |
| 1 | "ADDefaultDomainPasswordPolicy*" |
| 1 | "ADForest" |
| 1 | "ADPrincipal*" |
| 1 | "ADService*" |
| 1 | "ADResourceProperty*" |
| 1 | "ADResource*" |
| 1 | "ADFineGrainedPasswordPolicy*" |
| 1 | "ADClaim*" |
| 1 | "ADCentral*" |
| 1 | "ADAuthentication*" |
| 1 | "ADDirectory*" |
| 1 | "ADTrust" |
| 1 | "ADRoot*" |
| 1 | "ADOptional*" |
| 1 | "Get-Net*" |
| 1 | "Find-GPO*" |
| 1 | "Get-Domain*" |