
GetAdComputer with PowerShell Script Block

Splunk Security Content

Summary
This analytic rule is designed to detect the execution of the PowerShell cmdlet `Get-AdComputer`, which is used to enumerate domain computers in an Active Directory environment. This command, when logged via PowerShell Script Block Logging (specifically EventCode=4104), can indicate potential adversarial activity aimed at gathering information about the domain infrastructure. By capturing the specific script block where `Get-AdComputer` is called, security analysts can identify unauthorized exploration of the network, which may aid attackers in mapping networks and formulating further exploitation strategies. Successful detection can significantly enhance visibility into potential threats, particularly in environments that rely on Active Directory for resource management. Implementation of this rule requires ensuring that PowerShell Script Block Logging is enabled across the targeted endpoints. The rule excludes instances where this cmdlet is used legitimately by administrators for troubleshooting purposes, which may lead to false positives. Overall, monitoring for `Get-AdComputer` execution is critical in threat hunting efforts focused on pre-exploitation reconnaissance activities.
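Detection logic of the kind the summary describes, written here as an added Python example that is not part of the Splunk content: it reassembles EventCode 4104 records that share a ScriptBlockId (Windows logs long script blocks as numbered fragments) and flags blocks whose text invokes `Get-AdComputer`, matching the cmdlet name case-insensitively as PowerShell does. The records are constructed samples; the field names follow the Windows 4104 event.

```python
import re
from collections import defaultdict

# Constructed sample of PowerShell Script Block Logging records (EventCode 4104),
# shaped like the fields the Windows event carries; not real log data.
SAMPLE_EVENTS = [
    {"EventCode": "4104", "Computer": "ws01.corp.example", "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockId": "a1", "MessageNumber": "1", "MessageTotal": "1",
     "ScriptBlockText": "Get-ADComputer -Filter * -Properties OperatingSystem"},
    {"EventCode": "4104", "Computer": "ws02.corp.example", "UserID": "S-1-5-21-1-2-3-1002",
     "ScriptBlockId": "b2", "MessageNumber": "1", "MessageTotal": "1",
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"EventCode": "4103", "Computer": "ws03.corp.example", "UserID": "S-1-5-21-1-2-3-1003",
     "ScriptBlockId": "c3", "MessageNumber": "1", "MessageTotal": "1",
     "ScriptBlockText": "get-adcomputer -Identity DC01"},  # 4103 pipeline log, not 4104
    # One long script block that the event log split into two 4104 fragments,
    # delivered out of order; the cmdlet name straddles the split.
    {"EventCode": "4104", "Computer": "ws04.corp.example", "UserID": "S-1-5-21-1-2-3-1004",
     "ScriptBlockId": "d4", "MessageNumber": "2", "MessageTotal": "2",
     "ScriptBlockText": "puter -SearchBase 'OU=Servers,DC=corp,DC=example'"},
    {"EventCode": "4104", "Computer": "ws04.corp.example", "UserID": "S-1-5-21-1-2-3-1004",
     "ScriptBlockId": "d4", "MessageNumber": "1", "MessageTotal": "2",
     "ScriptBlockText": "Import-Module ActiveDirectory\nGet-AdCom"},
]

# Cmdlet names are case-insensitive in PowerShell; the lookarounds stop a longer
# cmdlet name that merely contains this one from matching.
GET_ADCOMPUTER = re.compile(r"(?<![\w-])get-adcomputer(?![\w-])", re.IGNORECASE)


def reassemble_script_blocks(events):
    """Join 4104 fragments that share a ScriptBlockId, ordered by MessageNumber."""
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") == "4104":
            groups[ev["ScriptBlockId"]].append(ev)
    blocks = []
    for block_id, frags in groups.items():
        frags.sort(key=lambda f: int(f.get("MessageNumber", "1")))
        blocks.append({"Computer": frags[0]["Computer"], "UserID": frags[0]["UserID"],
                       "ScriptBlockId": block_id,
                       "ScriptBlockText": "".join(f["ScriptBlockText"] for f in frags)})
    return blocks


def detect_get_adcomputer(events):
    """Return the reassembled script blocks whose text invokes Get-AdComputer."""
    return [b for b in reassemble_script_blocks(events)
            if GET_ADCOMPUTER.search(b["ScriptBlockText"])]
```

Running `detect_get_adcomputer(SAMPLE_EVENTS)` returns the ws01 block and the reassembled ws04 block; the 4103 record is ignored because the rule keys on script block logging only.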
Categories
  • Endpoint
Data Sources
  • Persona
  • Script
  • Command
ATT&CK Techniques
  • T1018
  • T1059.001
Created: 2024-11-13