
Summary
This analytic detection rule identifies execution of the PowerShell cmdlet `Get-DomainGroupMember`, part of the PowerView toolkit commonly used for Active Directory enumeration. The detection relies on PowerShell Script Block Logging, specifically EventCode 4104 from the Microsoft-Windows-PowerShell/Operational log. The cmdlet is typically run to enumerate the members of high-privilege groups such as Domain Admins and Enterprise Admins, a common reconnaissance step for adversaries looking for accounts to target for privilege escalation, lateral movement, or data exfiltration. Monitoring this activity lets defenders spot reconnaissance against privileged groups early, before it is followed by targeted attacks on those accounts.
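The following is an added example of the detection logic described above, run over a handful of constructed EventCode 4104 records; it is illustrative code written for this page, not the rule's own search. The field names (EventCode, Computer, UserID, ScriptBlockText) follow the Windows PowerShell Operational log, the sample events are made up, and the list of high-value group names is an assumption used only to rank hits.

```python
import re

# Constructed sample 4104 records, not real telemetry. The fourth record has the
# wrong EventCode and the fifth uses the RSAT cmdlet Get-ADGroupMember, so both
# are expected to be ignored by the PowerView-specific match.
SAMPLE_EVENTS = [
    {"EventCode": 4104, "Computer": "ws01.corp.local", "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockText": "Get-DomainGroupMember -Identity 'Domain Admins' -Recurse"},
    {"EventCode": 4104, "Computer": "ws01.corp.local", "UserID": "S-1-5-21-1-2-3-1001",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"EventCode": 4104, "Computer": "ws07.corp.local", "UserID": "S-1-5-21-1-2-3-1337",
     "ScriptBlockText": "get-domaingroupmember \"Enterprise Admins\" | select MemberName"},
    {"EventCode": 4103, "Computer": "ws07.corp.local", "UserID": "S-1-5-21-1-2-3-1337",
     "ScriptBlockText": "Get-DomainGroupMember 'Domain Admins'"},
    {"EventCode": 4104, "Computer": "srv02.corp.local", "UserID": "S-1-5-21-1-2-3-500",
     "ScriptBlockText": "Get-ADGroupMember -Identity 'Domain Admins'"},
]

# PowerShell resolves cmdlet names case-insensitively, so the match must be too.
CMDLET_RE = re.compile(r"\bGet-DomainGroupMember\b", re.IGNORECASE)
# Named -Identity argument, quoted with ' or " or bare.
IDENTITY_RE = re.compile(r"-Identity\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", re.IGNORECASE)
# Positional first argument directly after the cmdlet (not a -Switch, pipe or ';').
POSITIONAL_RE = re.compile(
    r"Get-DomainGroupMember\s+(?:'([^']+)'|\"([^\"]+)\"|([^\s\-|;][^\s|;]*))",
    re.IGNORECASE)
# Assumed list of groups whose enumeration most often precedes privilege escalation.
HIGH_VALUE_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}


def extract_identity(script_block):
    """Return the group name passed to Get-DomainGroupMember, or None."""
    for pattern in (IDENTITY_RE, POSITIONAL_RE):
        m = pattern.search(script_block)
        if m:
            return next(g for g in m.groups() if g is not None)
    return None


def detect(events):
    """Return one hit per 4104 record whose script block invokes the cmdlet."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != 4104:
            continue  # only Script Block Logging records carry ScriptBlockText
        text = ev.get("ScriptBlockText", "")
        if not CMDLET_RE.search(text):
            continue
        identity = extract_identity(text)
        hits.append({
            "Computer": ev["Computer"],
            "UserID": ev["UserID"],
            "Identity": identity,
            "HighValue": identity is not None and identity.lower() in HIGH_VALUE_GROUPS,
            "ScriptBlockText": text,
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Two caveats for tuning. Script Block Logging records a block as it is handed to the engine, so a string decoded and then run through `Invoke-Expression` is logged again in clear form, but a cmdlet name assembled from fragments in a single block will not match a plain name search. Conversely, administrators and red teams legitimately run PowerView, so the hit should be enriched with the user and host rather than treated as malicious on its own.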
Categories
- Endpoint
Data Sources
- Pod
- User Account
- Script
ATT&CK Techniques
- T1069
- T1069.002
Created: 2024-11-13