
Summary
This detection rule identifies use of PowerShell's DirectorySearcher class (System.DirectoryServices.DirectorySearcher), which an attacker can use to enumerate Active Directory (AD) objects, in particular computers joined to the domain. The rule relies on PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log), so that feature must be enabled on monitored endpoints for the rule to produce results. The indicators are script blocks that instantiate the object with 'New-Object System.DirectoryServices.DirectorySearcher' and call the methods used to shape and execute the LDAP query: '.PropertiesToLoad.Add' to select the attributes returned and '.FindAll()' to run the search. A script block containing these elements is likely an attempt to enumerate the AD structure, so the rule is useful for detecting reconnaissance (remote system discovery) inside a Windows domain. Because the indicators are literal strings, an equivalent query issued through the [adsisearcher] type accelerator, which creates a DirectorySearcher without New-Object, will not match, and legitimate inventory scripts that use this class should be baselined or filtered to limit false positives.
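The following is an added example, not part of the original rule page, showing the rule's indicator logic applied to constructed Event ID 4104 script block events. The event fields, the sample script blocks and the hostnames/usernames are all made up for the example, and the choice to require the constructor together with both method calls (AND logic) is an assumption; the real rule's boolean combination should be checked against its search text.

```python
import re
from dataclasses import dataclass

# Event ID 4104 is the Microsoft-Windows-PowerShell/Operational script block
# logging event; the rule is only meaningful over that event source.
SCRIPT_BLOCK_EVENT_ID = 4104

# Indicators named in the rule description. PowerShell is case-insensitive,
# so the patterns are too. The rule itself is assumed to use wildcard
# substring matching on ScriptBlockText; these regexes approximate that.
CONSTRUCTOR = re.compile(
    r"New-Object\s+(-TypeName\s+)?System\.DirectoryServices\.DirectorySearcher",
    re.IGNORECASE,
)
METHOD_CALLS = {
    "PropertiesToLoad.Add": re.compile(r"\.PropertiesToLoad\.Add\s*\(", re.IGNORECASE),
    "FindAll": re.compile(r"\.FindAll\s*\(\s*\)", re.IGNORECASE),
}


@dataclass
class ScriptBlockEvent:
    """Minimal projection of a 4104 event (constructed field set, not a real schema)."""
    event_id: int
    computer: str
    user: str
    script_block_text: str


def matched_indicators(event: ScriptBlockEvent) -> list:
    """Return the indicator names found in one event's ScriptBlockText.

    Non-4104 events and blocks without the constructor yield an empty list;
    otherwise the constructor is listed first, followed by any method calls.
    """
    if event.event_id != SCRIPT_BLOCK_EVENT_ID:
        return []
    text = event.script_block_text
    if not CONSTRUCTOR.search(text):
        return []
    found = ["DirectorySearcher"]
    found += [name for name, rx in METHOD_CALLS.items() if rx.search(text)]
    return found


def is_directorysearcher_enumeration(event: ScriptBlockEvent) -> bool:
    """True when the constructor and both method calls appear (assumed AND logic)."""
    return len(matched_indicators(event)) == 1 + len(METHOD_CALLS)


def run_detection(events) -> list:
    """Return (computer, user, indicators) for every event the rule would flag."""
    return [
        (e.computer, e.user, matched_indicators(e))
        for e in events
        if is_directorysearcher_enumeration(e)
    ]


# Constructed sample events; none of these are real log records.
SAMPLE_EVENTS = [
    # Domain computer enumeration: constructor, attribute selection, query execution.
    ScriptBlockEvent(4104, "WS01.corp.example", "CORP\\jdoe",
        "$s = New-Object System.DirectoryServices.DirectorySearcher\n"
        "$s.Filter = '(objectCategory=computer)'\n"
        "$s.PropertiesToLoad.Add('dnshostname') | Out-Null\n"
        "$s.PropertiesToLoad.Add('operatingsystem') | Out-Null\n"
        "$s.FindAll() | ForEach-Object { $_.Properties.dnshostname }"),
    # Benign administrative block with none of the indicators.
    ScriptBlockEvent(4104, "WS02.corp.example", "CORP\\svc_backup",
        "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU -Descending"),
    # Constructor only; no attributes selected and no query executed.
    ScriptBlockEvent(4104, "WS03.corp.example", "CORP\\admin1",
        "$ds = New-Object -TypeName System.DirectoryServices.DirectorySearcher\n"
        "$ds.SearchRoot"),
    # Same query via the [adsisearcher] accelerator: no New-Object, so not matched.
    ScriptBlockEvent(4104, "WS04.corp.example", "CORP\\jdoe",
        "([adsisearcher]'(objectCategory=computer)').FindAll() | ForEach-Object { $_.Path }"),
    # Module logging event (4103) carrying the same text; wrong event source.
    ScriptBlockEvent(4103, "WS05.corp.example", "CORP\\jdoe",
        "$s = New-Object System.DirectoryServices.DirectorySearcher\n"
        "$s.PropertiesToLoad.Add('name'); $s.FindAll()"),
]

if __name__ == "__main__":
    for computer, user, indicators in run_detection(SAMPLE_EVENTS):
        print(f"ALERT {computer} {user}: {', '.join(indicators)}")
```

Only the first event is flagged. The third shows why requiring the method calls matters: creating the object alone is not a search. The fourth is the blind spot a practitioner should note: [adsisearcher] builds the same DirectorySearcher and runs the same LDAP query, but the literal 'New-Object System.DirectoryServices.DirectorySearcher' indicator never appears, so a complementary indicator on that accelerator (or on the LDAP filter text) is worth adding alongside this rule.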
Categories
- Windows
- Identity Management
- Endpoint
Data Sources
- Script
- Application Log
ATT&CK Techniques
- T1018
Created: 2022-02-12