
Summary
This detection rule identifies the execution of `powershell.exe` with command-line arguments indicating enumeration of domain users via the `Get-DomainUser` command, typically used in Active Directory reconnaissance. The detection is built on data sourced from Endpoint Detection and Response (EDR) solutions, which provide telemetry on the processes running on endpoints. By matching the process name and command-line parameters associated with this known activity, the rule surfaces attempts to gather information about user accounts within a domain. Such actions can indicate preparatory steps taken by threat actors or Red Teams before further attacks. The detection uses Splunk's Endpoint data model and supports security posture by alerting on potential abuse of PowerShell for Active Directory enumeration.
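As an added example (not the rule's own SPL search, which the page does not reproduce), the matching logic described above can be expressed over process telemetry normalized to Splunk's Endpoint.Processes field names. The field names `process_name`, `process`, `dest` and `user`, and the sample events, are assumptions constructed for this illustration; the match is case-insensitive on the process name and on the literal `Get-DomainUser` token, and events from other process names (here `cmd.exe`) are deliberately excluded to mirror the rule's scope.

```python
"""Illustrative re-implementation of the Get-DomainUser detection logic.

Added example, not the rule's own search. Field names follow the
Endpoint.Processes data model (assumption); all events are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    dest: str          # endpoint hostname
    user: str          # account that launched the process
    process_name: str  # image name as reported by EDR
    process: str       # full command line


# Constructed sample telemetry, not real EDR data.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", "CORP\\alice", "powershell.exe",
                 'powershell.exe -nop -c "Get-DomainUser -Identity admin"'),
    ProcessEvent("ws02", "CORP\\bob", "powershell.exe",
                 "powershell.exe -File C:\\scripts\\backup.ps1"),
    # Same token but not powershell.exe: outside the rule's scope.
    ProcessEvent("ws03", "CORP\\carol", "cmd.exe",
                 "cmd.exe /c echo Get-DomainUser"),
    # Mixed-case image and cmdlet: still matched because the check is case-insensitive.
    ProcessEvent("ws04", "CORP\\dave", "PowerShell.EXE",
                 "PowerShell.EXE get-domainuser | select samaccountname"),
]


def is_domain_user_enumeration(event: ProcessEvent) -> bool:
    """True when powershell.exe ran with Get-DomainUser in its command line."""
    return (event.process_name.lower() == "powershell.exe"
            and "get-domainuser" in event.process.lower())


def detect(events):
    """Return the subset of events that trigger the detection."""
    return [e for e in events if is_domain_user_enumeration(e)]


def summarize(events):
    """Aggregate hits per (dest, user), like a `stats count by dest, user`."""
    return dict(Counter((e.dest, e.user) for e in detect(events)))


if __name__ == "__main__":
    for (dest, user), count in summarize(SAMPLE_EVENTS).items():
        print(f"{dest}\t{user}\t{count}")
```

Because the check keys on the literal cmdlet name in the visible command line, only invocations that carry that token in `process` are counted; the EDR's command-line field must therefore be populated and unabridged for the rule to fire, which is worth verifying when tuning it in a given environment.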
Categories
- Endpoint
- Infrastructure
Data Sources
- Process
- Windows Registry
- Logon Session
ATT&CK Techniques
- T1087.002
- T1087
Created: 2024-11-13