[metadata] creation_date = "2023/07/06" integration = ["windows"] maturity = "production" min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration." min_stack_version = "8.14.0" updated_date = "2025/01/13" [rule] author = ["Elastic"] description = """ Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. """ from = "now-119m" interval = "60m" index = ["winlogbeat-*", "logs-windows.powershell*"] language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Discovery Capabilities" risk_score = 21 rule_id = "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be" setup = """## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` Steps to implement the logging policy via registry: ``` reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ severity = "low" tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR"] timestamp_override = "event.ingested" type = "query" building_block_type = "default" query = ''' event.category:process and host.os.type:windows and powershell.file.script_block_text : ( ( "Get-ADDefaultDomainPasswordPolicy" or "Get-ADDomain" or "Get-ComputerInfo" or "Get-Disk" or "Get-DnsClientCache" or "Get-GPOReport" or "Get-HotFix" or "Get-LocalUser" or "Get-NetFirewallProfile" or "get-nettcpconnection" or "Get-NetAdapter" or "Get-PhysicalDisk" or "Get-Process" or "Get-PSDrive" or "Get-Service" or "Get-SmbShare" or "Get-WinEvent" ) or ( ("Get-WmiObject" or "gwmi" or "Get-CimInstance" or "gcim" or "Management.ManagementObjectSearcher" or "System.Management.ManagementClass" or "[WmiClass]") and ( "AntiVirusProduct" or "CIM_BIOSElement" or "CIM_ComputerSystem" or "CIM_Product" or "CIM_DiskDrive" or "CIM_LogicalDisk" or "CIM_NetworkAdapter" or "CIM_StorageVolume" or "CIM_OperatingSystem" or "CIM_Process" or "CIM_Service" or "MSFT_DNSClientCache" or "Win32_BIOS" or "Win32_ComputerSystem" or "Win32_ComputerSystemProduct" or "Win32_DiskDrive" or "win32_environment" or "Win32_Group" or "Win32_groupuser" or "Win32_IP4RouteTable" or "Win32_logicaldisk" or "Win32_MappedLogicalDisk" or "Win32_NetworkAdapterConfiguration" or "win32_ntdomain" or "Win32_OperatingSystem" or "Win32_PnPEntity" or "Win32_Process" or "Win32_Product" or "Win32_quickfixengineering" or "win32_service" or "Win32_Share" or "Win32_UserAccount" ) ) or ( ("ADSI" and "WinNT") or ("Get-ChildItem" and "sysmondrv.sys") or ("::GetIPGlobalProperties()" and "GetActiveTcpConnections()") or ("ServiceProcess.ServiceController" and "::GetServices") or ("Diagnostics.Process" and "::GetProcesses") or ("DirectoryServices.Protocols.GroupPolicy" and ".GetGPOReport()") or ("DirectoryServices.AccountManagement" and "PrincipalSearcher") or ("NetFwTypeLib.NetFwMgr" and "CurrentProfile") or ("NetworkInformation.NetworkInterface" and "GetAllNetworkInterfaces") or ("Automation.PSDriveInfo") or ("Microsoft.Win32.RegistryHive") ) or ( "Get-ItemProperty" and ( "\Control\SecurityProviders\WDigest" or "\microsoft\windows\currentversion\explorer\runmru" or "\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" or "\Microsoft\Windows\CurrentVersion\Uninstall" or "\Microsoft\Windows\WindowsUpdate" or "Policies\Microsoft\Windows\Installer" or "Software\Microsoft\Windows\CurrentVersion\Policies" or ("\Services\SharedAccess\Parameters\FirewallPolicy" and "EnableFirewall") or ("Microsoft\Windows\CurrentVersion\Internet Settings" and "proxyEnable") ) ) or ( ("Directoryservices.Activedirectory" or "DirectoryServices.AccountManagement") and ( "Domain Admins" or "DomainControllers" or "FindAllGlobalCatalogs" or "GetAllTrustRelationships" or "GetCurrentDomain" or "GetCurrentForest" ) or "DirectoryServices.DirectorySearcher" and ( "samAccountType=805306368" or "samAccountType=805306369" or "objectCategory=group" or "objectCategory=groupPolicyContainer" or "objectCategory=site" or "objectCategory=subnet" or "objectClass=trustedDomain" ) ) or ( "Get-Process" and ( "mcshield" or "windefend" or "savservice" or "TMCCSF" or "symantec antivirus" or "CSFalcon" or "TmPfw" or "kvoop" ) ) ) and not powershell.file.script_block_text : ( ( "__cmdletization_BindCommonParameters" and "Microsoft.PowerShell.Core\Export-ModuleMember" and "Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter" ) or "CmdletsToExport=@(\"Add-Content\"," or ("cmdletization" and "cdxml-Help.xml") ) and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") ''' [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] "case_insensitive" = true "value" = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] "case_insensitive" = true "value" = "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] "case_insensitive" = true "value" = "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] "case_insensitive" = true "value" = "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] "case_insensitive" = true "value" = "?:\\\\Windows\\\\TEMP\\\\SDIAG*" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] "case_insensitive" = true "value" = "?:\\\\Temp\\\\SDIAG*" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] "case_insensitive" = true "value" = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] "case_insensitive" = true "value" = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" [[rule.threat.technique]] id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" [[rule.threat.technique]] id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" [[rule.threat.technique]] id = "T1615" name = "Group Policy Discovery" reference = "https://attack.mitre.org/techniques/T1615/" [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" [[rule.threat.technique]] id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" [[rule.threat.technique]] id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = "https://attack.mitre.org/techniques/T1049/" [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" reference = "https://attack.mitre.org/techniques/T1007/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"