[metadata] creation_date = "2023/07/06" integration = ["windows"] maturity = "production" updated_date = "2025/03/20" [rule] author = ["Elastic"] building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc. """ from = "now-119m" index = ["winlogbeat-*", "logs-windows.powershell*"] interval = "60m" language = "kuery" license = "Elastic License v2" name = "PowerShell Script with Discovery Capabilities" risk_score = 21 rule_id = "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be" setup = """## Setup The 'PowerShell Script Block Logging' logging policy must be enabled. Steps to implement the logging policy with Advanced Audit Configuration: ``` Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable) ``` Steps to implement the logging policy via registry: ``` reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1 ``` """ severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Collection", "Tactic: Discovery", "Data Source: PowerShell Logs", "Rule Type: BBR", ] timestamp_override = "event.ingested" type = "query" query = ''' event.category:process and host.os.type:windows and powershell.file.script_block_text : ( ( "Get-ADDefaultDomainPasswordPolicy" or "Get-ADDomain" or "Get-ComputerInfo" or "Get-Disk" or "Get-DnsClientCache" or "Get-GPOReport" or "Get-HotFix" or "Get-LocalUser" or "Get-NetFirewallProfile" or "get-nettcpconnection" or "Get-NetAdapter" or "Get-PhysicalDisk" or "Get-Process" or "Get-PSDrive" or "Get-Service" or "Get-SmbShare" or "Get-WinEvent" ) or ( ("Get-WmiObject" or "gwmi" or "Get-CimInstance" or "gcim" or "Management.ManagementObjectSearcher" or "System.Management.ManagementClass" or "[WmiClass]") and ( "AntiVirusProduct" or "CIM_BIOSElement" or "CIM_ComputerSystem" or "CIM_Product" or "CIM_DiskDrive" or "CIM_LogicalDisk" or "CIM_NetworkAdapter" or "CIM_StorageVolume" or "CIM_OperatingSystem" or "CIM_Process" or "CIM_Service" or "MSFT_DNSClientCache" or "Win32_BIOS" or "Win32_ComputerSystem" or "Win32_ComputerSystemProduct" or "Win32_DiskDrive" or "win32_environment" or "Win32_Group" or "Win32_groupuser" or "Win32_IP4RouteTable" or "Win32_logicaldisk" or "Win32_MappedLogicalDisk" or "Win32_NetworkAdapterConfiguration" or "win32_ntdomain" or "Win32_OperatingSystem" or "Win32_PnPEntity" or "Win32_Process" or "Win32_Product" or "Win32_quickfixengineering" or "win32_service" or "Win32_Share" or "Win32_UserAccount" ) ) or ( ("ADSI" and "WinNT") or ("Get-ChildItem" and "sysmondrv.sys") or ("::GetIPGlobalProperties()" and "GetActiveTcpConnections()") or ("ServiceProcess.ServiceController" and "::GetServices") or ("Diagnostics.Process" and "::GetProcesses") or ("DirectoryServices.Protocols.GroupPolicy" and ".GetGPOReport()") or ("DirectoryServices.AccountManagement" and "PrincipalSearcher") or ("NetFwTypeLib.NetFwMgr" and "CurrentProfile") or ("NetworkInformation.NetworkInterface" and "GetAllNetworkInterfaces") or ("Automation.PSDriveInfo") or ("Microsoft.Win32.RegistryHive") ) or ( "Get-ItemProperty" and ( "\Control\SecurityProviders\WDigest" or "\microsoft\windows\currentversion\explorer\runmru" or "\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" or "\Microsoft\Windows\CurrentVersion\Uninstall" or "\Microsoft\Windows\WindowsUpdate" or "Policies\Microsoft\Windows\Installer" or "Software\Microsoft\Windows\CurrentVersion\Policies" or ("\Services\SharedAccess\Parameters\FirewallPolicy" and "EnableFirewall") or ("Microsoft\Windows\CurrentVersion\Internet Settings" and "proxyEnable") ) ) or ( ("Directoryservices.Activedirectory" or "DirectoryServices.AccountManagement") and ( "Domain Admins" or "DomainControllers" or "FindAllGlobalCatalogs" or "GetAllTrustRelationships" or "GetCurrentDomain" or "GetCurrentForest" ) or "DirectoryServices.DirectorySearcher" and ( "samAccountType=805306368" or "samAccountType=805306369" or "objectCategory=group" or "objectCategory=groupPolicyContainer" or "objectCategory=site" or "objectCategory=subnet" or "objectClass=trustedDomain" ) ) or ( "Get-Process" and ( "mcshield" or "windefend" or "savservice" or "TMCCSF" or "symantec antivirus" or "CSFalcon" or "TmPfw" or "kvoop" ) ) ) and not powershell.file.script_block_text : ( ( "__cmdletization_BindCommonParameters" and "Microsoft.PowerShell.Core\Export-ModuleMember" and "Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter" ) or "CmdletsToExport=@(\"Add-Content\"," or ("cmdletization" and "cdxml-Help.xml") ) and not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20") ''' [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Windows\\\\TEMP\\\\SDIAG*" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Temp\\\\SDIAG*" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1007" name = "System Service Discovery" reference = "https://attack.mitre.org/techniques/T1007/" [[rule.threat.technique]] id = "T1012" name = "Query Registry" reference = "https://attack.mitre.org/techniques/T1012/" [[rule.threat.technique]] id = "T1049" name = "System Network Connections Discovery" reference = "https://attack.mitre.org/techniques/T1049/" [[rule.threat.technique]] id = "T1057" name = "Process Discovery" reference = "https://attack.mitre.org/techniques/T1057/" [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" [[rule.threat.technique]] id = "T1082" name = "System Information Discovery" reference = "https://attack.mitre.org/techniques/T1082/" [[rule.threat.technique]] id = "T1083" name = "File and Directory Discovery" reference = "https://attack.mitre.org/techniques/T1083/" [[rule.threat.technique]] id = "T1087" name = "Account Discovery" reference = "https://attack.mitre.org/techniques/T1087/" [[rule.threat.technique.subtechnique]] id = "T1087.001" name = "Local Account" reference = "https://attack.mitre.org/techniques/T1087/001/" [[rule.threat.technique.subtechnique]] id = "T1087.002" name = "Domain Account" reference = "https://attack.mitre.org/techniques/T1087/002/" [[rule.threat.technique]] id = "T1135" name = "Network Share Discovery" reference = "https://attack.mitre.org/techniques/T1135/" [[rule.threat.technique]] id = "T1201" name = "Password Policy Discovery" reference = "https://attack.mitre.org/techniques/T1201/" [[rule.threat.technique]] id = "T1482" name = "Domain Trust Discovery" reference = "https://attack.mitre.org/techniques/T1482/" [[rule.threat.technique]] id = "T1518" name = "Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/" [[rule.threat.technique.subtechnique]] id = "T1518.001" name = "Security Software Discovery" reference = "https://attack.mitre.org/techniques/T1518/001/" [[rule.threat.technique]] id = "T1615" name = "Group Policy Discovery" reference = "https://attack.mitre.org/techniques/T1615/" [rule.threat.tactic] id = "TA0007" name = "Discovery" reference = "https://attack.mitre.org/tactics/TA0007/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"