rules/windows/powershell/powershell_script/posh_ps_adrecon_execution.yml

title: PowerShell ADRecon Execution
id: bf72941a-cba0-41ea-b18c-9aca3925690d
status: test
description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7
references:
    - https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1
    - https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319
author: Bhabesh Raj
date: 2021-07-16
modified: 2022-09-06
tags:
    - attack.discovery
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Function Get-ADRExcelComOb'
            - 'Get-ADRGPO'
            - 'Get-ADRDomainController'
            - 'ADRecon-Report.xlsx' # Default
    condition: selection
falsepositives:
    - Unknown
level: high
Added rule for ADRecon execution 2021-07-16 12:58:47 +05:45			`title: PowerShell ADRecon Execution`
			`id: bf72941a-cba0-41ea-b18c-9aca3925690d`
$frack113$ Merge PR #4479 From @frack113 - Upgrade Rules Status 2023-10-17 14:35:26 +02:00			`status: test`
Update posh_ps_adrecon_execution.yml 2022-09-06 17:19:46 +02:00			`description: Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7`
Added rule for ADRecon execution 2021-07-16 12:58:47 +05:45			`references:`
Update posh_ps_adrecon_execution.yml 2022-09-06 17:19:46 +02:00			`- https://github.com/sense-of-security/ADRecon/blob/11881a24e9c8b207f31b56846809ce1fb189bcc9/ADRecon.ps1`
Added rule for ADRecon execution 2021-07-16 12:58:47 +05:45			`- https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`author: Bhabesh Raj`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2021-07-16`
			`modified: 2022-09-06`
Added rule for ADRecon execution 2021-07-16 12:58:47 +05:45			`tags:`
			`- attack.discovery`
			`- attack.execution`
			`- attack.t1059.001`
			`logsource:`
			`product: windows`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`category: ps_script`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`definition: 'Requirements: Script Block Logging must be enabled'`
Added rule for ADRecon execution 2021-07-16 12:58:47 +05:45			`detection:`
			`selection:`
			`ScriptBlockText\|contains:`
			`- 'Function Get-ADRExcelComOb'`
Update posh_ps_adrecon_execution.yml 2022-09-06 17:19:46 +02:00			`- 'Get-ADRGPO'`
			`- 'Get-ADRDomainController'`
Merge PR #4482 From @nasbench - Add New Automation Workflows 2023-10-18 11:53:44 +02:00			`- 'ADRecon-Report.xlsx' # Default`
Added rule for ADRecon execution 2021-07-16 12:58:47 +05:45			`condition: selection`
			`falsepositives:`
			`- Unknown`
increased level 2021-07-17 09:50:11 +02:00			`level: high`