2022-02-12 15:53:13 +01:00
|
|
|
title: DirectorySearcher Powershell Exploitation
|
|
|
|
|
id: 1f6399cf-2c80-4924-ace1-6fcff3393480
|
2023-01-27 06:48:34 +01:00
|
|
|
status: test
|
2022-02-12 15:53:13 +01:00
|
|
|
description: Enumerates Active Directory to determine computers that are joined to the domain
|
|
|
|
|
references:
|
2022-07-11 14:11:53 +01:00
|
|
|
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher
|
2022-02-12 15:53:13 +01:00
|
|
|
author: frack113
|
2024-08-12 12:02:50 +02:00
|
|
|
date: 2022-02-12
|
2022-10-26 09:43:39 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.discovery
|
|
|
|
|
- attack.t1018
|
2022-02-12 15:53:13 +01:00
|
|
|
logsource:
|
|
|
|
|
product: windows
|
|
|
|
|
category: ps_script
|
2023-01-04 17:49:32 +01:00
|
|
|
definition: 'Requirements: Script Block Logging must be enabled'
|
2022-02-12 15:53:13 +01:00
|
|
|
detection:
|
2022-07-11 14:11:53 +01:00
|
|
|
selection:
|
|
|
|
|
ScriptBlockText|contains|all:
|
|
|
|
|
- 'New-Object '
|
|
|
|
|
- 'System.DirectoryServices.DirectorySearcher'
|
|
|
|
|
- '.PropertiesToLoad.Add'
|
|
|
|
|
- '.findall()'
|
|
|
|
|
- 'Properties.name'
|
|
|
|
|
condition: selection
|
2022-02-12 15:53:13 +01:00
|
|
|
falsepositives:
|
|
|
|
|
- Unknown
|
|
|
|
|
level: medium
|
