rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml

title: Suspicious Get-ADReplAccount
id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73
status: test
description: |
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
    These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
    - https://www.powershellgallery.com/packages/DSInternals
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
author: frack113
date: 2022-02-06
tags:
    - attack.credential-access
    - attack.t1003.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Get-ADReplAccount
            - '-All '
            - '-Server '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium
$frack113$ add posh_ps_get_adreplaccount 2022-02-06 11:15:00 +01:00			`title: Suspicious Get-ADReplAccount`
			`id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73`
$frack113$ change status to test 2023-01-27 06:48:34 +01:00			`status: test`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`description: \|`
			`The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.`
			`These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.`
$frack113$ add posh_ps_get_adreplaccount 2022-02-06 11:15:00 +01:00			`references:`
			`- https://www.powershellgallery.com/packages/DSInternals`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`author: frack113`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2022-02-06`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.credential-access`
$frack113$ Order yaml field 2022-10-26 09:43:39 +02:00			`- attack.t1003.006`
$frack113$ add posh_ps_get_adreplaccount 2022-02-06 11:15:00 +01:00			`logsource:`
			`product: windows`
			`category: ps_script`
feat: updates and enhancements 2023-01-04 17:49:32 +01:00			`definition: 'Requirements: Script Block Logging must be enabled'`
$frack113$ add posh_ps_get_adreplaccount 2022-02-06 11:15:00 +01:00			`detection:`
			`selection:`
Update Ref+Selection 2022-07-11 14:11:53 +01:00			`ScriptBlockText\|contains\|all:`
$frack113$ add posh_ps_get_adreplaccount 2022-02-06 11:15:00 +01:00			`- Get-ADReplAccount`
			`- '-All '`
			`- '-Server '`
			`condition: selection`
			`falsepositives:`
			`- Legitimate PowerShell scripts`
refactor: increased level to medium 2022-02-06 14:17:38 +01:00			`level: medium`