fix: FPs found in different environments

2023-04-20 09:45:47 +02:00
parent 689ef52c66
commit 7f056da95b
5 changed files with 48 additions and 8 deletions
@@ -12,7 +12,7 @@ references:
    - https://adsecurity.org/?p=2277
 author: Bhabesh Raj
 date: 2021/05/18
-modified: 2023/02/06
+modified: 2023/04/20
 tags:
    - attack.execution
    - attack.t1059.001
@@ -51,7 +51,27 @@ detection:
            - 'Get-DFSshare'
            - 'Get-DNSRecord'
            - 'Get-DNSZone'
-            - 'Get-Domain' # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO...etc.
+            # - 'Get-Domain'  # too many FPs  # Covers Cmdlets like: DomainComputer, DomainController, DomainDFSShare, DomainDNSRecord, DomainGPO, etc.
+            - 'Get-DomainComputer'
+            - 'Get-DomainController'
+            - 'Get-DomainDFSShare'
+            - 'Get-DomainDNSRecord'
+            - 'Get-DomainDNSZone'
+            - 'Get-DomainFileServer'
+            - 'Get-DomainGPO'  # Covers also: Get-DomainGPOComputerLocalGroupMapping, Get-DomainGPOLocalGroup, Get-DomainGPOUserLocalGroupMapping
+            - 'Get-DomainGroup'
+            - 'Get-DomainGroupMember'
+            - 'Get-DomainManagedSecurityGroup'
+            - 'Get-DomainObject'
+            - 'Get-DomainObjectAcl'
+            - 'Get-DomainOU'
+            - 'Get-DomainPolicy'
+            - 'Get-DomainSID'
+            - 'Get-DomainSite'
+            - 'Get-DomainSPNTicket'
+            - 'Get-DomainSubnet'
+            - 'Get-DomainUser'
+            - 'Get-DomainUserEvent'
            - 'Get-Forest' # Covers: Get-ForestDomain, Get-ForestGlobalCatalog, Get-ForestTrust
            - 'Get-IPAddress'
            - 'Get-LastLoggedOn'