From 62611e0e39f094147e9c6d7540245b5b96ee4b78 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 6 Feb 2022 11:15:00 +0100
Subject: [PATCH 1/2] add posh_ps_get_adreplaccount

---
 .../posh_ps_get_adreplaccount.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml

diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
new file mode 100644
index 000000000..978e75bf6
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
@@ -0,0 +1,28 @@
+title: Suspicious Get-ADReplAccount
+id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73
+status: experimental
+description:
+ The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
+ These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
+date: 2022/02/06
+author: frack113
+references:
+ - https://www.powershellgallery.com/packages/DSInternals
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - Get-ADReplAccount
+ - '-All '
+ - '-Server '
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: low
+tags:
+ - attack.credential_access
+ - attack.t1003.006

From 97dacc4ffc3fd96341c9e65a8fa238bc313bc2f7 Mon Sep 17 00:00:00 2001
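Review bot: The `ScriptBlockText|contains|all` selection requires the literal `-All ` string, so the rule only fires when the script asks to replicate every account; the same cmdlet also has per-account parameter sets (e.g. `-SamAccountName`), and a replication of a single account through it would not match this rule. If that narrower form should be covered, a second selection matching `Get-ADReplAccount` together with `-Server ` alone could be added with `condition: 1 of selection*`, accepting more of the false positives the rule already lists. The `description` describes the DSInternals module in general rather than what the rule detects; I would open it with a sentence such as `Detects the use of the DSInternals Get-ADReplAccount cmdlet to replicate account credentials from a domain controller (T1003.006)`. The trailing space in `'-All '` and `'-Server '` is what stops `-All` from matching longer parameter names, which deserves a one-line comment above the list so nobody "cleans" it away.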
From: Florian Roth
Date: Sun, 6 Feb 2022 14:17:38 +0100
Subject: [PATCH 2/2] refactor: increased level to medium

---
 .../powershell/powershell_script/posh_ps_get_adreplaccount.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
index 978e75bf6..2518b05ed 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
@@ -22,7 +22,7 @@ detection:
 condition: selection
 falsepositives:
 - Legitimate PowerShell scripts
-level: low
+level: medium
 tags:
 - attack.credential_access
 - attack.t1003.006