security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ced93a8d170e80984da789df820e07104f2df9bf
blue-team-tools/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml
T
Nasreddine Bencherchali 598d29f811 Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 
chore: change tags, date, modified fields to comply with v2 of the Sigma spec.
chore: update the related type from `obsoletes` to `obsolete`.
chore: update local json schema to the latest version.
2024-08-12 12:02:50 +02:00

29 lines
1.1 KiB
YAML
Raw Blame History

title: Suspicious Get-ADReplAccount
id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73
status: test
description: |
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
- https://www.powershellgallery.com/packages/DSInternals
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
author: frack113
date: 2022-02-06
tags:
- attack.credential-access
- attack.t1003.006
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- Get-ADReplAccount
- '-All '
- '-Server '
condition: selection
falsepositives:
- Legitimate PowerShell scripts
level: medium
Reference in New Issue View Git Blame Copy Permalink