IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
PowerShell Suspicious Discovery Related Windows API Functions
editPowerShell Suspicious Discovery Related Windows API Functions
editThis rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.
Rule type: query
Rule indices:
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Discovery
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editevent.category:process and powershell.file.script_block_text : ( NetShareEnum or NetWkstaUserEnum or NetSessionEnum or NetLocalGroupEnum or NetLocalGroupGetMembers or DsGetSiteName or DsEnumerateDomainTrusts or WTSEnumerateSessionsEx or WTSQuerySessionInformation or LsaGetLogonSessionData or QueryServiceObjectSecurity )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: Network Share Discovery
- ID: T1135
- Reference URL: https://attack.mitre.org/techniques/T1135/
-
Technique:
- Name: Permission Groups Discovery
- ID: T1069
- Reference URL: https://attack.mitre.org/techniques/T1069/
-
Sub-technique:
- Name: Local Groups
- ID: T1069.001
- Reference URL: https://attack.mitre.org/techniques/T1069/001/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/
-
Sub-technique:
- Name: PowerShell
- ID: T1059.001
- Reference URL: https://attack.mitre.org/techniques/T1059/001/
-
Technique:
- Name: Native API
- ID: T1106
- Reference URL: https://attack.mitre.org/techniques/T1106/