A newer version is available. For the latest information, see the
current release documentation.
PowerShell Suspicious Discovery Related Windows API Functions
editPowerShell Suspicious Discovery Related Windows API Functions
editThis rule detects the use of discovery-related Windows API Functions in Powershell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.,
Rule type: query
Rule indices:
- winlogbeat-*
- logs-windows.*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Discovery
Version: 1
Added (Elastic Stack release): 7.16.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editLegitimate Powershell Scripts that make use of these Functions
Rule query
editevent.code:"4104" and powershell.file.script_block_text : ( NetShareEnum or NetWkstaUserEnum or NetSessionEnum or NetLocalGroupEnum or NetLocalGroupGetMembers or DsGetSiteName or DsEnumerateDomainTrusts or WTSEnumerateSessionsEx or WTSQuerySessionInformation or LsaGetLogonSessionData or QueryServiceObjectSecurity )
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: Network Share Discovery
- ID: T1135
- Reference URL: https://attack.mitre.org/techniques/T1135/
-
Tactic:
- Name: Execution
- ID: TA0002
- Reference URL: https://attack.mitre.org/tactics/TA0002/
-
Technique:
- Name: Command and Scripting Interpreter
- ID: T1059
- Reference URL: https://attack.mitre.org/techniques/T1059/