AD Groups Or Users Enumeration Using PowerShell - PoshModule

Severity: low
Author: frack113
Source: upstream

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

MITRE ATT&CK coverage

Tactic	Techniques
Discovery	`T1069.001` Permission Groups Discovery: Local Groups

Event coverage

Provider	Event ID	Title
PowerShell	4103	Payload Context: ContextInfo User Data: UserData.

Stages and Predicates

Stage 1: `1 of selection_ad_principal`

or:
ContextInfo|contains: get-ADPrincipalGroupMembership
Payload|contains: get-ADPrincipalGroupMembership

Stage 2: `1 of selection_get_aduser`

or:
ContextInfo|contains: '-f '
ContextInfo|contains: '-pr '
ContextInfo|contains: DoesNotRequirePreAuth
ContextInfo|contains: get-aduser
Payload|contains: '-f '
Payload|contains: '-pr '
Payload|contains: DoesNotRequirePreAuth
Payload|contains: get-aduser

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`ContextInfo`	match	`-f` `-pr` `DoesNotRequirePreAuth` `get-ADPrincipalGroupMembership` `get-aduser`
`Payload`	match	`-f` `-pr` `DoesNotRequirePreAuth` `get-ADPrincipalGroupMembership` `get-aduser`