Detection rules › Splunk
Get ADDefaultDomainPasswordPolicy with Powershell Script Block
The following analytic detects the execution of the Get-ADDefaultDomainPasswordPolicy PowerShell cmdlet, which is used to retrieve the password policy in a Windows domain. This detection leverages PowerShell Script Block Logging (EventCode=4104) to identify the specific command execution. Monitoring this activity is significant as it can indicate an attempt to gather domain policy information, which is often a precursor to further malicious actions. If confirmed malicious, this activity could allow an attacker to understand password policies, aiding in password attacks or further domain enumeration.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Discovery | T1201 Password Policy Discovery |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| PowerShell | 4104 | Creating Scriptblock text (MessageNumber of MessageTotal). |
Stages and Predicates
Stage 1: search
search EventCode=4104 ScriptBlockText="*Get-ADDefaultDomainPasswordPolicy*"
Stage 2: fillnull
fillnull
Stage 3: stats
stats BY dest, signature, signature_id, user_id, vendor_product, EventID, Guid, Opcode, Name, Path, ProcessID, ScriptBlockId, ScriptBlockText
Stage 4: search
search
Stage 5: search
search
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
ScriptBlockText | eq |
|
Neighbors
Broader alternatives (more inclusive than this rule)
These rules match a superset of what this rule catches. They cover the same events plus more. Use them if you want wider coverage and can absorb more false positives.
- Potential PowerShell Obfuscation via Invalid Escape Sequences (drops 2 filters this rule applies)
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (drops 2 filters this rule applies)
- Potential PowerShell Obfuscation via Character Array Reconstruction (drops 2 filters this rule applies)
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (drops 2 filters this rule applies)
- Potential PowerShell Obfuscation via High Numeric Character Proportion (drops 2 filters this rule applies)
- Potential Dynamic IEX Reconstruction via Environment Variables (drops 2 filters this rule applies)
- Dynamic IEX Reconstruction via Method String Access (drops 2 filters this rule applies)
- PowerShell Obfuscation via Negative Index String Reversal (drops 2 filters this rule applies)
- Potential PowerShell Obfuscation via Reverse Keywords (drops 2 filters this rule applies)
- Potential PowerShell Obfuscation via String Concatenation (drops 2 filters this rule applies)
- Potential PowerShell Obfuscation via String Reordering (drops 2 filters this rule applies)
- Potential PowerShell Obfuscation via Special Character Overuse (drops 2 filters this rule applies)
- PowerShell 4104 Hunting (drops 1 filter this rule applies)