New

The executive guide to generative AI

Read more

PowerShell Suspicious Discovery Related Windows API Functions

edit

PowerShell Suspicious Discovery Related Windows API Functions

edit

This rule detects the use of discovery-related Windows API functions in PowerShell Scripts. Attackers can use these functions to perform various situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Discovery

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule query

edit
event.category:process and
  powershell.file.script_block_text : (
    NetShareEnum or
    NetWkstaUserEnum or
    NetSessionEnum or
    NetLocalGroupEnum or
    NetLocalGroupGetMembers or
    DsGetSiteName or
    DsEnumerateDomainTrusts or
    WTSEnumerateSessionsEx or
    WTSQuerySessionInformation or
    LsaGetLogonSessionData or
    QueryServiceObjectSecurity
  )

Framework: MITRE ATT&CKTM

On this page

Was this helpful?
Feedback