PowerShell ADRecon Execution

About the rule

Rule Type

Standard

Rule Description

ADRecon is a tool used for Active Directory Reconnaissance that helps gather information about the state of AD within a network. It has been observed that the FIN7 APT group has predominantly used this tool to scan AD environments before launching their attacks. This rule detects the execution of ADRecon.ps1 and flags AD enumeration attempts.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Execution → PowerShell script execution → Discovery → Account Discovery

Impact

• Account abuse
• Privilege escalation
• Data tampering

Rule Requirement

Prerequisites

Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".

(((( SCRIPTEXECUTED CONTAINS ""function get-adrexcelcomob"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-adrgpo"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-adrdomaincontroller"" ) OR ( SCRIPTEXECUTED CONTAINS ""adrecon-report.xlsx"" ) )))

This rule is triggered when the executed script contains the following suspicious elements:

• function get-adrexcelcomob: Refers to a function used to generate an Excel report involving AD.
• get-adrgpo: A command used to retrieve AD GPOs.
• get-adrdomaincontroller: A command used to retrieve information about domain controllers.
• adrecon-report.xlsx: An Excel file containing Active Directory reconnaissance data.

Criteria

Detection

Execution Mode

realtime

Log Sources

Active Directory

MITRE ATT&CK

Execution: Command and Scripting Interpreter - PowerShell (T1059.001)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.

When this rule is triggered, you're notified of a PowerShell script execution involving ADRecon. This enables you to monitor runtime environments like PowerShell, detect attempts to enumerate AD, and identify potential threats to AD.

Author

Bhabesh Raj

Future actions

Known False Positives

This rule might be triggered when red teams use the ADRecon tool to obtain information about the state of AD within a network.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Audit PowerShell activities: Continuously monitor PowerShell executions, restrict script execution privileges to administrators only, and disable PowerShell on devices where it is not required.

Mitigation