PowerShell Get-DomainPolicy Usage for Reconnaissance
Adversaries use the PowerShell `Get-DomainPolicy` commandlet to enumerate domain password policies for situational awareness and Active Directory discovery, logged via PowerShell Script Block Logging.
Attackers and red teams use PowerShell to enumerate domain policies for situational awareness and Active Directory discovery. This involves using the Get-DomainPolicy commandlet to obtain password policies. This command is logged when PowerShell Script Block Logging (EventCode=4104) is enabled. Identifying this command's execution can help detect reconnaissance activities within a Windows domain. The activity is useful for attackers to understand password complexity requirements and other domain security settings. The scope is limited to systems where PowerShell Script Block Logging is enabled, typically within organizations that prioritize security monitoring.
Attack Chain
- An attacker gains initial access to a compromised host within the target network.
- The attacker executes PowerShell with the intention of gathering domain information.
- The attacker uses the
Get-DomainPolicycommandlet to query the current domain password policy. - PowerShell Script Block Logging captures the execution of the
Get-DomainPolicycommand (EventCode 4104). - The attacker parses the output of the command to understand password complexity, account lockout thresholds, and other security settings.
- The attacker uses the gathered information to refine subsequent attack strategies, such as password spraying or brute-force attacks.
- The attacker leverages the discovered information to escalate privileges or move laterally within the domain.
Impact
Successful execution allows attackers to understand the domain's password policies, aiding in privilege escalation and lateral movement. It serves as a reconnaissance step, often preceding more damaging activities. If successful, attackers can craft more effective attacks tailored to bypass existing security measures. While no specific number of victims is mentioned, any organization using Active Directory is potentially at risk.
Recommendation
- Enable PowerShell Script Block Logging (EventCode 4104) on all endpoints to capture the execution of PowerShell commands, which is required for the provided detections.
- Deploy the Sigma rule
Detect Get-DomainPolicy with Powershell Script Blockto identify instances of theGet-DomainPolicycommandlet being used. - Investigate any detected instances of
Get-DomainPolicyexecution, especially those originating from unusual or unauthorized systems based on the logs.
Detection coverage 2
Detect Get-DomainPolicy with Powershell Script Block
mediumDetects the execution of the Get-DomainPolicy commandlet within PowerShell script block logs, indicating potential Active Directory discovery.
Detect Get-DomainPolicy with Powershell Script Block Logging
mediumDetects the execution of Get-DomainPolicy using Powershell Script Block Logging (EventCode=4104)
Detection queries are available on the platform. Get full rules →