EXPLORE
Sign In
← Back to Explore
sigmamediumHunting

Suspicious Get-ADReplAccount

The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

MITRE ATT&CK

T1003.006
credential-access

Detection Query

selection:
  ScriptBlockText|contains|all:
    - Get-ADReplAccount
    - "-All "
    - "-Server "
condition: selection

Author

frack113

Created

2022-02-06

Data Sources

windowsps_script

Platforms

windows

References

Tags

attack.credential-accessattack.t1003.006
Raw Content
title: Suspicious Get-ADReplAccount
id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73
status: test
description: |
    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.
    These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
    - https://www.powershellgallery.com/packages/DSInternals
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount
author: frack113
date: 2022-02-06
tags:
    - attack.credential-access
    - attack.t1003.006
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - Get-ADReplAccount
            - '-All '
            - '-Server '
    condition: selection
falsepositives:
    - Legitimate PowerShell scripts
level: medium