EXPLORE
Sign In
← Back to Explore
splunk_escuHunting

Get ADUser with PowerShell Script Block

The following analytic detects the execution of the `Get-AdUser` PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is executed with a filter. This activity is significant as it may indicate an attempt by adversaries or Red Teams to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance and potential exploitation of user accounts within the domain.

MITRE ATT&CK

T1087.002

Detection Query

`powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBlockText = "*-filter*"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `get_aduser_with_powershell_script_block_filter`

Author

Teoderick Contreras, Mauricio Velazco, Splunk

Created

2026-02-25

Data Sources

Powershell Script Block Logging 4104

References

Tags

Active Directory DiscoveryCISA AA23-347A
Raw Content
name: Get ADUser with PowerShell Script Block
id: 21432e40-04f4-11ec-b7e6-acde48001122
version: 9
date: '2026-02-25'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: Hunting
description: The following analytic detects the execution of the `Get-AdUser` PowerShell cmdlet, which is used to enumerate all domain users. It leverages PowerShell Script Block Logging (EventCode=4104) to identify instances where this command is executed with a filter. This activity is significant as it may indicate an attempt by adversaries or Red Teams to gather information about domain users for situational awareness and Active Directory discovery. If confirmed malicious, this behavior could lead to further reconnaissance and potential exploitation of user accounts within the domain.
data_source:
    - Powershell Script Block Logging 4104
search: |-
    `powershell` EventCode=4104 ScriptBlockText = "*get-aduser*" ScriptBlockText = "*-filter*"
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest signature signature_id
           user_id vendor_product EventID
           Guid Opcode Name
           Path ProcessID ScriptBlockId
           ScriptBlockText
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `get_aduser_with_powershell_script_block_filter`
how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: Administrators or power users may use this command for troubleshooting.
references:
    - https://www.blackhillsinfosec.com/red-blue-purple/
    - https://attack.mitre.org/techniques/T1087/002/
    - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduser?view=windowsserver2019-ps
tags:
    analytic_story:
        - Active Directory Discovery
        - CISA AA23-347A
    asset_type: Endpoint
    mitre_attack_id:
        - T1087.002
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1087.002/AD_discovery/aduser_powershell.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog