Get ADUserResultantPasswordPolicy with Powershell Script Block

name: Get ADUserResultantPasswordPolicy with Powershell Script Block
id: 737e1eb0-065a-11ec-921a-acde48001122
version: 10
date: '2026-03-10'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
type: TTP
description: The following analytic detects the execution of the `Get-ADUserResultantPasswordPolicy` PowerShell cmdlet, which is used to obtain the password policy in a Windows domain. It leverages PowerShell Script Block Logging (EventCode=4104) to identify this activity. Monitoring this behavior is significant as it may indicate an attempt to enumerate domain policies, a common tactic used by adversaries for situational awareness and Active Directory discovery. If confirmed malicious, this activity could allow attackers to understand password policies, aiding in further attacks such as password guessing or policy exploitation.
data_source:
    - Powershell Script Block Logging 4104
search: |-
    `powershell` EventCode=4104 ScriptBlockText="*Get-ADUserResultantPasswordPolicy*"
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest signature signature_id
           user_id vendor_product EventID
           Guid Opcode Name
           Path ProcessID ScriptBlockId
           ScriptBlockText
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `get_aduserresultantpasswordpolicy_with_powershell_script_block_filter`
how_to_implement: The following Hunting analytic requires PowerShell operational logs to be imported. Modify the powershell macro as needed to match the sourcetype or add index. This analytic is specific to 4104, or PowerShell Script Block Logging.
known_false_positives: Administrators or power users may use this command for troubleshooting.
references:
    - https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
    - https://attack.mitre.org/techniques/T1201/
    - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-aduserresultantpasswordpolicy?view=windowsserver2019-ps
drilldown_searches:
    - name: View the detection results for - "$dest$" and "$user_id$"
      search: '%original_detection_search% | search  dest = "$dest$" user_id = "$user_id$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$" and "$user_id$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user_id$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: powershell process having commandline to query domain user password policy detected on host - $dest$.
    risk_objects:
        - field: dest
          type: system
          score: 50
        - field: user_id
          type: user
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Active Directory Discovery
        - CISA AA23-347A
    asset_type: Endpoint
    mitre_attack_id:
        - T1201
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/sbl_xml.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog