← Back to Explore
splunk_escuHunting
GetCurrent User with PowerShell Script Block
The following analytic detects the execution of the `GetCurrent` method from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). This method identifies the current Windows user. The detection leverages PowerShell script block logs to identify when this method is called. This activity is significant because adversaries and Red Teams may use it to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this could allow attackers to map out user accounts and potentially escalate privileges or move laterally within the network.
MITRE ATT&CK
Detection Query
`powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*" ScriptBlockText = "*GetCurrent()*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `getcurrent_user_with_powershell_script_block_filter`Author
Mauricio Velazco, Splunk
Created
2026-02-25
Data Sources
Powershell Script Block Logging 4104
References
Tags
Active Directory Discovery
Raw Content
name: GetCurrent User with PowerShell Script Block
id: 80879283-c30f-44f7-8471-d1381f6d437a
version: 9
date: '2026-02-25'
author: Mauricio Velazco, Splunk
status: production
type: Hunting
description: The following analytic detects the execution of the `GetCurrent` method from the WindowsIdentity .NET class using PowerShell Script Block Logging (EventCode=4104). This method identifies the current Windows user. The detection leverages PowerShell script block logs to identify when this method is called. This activity is significant because adversaries and Red Teams may use it to gain situational awareness and perform Active Directory discovery on compromised endpoints. If confirmed malicious, this could allow attackers to map out user accounts and potentially escalate privileges or move laterally within the network.
data_source:
- Powershell Script Block Logging 4104
search: |-
`powershell` EventCode=4104 ScriptBlockText = "*[System.Security.Principal.WindowsIdentity]*" ScriptBlockText = "*GetCurrent()*"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest signature signature_id
user_id vendor_product EventID
Guid Opcode Name
Path ProcessID ScriptBlockId
ScriptBlockText
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `getcurrent_user_with_powershell_script_block_filter`
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
known_false_positives: Administrators or power users may use this PowerShell commandlet for troubleshooting.
references:
- https://attack.mitre.org/techniques/T1033/
- https://docs.microsoft.com/en-us/dotnet/api/system.security.principal.windowsidentity.getcurrent?view=net-6.0&viewFallbackFrom=net-5.0
tags:
analytic_story:
- Active Directory Discovery
asset_type: Endpoint
mitre_attack_id:
- T1033
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1033/AD_discovery/windows-powershell-xml.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: XmlWinEventLog