topic Re: AD Enumeration Powershell in Cortex XDR Discussions

AD Enumeration Powershell

tlmarques — Wed, 26 Mar 2025 12:30:48 GMT

Hi everyone,

I need your help to understand whether it's possible to see which commands users are running in PowerShell—for example, Active Directory enumeration.

I know that Cortex blocks malicious scripts like dumpcreds and BloodHound, but my question is: how can I receive an alert or monitor the execution of commands like "Get-ADUser *" or "Get-ADDomainController" in XQL?

Re: AD Enumeration Powershell

aspatil — Wed, 26 Mar 2025 14:52:05 GMT

Hello @tlmarques ,

You can use below query as a sample and Create BIOC.

dataset = xdr_data
| filter event_type = ENUM.PROCESS
| filter event_sub_type = ENUM.PROCESS_START
| filter actor_process_image_name = "powershell.exe"
| filter actor_process_command_line contains "Get-ADUser"
or actor_process_command_line contains "Get-ADDomainController"
or actor_process_command_line contains "Get-ADComputer"
or actor_process_command_line contains "Get-ADGroup"
| fields _time, agent_hostname, actor_effective_username, actor_process_command_line
| sort desc _time

Once BIOC is created, based on the alert name you can configure the notification.

Please ensure PowerShell Logging in Windows: Ensure PowerShell Script Block Logging is enabled via Group Policy (Event ID 4104 in Windows Event Logs). This will improve visibility.

Cortex XDR Analytics: You can also leverage Behavioral Analytics for abnormal PowerShell usage patterns.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

Re: AD Enumeration Powershell

tlmarques — Wed, 26 Mar 2025 18:18:48 GMT

@aspatil It's required enable the "powershell logging in windows"??

Re: AD Enumeration Powershell

aspatil — Thu, 27 Mar 2025 05:21:52 GMT

Yes, it ensures that we have the required visibility.