Detection: GetDomainGroup with PowerShell Script Block

Updated Date: 2026-05-13 ID: 09725404-a44f-4ed3-9efa-8ed5d69e4c53 Author: Mauricio Velazco, Splunk Type: TTP Product: Splunk Enterprise Security

Description

The following analytic detects the execution of the Get-DomainGroup cmdlet using PowerShell Script Block Logging (EventCode=4104). This cmdlet, part of the PowerView tool, is used to enumerate domain groups within a Windows domain. The detection leverages script block text to identify this specific command. Monitoring this activity is crucial as it may indicate an adversary or Red Team performing reconnaissance to gain situational awareness and map out Active Directory structures. If confirmed malicious, this activity could lead to further exploitation, including privilege escalation and lateral movement within the network.

Search

 1`powershell` EventCode=4104 (ScriptBlockText = "*Get-DomainGroup*")
 2  
 3| fillnull
 4  
 5| stats count min(_time) as firstTime max(_time) as lastTime
 6    BY dest signature signature_id
 7       user_id vendor_product EventID
 8       Guid Opcode Name
 9       Path ProcessID ScriptBlockId
10       ScriptBlockText
11  
12| `security_content_ctime(firstTime)`
13  
14| `security_content_ctime(lastTime)`
15  
16| `getdomaingroup_with_powershell_script_block_filter`

Data Source

Name	Platform	Sourcetype	Source
Powershell Script Block Logging 4104	Windows	`'XmlWinEventLog'`	`'XmlWinEventLog:Microsoft-Windows-PowerShell/Operational'`

Macros Used

Name	Value
security_content_ctime	`convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$)`
getdomaingroup_with_powershell_script_block_filter	`search *`

getdomaingroup_with_powershell_script_block_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1069.002	Domain Groups	Discovery

Exploitation

DE.CM

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Finding (Notable)	Yes
Rule Title	`%name%`
Rule Description	`%description%`
Notable Event Fields	user, dest
Creates Intermediate Finding (Risk Event)	No

TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.

Implementation

To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.

Known False Positives

Administrators or power users may use this PowerView functions for troubleshooting.

Associated Analytic Story

Active Directory Discovery

Finding

Title	Entity Field	Entity Type	Risk Score
Domain group discovery enumeration using PowerView on $dest$ by $user_id$	dest	system	50

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`	`XmlWinEventLog`
Integration	✅ Passing	Dataset	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`	`XmlWinEventLog`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 13