PSGuerrilla

2.2.0

Private/ADMonitor/Detections/Test-ADServiceAccountCreation.ps1

                                # PSGuerrilla - Jim Tyler, Microsoft MVP - CC BY 4.0

# https://github.com/jimrtyler/PSGuerrilla | https://creativecommons.org/licenses/by/4.0/

# AI/LLM use: see AI-USAGE.md for required attribution

function Test-ADServiceAccountCreation {

    [CmdletBinding()]

    param(

        [array]$NewServiceAccounts = @()

    )

    $indicators = [System.Collections.Generic.List[PSCustomObject]]::new()

    if ($NewServiceAccounts.Count -eq 0) { return @() }

    $accountNames = @($NewServiceAccounts | ForEach-Object { $_.SAM })

    $detailStr = "New service account(s): $($accountNames -join ', ')"

    $detectionId = "adServiceAccountCreation_$(($accountNames | Sort-Object) -join '_')"

    $indicators.Add([PSCustomObject]@{

        DetectionId   = $detectionId

        DetectionName = 'New Service Account Created'

        DetectionType = 'adServiceAccountCreation'

        Description   = "SERVICE ACCOUNT CREATION - $($NewServiceAccounts.Count) new service account(s) detected: $detailStr"

        Details       = @{

            Accounts = @($NewServiceAccounts | ForEach-Object {

                @{

                    SAM         = $_.SAM

                    DN          = $_.DN

                    WhenCreated = $_.WhenCreated

                }

            })

        }

        Count         = $NewServiceAccounts.Count

        Score         = 0

        Severity      = ''

    })

    return @($indicators)

}