Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Sigma rule (View on GitHub)
1title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
2id: db885529-903f-4c5d-9864-28fe199e6370
3related:
4 - id: 435e10e4-992a-4281-96f3-38b11106adde
5 type: similar
6status: test
7description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
8references:
9 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
10 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
11 - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022-11-17
14tags:
15 - attack.discovery
16 - attack.t1033
17logsource:
18 product: windows
19 category: ps_script
20 definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22 selection:
23 ScriptBlockText|contains|all:
24 - 'Get-ADComputer '
25 - ' -Filter \*'
26 ScriptBlockText|contains:
27 - ' | Select '
28 - 'Out-File'
29 - 'Set-Content'
30 - 'Add-Content'
31 condition: selection
32falsepositives:
33 - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
34level: medium
References
Related rules
- Cisco Discovery
- Computer Discovery And Export Via Get-ADComputer Cmdlet
- Enumerate All Information With Whoami.EXE
- Get-ADUser Enumeration Using UserAccountControl Flags
- Group Membership Reconnaissance Via Whoami.EXE