Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell

calendar Oct 17, 2023 · attack.discovery attack.t1033  ·
Share on: linkedin copy

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Sigma rule (View on GitHub)

 1title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
 2id: db885529-903f-4c5d-9864-28fe199e6370
 3related:
 4    - id: 435e10e4-992a-4281-96f3-38b11106adde
 5      type: similar
 6status: test
 7description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
 8references:
 9    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
10    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
11    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022/11/17
14tags:
15    - attack.discovery
16    - attack.t1033
17logsource:
18    product: windows
19    category: ps_script
20    definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22    selection:
23        ScriptBlockText|contains|all:
24            - 'Get-ADComputer '
25            - ' -Filter \*'
26        ScriptBlockText|contains:
27            - ' | Select '
28            - 'Out-File'
29            - 'Set-Content'
30            - 'Add-Content'
31    condition: selection
32falsepositives:
33    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
34level: medium

References

Related rules

to-top