Active Directory Computers Enumeration With Get-AdComputer
Detects usage of the "Get-AdComputer" cmdlet to enumerate computers or their properties within Active Directory.
Sigma rule
title: Active Directory Computers Enumeration With Get-AdComputer
id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
status: test
description: Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.
references:
    - https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
    - https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md
author: frack113
date: 2022-03-17
modified: 2023-07-08
tags:
    - attack.discovery
    - attack.t1018
    - attack.t1087.002
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_cmdlet:
        ScriptBlockText|contains: 'Get-AdComputer '
    selection_option:
        ScriptBlockText|contains:
            - '-Filter '
            - '-LDAPFilter '
            - '-Properties '
    condition: all of selection_*
falsepositives:
    - Unknown
level: low
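The rule above fires only when both selections hold on one script block: the text contains 'Get-AdComputer ' (note the trailing space) and at least one of the three parameter patterns. The following is an added example, not code from the Sigma project or the rule author, that reimplements that condition in Python and runs it over constructed PowerShell Script Block Logging (event 4104) samples. It assumes Sigma's default case-insensitive `contains` semantics; the event dictionaries and their `ScriptBlockText` values are constructed for illustration.

```python
"""Evaluate the Get-AdComputer Sigma rule's detection logic over sample
script block events. Added example; not part of the Sigma project."""
from typing import Dict, List

# Patterns copied from the rule. The trailing spaces are intentional and
# significant: 'Get-AdComputer|Select' (no space) would not match.
CMDLET_PATTERN = "Get-AdComputer "
OPTION_PATTERNS = ("-Filter ", "-LDAPFilter ", "-Properties ")


def contains_ci(haystack: str, needle: str) -> bool:
    """Sigma's |contains modifier is case-insensitive by default."""
    return needle.lower() in haystack.lower()


def matches_rule(script_block_text: str) -> bool:
    """condition: all of selection_*  (selection_cmdlet AND selection_option)."""
    selection_cmdlet = contains_ci(script_block_text, CMDLET_PATTERN)
    selection_option = any(contains_ci(script_block_text, p) for p in OPTION_PATTERNS)
    return selection_cmdlet and selection_option


# Constructed 4104 events (Script Block Logging must be enabled for these to exist).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4104, "ScriptBlockText": "Get-ADComputer -Filter * -Properties OperatingSystem | Select-Object Name"},
    {"EventID": 4104, "ScriptBlockText": "Get-ADComputer -LDAPFilter '(objectClass=computer)'"},
    {"EventID": 4104, "ScriptBlockText": "Get-ADComputer -Identity SRV01"},            # cmdlet only, no option
    {"EventID": 4104, "ScriptBlockText": "Get-ADUser -Filter * -Properties MemberOf"},  # different cmdlet
    {"EventID": 4104, "ScriptBlockText": "Get-ADComputer -Properties *"},
    {"EventID": 4104, "ScriptBlockText": "Get-ADComputer|Select-Object -Property Name"},  # no trailing space after cmdlet
]


def evaluate(events: List[Dict[str, object]]) -> List[str]:
    """Return the ScriptBlockText of every event the rule would alert on."""
    return [str(e["ScriptBlockText"]) for e in events if matches_rule(str(e["ScriptBlockText"]))]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running it against the constructed samples yields three alerts (the `-Filter`, `-LDAPFilter` and `-Properties *` invocations). The `-Identity SRV01` lookup is a single-object query the rule deliberately ignores, `Get-ADUser` is outside the rule's scope, and the pipeline form with no space after the cmdlet shows the effect of the trailing space in the pattern, which is worth knowing when tuning this rule or judging its coverage.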
Related rules
- PUA - AdFind Suspicious Execution
- Renamed AdFind Execution
- AdFind Discovery
- AD Privileged Users or Groups Reconnaissance
- Active Directory Structure Export Via Csvde.EXE