User Discovery And Export Via Get-ADUser Cmdlet - PowerShell

 1title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
 2id: c2993223-6da8-4b1a-88ee-668b8bf315e9
 3related:
 4    - id: 1114e048-b69c-4f41-bc20-657245ae6e3f
 5      type: similar
 6status: test
 7description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
 8references:
 9    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
10    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022/11/17
13tags:
14    - attack.discovery
15    - attack.t1033
16logsource:
17    product: windows
18    category: ps_script
19    definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21    selection:
22        ScriptBlockText|contains|all:
23            - 'Get-ADUser '
24            - ' -Filter \*'
25        ScriptBlockText|contains:
26            - ' > '
27            - ' | Select '
28            - 'Out-File'
29            - 'Set-Content'
30            - 'Add-Content'
31    condition: selection
32falsepositives:
33    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
34level: medium

References

• Lazarus and the tale of three RATs

  

  Cisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group.

  
  Read More

• https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/

  
  Read More

Related rules

• Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
• Suspicious PowerShell Get Current User
• ESXi Network Configuration Discovery Via ESXCLI
• ESXi Storage Information Discovery Via ESXCLI
• ESXi System Information Discovery Via ESXCLI