Computer Discovery And Export Via Get-ADComputer Cmdlet

calendar Aug 12, 2024 · attack.discovery attack.t1033  ·
Share on: linkedin copy

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Sigma rule (View on GitHub)

 1title: Computer Discovery And Export Via Get-ADComputer Cmdlet
 2id: 435e10e4-992a-4281-96f3-38b11106adde
 3related:
 4    - id: db885529-903f-4c5d-9864-28fe199e6370
 5      type: similar
 6status: test
 7description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
 8references:
 9    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
10    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
11    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022-11-10
14modified: 2022-11-17
15tags:
16    - attack.discovery
17    - attack.t1033
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_img:
23        - Image|endswith:
24              - '\powershell.exe'
25              - '\pwsh.exe'
26        - OriginalFileName:
27              - 'PowerShell.EXE'
28              - 'pwsh.dll'
29    selection_cli:
30        CommandLine|contains|all:
31            - 'Get-ADComputer '
32            - ' -Filter \*'
33        CommandLine|contains:
34            - ' > '
35            - ' | Select '
36            - 'Out-File'
37            - 'Set-Content'
38            - 'Add-Content'
39    condition: all of selection_*
40falsepositives:
41    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
42level: medium

References

  • Lazarus and the tale of three RATs

    Cisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group.


    Read More

  • Defenders beware: A case for post-ransomware investigations | Microsoft Security Blog

    The Microsoft Detection and Response Team (DART) details a recent ransomware incident in which the attacker used a collection of commodity tools and techniques, such as using living-off-the-land binaries, to launch their malicious code.


    Read More

  • %PDF-1.6 %âãÏÓ 945 0 obj endobj 977 0 obj /Filter/FlateDecode/ID[ ]/Index[945 59]/Info 944 0 R/Length 145/Prev 548662/Root 946 0 R/Size 1004/Type/XRef/W[1 3 1]>>stream hÞbbd```b``ù "¦ƒH¦³ ’­D27€...


    Read More

Related rules

to-top