Computer Discovery And Export Via Get-ADComputer Cmdlet
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Sigma rule (View on GitHub)
1title: Computer Discovery And Export Via Get-ADComputer Cmdlet
2id: 435e10e4-992a-4281-96f3-38b11106adde
3related:
4 - id: db885529-903f-4c5d-9864-28fe199e6370
5 type: similar
6status: test
7description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
8references:
9 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
10 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
11 - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2022-11-10
14modified: 2022-11-17
15tags:
16 - attack.discovery
17 - attack.t1033
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith:
24 - '\powershell.exe'
25 - '\pwsh.exe'
26 - OriginalFileName:
27 - 'PowerShell.EXE'
28 - 'pwsh.dll'
29 selection_cli:
30 CommandLine|contains|all:
31 - 'Get-ADComputer '
32 - ' -Filter \*'
33 CommandLine|contains:
34 - ' > '
35 - ' | Select '
36 - 'Out-File'
37 - 'Set-Content'
38 - 'Add-Content'
39 condition: all of selection_*
40falsepositives:
41 - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
42level: medium
References
Related rules
- Cisco Discovery
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi Storage Information Discovery Via ESXCLI
- ESXi System Information Discovery Via ESXCLI