User Discovery And Export Via Get-ADUser Cmdlet

calendar Aug 12, 2024 · attack.discovery attack.t1033  ·
Share on: linkedin copy

Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file

Sigma rule (View on GitHub)

 1title: User Discovery And Export Via Get-ADUser Cmdlet
 2id: 1114e048-b69c-4f41-bc20-657245ae6e3f
 3related:
 4    - id: c2993223-6da8-4b1a-88ee-668b8bf315e9
 5      type: similar
 6status: test
 7description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
 8references:
 9    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
10    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022-09-09
13modified: 2022-11-17
14tags:
15    - attack.discovery
16    - attack.t1033
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith:
23              - '\powershell.exe'
24              - '\pwsh.exe'
25        - OriginalFileName:
26              - 'PowerShell.EXE'
27              - 'pwsh.dll'
28    selection_cli:
29        CommandLine|contains|all:
30            - 'Get-ADUser '
31            - ' -Filter \*'
32        CommandLine|contains:
33            - ' > '
34            - ' | Select '
35            - 'Out-File'
36            - 'Set-Content'
37            - 'Add-Content'
38    condition: all of selection_*
39falsepositives:
40    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
41level: medium

References

Related rules

to-top