User Discovery And Export Via Get-ADUser Cmdlet
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
Sigma rule (View on GitHub)
1title: User Discovery And Export Via Get-ADUser Cmdlet
2id: 1114e048-b69c-4f41-bc20-657245ae6e3f
3related:
4 - id: c2993223-6da8-4b1a-88ee-668b8bf315e9
5 type: similar
6status: test
7description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
8references:
9 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
10 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2022/09/09
13modified: 2022/11/17
14tags:
15 - attack.discovery
16 - attack.t1033
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection_img:
22 - Image|endswith:
23 - '\powershell.exe'
24 - '\pwsh.exe'
25 - OriginalFileName:
26 - 'PowerShell.EXE'
27 - 'pwsh.dll'
28 selection_cli:
29 CommandLine|contains|all:
30 - 'Get-ADUser '
31 - ' -Filter \*'
32 CommandLine|contains:
33 - ' > '
34 - ' | Select '
35 - 'Out-File'
36 - 'Set-Content'
37 - 'Add-Content'
38 condition: all of selection_*
39falsepositives:
40 - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
41level: medium
References
-
Cisco Talos assesses with high confidence these attacks have been conducted by the North Korean state-sponsored threat actor Lazarus Group.
Read More
Related rules
- Computer Discovery And Export Via Get-ADComputer Cmdlet
- Get-ADUser Enumeration Using UserAccountControl Flags
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
- Suspicious PowerShell Get Current User
- User Discovery And Export Via Get-ADUser Cmdlet - PowerShell