Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell

title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
id: db885529-903f-4c5d-9864-28fe199e6370
related:
    - id: 435e10e4-992a-4281-96f3-38b11106adde
      type: similar
status: test
description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
    - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-11-17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-ADComputer '
            - ' -Filter \*'
        ScriptBlockText|contains:
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: selection
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium