posh_ps_user_discovery_get_aduser.yml

title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
id: c2993223-6da8-4b1a-88ee-668b8bf315e9
related:
    - id: 1114e048-b69c-4f41-bc20-657245ae6e3f
      type: similar
status: test
description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
references:
    - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
    - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/11/17
tags:
    - attack.discovery
    - attack.t1033
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-ADUser '
            - ' -Filter \*'
        ScriptBlockText|contains:
            - ' > '
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: selection
falsepositives:
    - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
level: medium