User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Thu Nov 17
Rule ID: c2993223-6da8-4b1a-88ee-668b8bf315e9
Product: windows
Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)
Definition
Requirements: Script Block Logging must be enabled
Detection Logic (1 selector)
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'Get-ADUser '
            - ' -Filter \*'
        ScriptBlockText|contains:
            - ' > '
            - ' | Select '
            - 'Out-File'
            - 'Set-Content'
            - 'Add-Content'
    condition: selection
False Positives
Legitimate admin scripts may use the same technique; it is better to exclude the specific computers or users that execute these commands or scripts often.
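To check what the selector above actually fires on, and to apply the per-computer or per-user exclusion the False Positives note recommends, here is an added Python re-implementation of this rule's matching logic (it is not code from the Sigma project or from the rule's author). It honours Sigma's `\*` escape, so ' -Filter \*' matches a literal asterisk, and Sigma's case-insensitive string matching; the sample events, the exclusion lists and the Computer and User field names are constructed for illustration.

```python
import re

# Selection copied from the Sigma rule above: all CONTAINS_ALL plus any CONTAINS_ANY.
CONTAINS_ALL = ["Get-ADUser ", " -Filter \\*"]
CONTAINS_ANY = [" > ", " | Select ", "Out-File", "Set-Content", "Add-Content"]

# Hypothetical exclusion lists, per the rule's false-positive note (constructed values).
EXCLUDED_COMPUTERS = {"ADMIN-JUMP01"}
EXCLUDED_USERS = {"CORP\\svc-hr-export"}

def sigma_contains_regex(pattern: str):
    """Sigma 'contains' value to regex: unescaped '*' is a wildcard, '\\*' is a
    literal asterisk (as in ' -Filter \\*' above); matching is case-insensitive."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*\\":
            parts.append(re.escape(pattern[i + 1]))
            i += 2
        elif pattern[i] == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def selection_matches(script_block_text: str) -> bool:
    """Evaluate the rule's single selector against one ScriptBlockText value."""
    hit = lambda p: sigma_contains_regex(p).search(script_block_text) is not None
    return all(hit(p) for p in CONTAINS_ALL) and any(hit(p) for p in CONTAINS_ANY)

def evaluate(event: dict) -> str:
    """Classify one PowerShell 4104 record as 'alert', 'excluded' or 'no-match'."""
    if not selection_matches(event["ScriptBlockText"]):
        return "no-match"
    if event.get("Computer") in EXCLUDED_COMPUTERS or event.get("User") in EXCLUDED_USERS:
        return "excluded"
    return "alert"

# Constructed sample events; Computer and User values are illustrative.
SAMPLE_EVENTS = [
    {"Computer": "WS-0042", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADUser -Filter * -Properties * | Select Name,Mail | Out-File C:\\temp\\u.txt"},
    {"Computer": "ADMIN-JUMP01", "User": "CORP\\admin1",
     "ScriptBlockText": "Get-ADUser -Filter * | Select SamAccountName > users.csv"},
    {"Computer": "WS-0042", "User": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADUser -Identity jdoe -Properties MemberOf"},
]
RESULTS = [evaluate(ev) for ev in SAMPLE_EVENTS]  # ['alert', 'excluded', 'no-match']
```

The third sample shows the rule's intended blind spot: a single-user lookup without `-Filter *` and without an output redirection does not match, which keeps routine queries out of the alert stream.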
MITRE ATT&CK
Tactics: Discovery (attack.discovery)
Techniques: T1033 System Owner/User Discovery (attack.t1033)
Rule Metadata
Rule ID: c2993223-6da8-4b1a-88ee-668b8bf315e9
Status: test
Level: medium
Type: Detection
Created: Thu Nov 17
Path: rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
Raw Tags: attack.discovery, attack.t1033