Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Author: Nasreddine Bencherchali (Nextron Systems)
Created: Thu Nov 17
Rule ID: db885529-903f-4c5d-9864-28fe199e6370
Product: windows
Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)
Definition
Requirements: Script Block Logging must be enabled
Detection Logic

```yaml
detection:
  selection:
    ScriptBlockText|contains|all:
      - 'Get-ADComputer '
      - ' -Filter \*'
    ScriptBlockText|contains:
      - ' | Select '
      - 'Out-File'
      - 'Set-Content'
      - 'Add-Content'
  condition: selection
```

False Positives
Legitimate admin scripts may use the same technique; it is better to exclude the specific computers or users that execute these commands or scripts routinely.
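To see how the selection behaves on real script block text, the following is an added Python evaluation of the rule's two field selectors (the `contains|all` pair ANDed with the `contains` list, case-insensitive as in Sigma) over constructed Script Block Logging events. It is example code written for this page, not part of the rule or the Sigma project; the `UserName` field used for the per-user exclusion suggested above, and all sample events, are assumptions.

```python
# Added example (not part of the Sigma rule or project): evaluates the rule's
# 'selection' against constructed PowerShell Script Block Logging events.
# Assumptions: events are dicts with a ScriptBlockText field (as found in
# Event ID 4104 records) and an assumed UserName field for the tuning exclusion.

# Sigma string matching is case-insensitive. The rule's ' -Filter \*' is an
# escaped wildcard, i.e. the literal text ' -Filter *'.
ALL_OF = ("Get-ADComputer ", " -Filter *")                        # contains|all
ANY_OF = (" | Select ", "Out-File", "Set-Content", "Add-Content")  # contains (any)


def matches_selection(script_block_text: str) -> bool:
    """True when both field selectors of 'selection' match (they are ANDed)."""
    text = script_block_text.lower()
    return all(p.lower() in text for p in ALL_OF) and any(p.lower() in text for p in ANY_OF)


def evaluate(events, excluded_users=frozenset()):
    """Return the events that trigger the rule, skipping an allow-list of
    accounts (the per-user exclusion suggested under False Positives)."""
    excluded = {u.lower() for u in excluded_users}
    return [
        ev for ev in events
        if ev.get("UserName", "").lower() not in excluded
        and matches_selection(ev.get("ScriptBlockText", ""))
    ]


# Constructed sample events; none of this is real log data.
SAMPLE_EVENTS = [
    {"UserName": "CORP\\jdoe",
     "ScriptBlockText": "Get-ADComputer -Filter * | Select Name | Out-File C:\\temp\\computers.txt"},
    {"UserName": "CORP\\svc_inventory",   # mixed case still matches
     "ScriptBlockText": "get-adcomputer -filter * -Properties OperatingSystem | set-content hosts.txt"},
    {"UserName": "CORP\\jdoe",            # single host lookup: no ' -Filter *'
     "ScriptBlockText": "Get-ADComputer -Identity WS01 | Out-File ws01.txt"},
    {"UserName": "CORP\\jdoe",            # scoped filter, not the wildcard
     "ScriptBlockText": "Get-ADComputer -Filter 'Name -like \"WS*\"' | Out-File ws.txt"},
    {"UserName": "CORP\\jdoe",            # ' | Select ' alone satisfies the second selector
     "ScriptBlockText": "Get-ADComputer -Filter * | Select Name"},
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_EVENTS):
        print("HIT", ev["UserName"], "::", ev["ScriptBlockText"])
    print("after excluding svc_inventory:",
          len(evaluate(SAMPLE_EVENTS, excluded_users={"CORP\\svc_inventory"})), "hits")
```

Two things the run makes visible: a scoped `-Filter 'Name -like ...'` does not fire because the selector requires the literal `-Filter *`, and `| Select` on its own satisfies the second selector, so an enumeration that is only piped to `Select` (with no `Out-File`, `Set-Content` or `Add-Content`) still triggers the rule; the allow-list models the exclusion the False Positives note recommends.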
MITRE ATT&CK
Tactics: Discovery (attack.discovery)
Techniques: T1033 System Owner/User Discovery (attack.t1033)
Rule Metadata
Rule ID: db885529-903f-4c5d-9864-28fe199e6370
Status: test
Level: medium
Type: Detection
Created: Thu Nov 17
Path: rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
Raw Tags: attack.discovery, attack.t1033