User Discovery And Export Via Get-ADUser Cmdlet - PowerShell

Rule Info

Name
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
Reference
http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
Date
2022-11-17 00:00:00
Modified
None
Id
c2993223-6da8-4b1a-88ee-668b8bf315e9
Tags
attack.discovery attack.t1033 DEMO
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=c2993223-6da8-4b1a-88ee-668b8bf315e9

Rule History

Author
Title
Date
Commit
frack113
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17
020fc8061
Nasreddine Bencherchali
chore: add nextron authors tag
2023-02-01
7c38a5c49
Nasreddine Bencherchali
feat: updates and enhancements
2023-01-04
711ba956e
Nasreddine Bencherchali
Rule Dev
2022-11-18
20b0a6bad
Nasreddine Bencherchali
fix: update selection
2022-11-17
e4a580f9b
Nasreddine Bencherchali
feat: add another case to the selection
2022-11-17
278808f16
Nasreddine Bencherchali
fix: apply suggestions from code review
2022-11-11
04b7b92b6
Nasreddine Bencherchali
fix: update rules with more cases
2022-11-10
cd871bbc0
frack113
order yaml
2022-10-28
1f8e37351
Florian Roth
Update proc_creation_win_user_discovery_get_aduser.yml
2022-09-10
a053be791
nasreddine.bencherchali@nextron-systems.com
Update proc_creation_win_user_discovery_get_aduser.yml
2022-09-09
c8fc1cf21
nasreddine.bencherchali@nextron-systems.com
Big Update
2022-09-09
70f9ff61c
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022