Techniques
Sample rules
User Discovery And Export Via Get-ADUser Cmdlet
- source: sigma
- techniques:
- t1033
Description
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains:
        - ' > '
        - ' | Select '
        - Out-File
        - Set-Content
        - Add-Content
    CommandLine|contains|all:
        - 'Get-ADUser '
        - ' -Filter \*'
selection_img:
    - Image|endswith:
        - \powershell.exe
        - \pwsh.exe
    - OriginalFileName:
        - PowerShell.EXE
        - pwsh.dll
Computer Discovery And Export Via Get-ADComputer Cmdlet
- source: sigma
- techniques:
- t1033
Description
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Detection logic
condition: all of selection_*
selection_cli:
    CommandLine|contains:
        - ' > '
        - ' | Select '
        - Out-File
        - Set-Content
        - Add-Content
    CommandLine|contains|all:
        - 'Get-ADComputer '
        - ' -Filter \*'
selection_img:
    - Image|endswith:
        - \powershell.exe
        - \pwsh.exe
    - OriginalFileName:
        - PowerShell.EXE
        - pwsh.dll
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
- source: sigma
- techniques:
- t1033
Description
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Detection logic
condition: selection
selection:
    ScriptBlockText|contains:
        - ' | Select '
        - Out-File
        - Set-Content
        - Add-Content
    ScriptBlockText|contains|all:
        - 'Get-ADComputer '
        - ' -Filter \*'
User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
- source: sigma
- techniques:
- t1033
Description
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
Detection logic
condition: selection
selection:
    ScriptBlockText|contains:
        - ' > '
        - ' | Select '
        - Out-File
        - Set-Content
        - Add-Content
    ScriptBlockText|contains|all:
        - 'Get-ADUser '
        - ' -Filter \*'
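All four rules above rely on the same small set of Sigma semantics: a list of values under a `contains` field is OR-ed, `contains|all` requires every value, the keys inside one selection map are AND-ed, a selection written as a list of maps (`selection_img`) is OR-ed, `all of selection_*` AND-s the named selections, string comparison is case-insensitive, and `\*` is an escaped literal asterisk rather than a wildcard. The Python below is an added example, not part of the rule listing or the Sigma project: it implements just those semantics, encodes the four rules as listed (the Get-ADComputer script-block rule is reproduced without `' > '`, as on the page), and runs them over constructed sample events whose field names (`Image`, `OriginalFileName`, `CommandLine`, `ScriptBlockText`) are the ones the rules reference.

```python
# Added example: a minimal evaluator for the four Sigma rules listed above,
# run over constructed sample events. Not part of the rule listing itself.

OUTPUT_MARKERS = [" > ", " | Select ", "Out-File", "Set-Content", "Add-Content"]

def unescape(value):
    # Sigma escaping: '\*' and '\?' are literal wildcards, '\\' a literal backslash;
    # any other backslash (as in '\powershell.exe') is an ordinary character.
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in "*?\\":
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def match_value(haystack, needle, modifier):
    h, n = haystack.lower(), unescape(needle).lower()  # Sigma matching is case-insensitive
    return {"contains": n in h, "endswith": h.endswith(n),
            "startswith": h.startswith(n)}.get(modifier, h == n)  # no modifier: exact match

def match_field(event, spec, values):
    # 'CommandLine|contains|all' -> field CommandLine, modifier contains, every value required
    field, *mods = spec.split("|")
    modifier = next((m for m in mods if m != "all"), "equals")
    actual = event.get(field)
    if actual is None:
        return False
    values = values if isinstance(values, list) else [values]
    hits = [match_value(str(actual), v, modifier) for v in values]
    return all(hits) if "all" in mods else any(hits)

def match_selection(event, selection):
    # A list of maps is OR-ed; the keys inside one map are AND-ed.
    if isinstance(selection, list):
        return any(match_selection(event, s) for s in selection)
    return all(match_field(event, k, v) for k, v in selection.items())

def evaluate(rule, event):
    cond = rule["condition"]
    if cond.startswith("all of "):  # e.g. 'all of selection_*'
        prefix = cond[len("all of "):].rstrip("*")
        names = [n for n in rule if n != "condition" and n.startswith(prefix)]
        return all(match_selection(event, rule[n]) for n in names)
    return match_selection(event, rule[cond])

def proc_creation_rule(cmdlet, markers):
    return {
        "selection_cli": {
            "CommandLine|contains": markers,
            "CommandLine|contains|all": [cmdlet + " ", " -Filter \\*"],
        },
        "selection_img": [
            {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
            {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]},
        ],
        "condition": "all of selection_*",
    }

def script_block_rule(cmdlet, markers):
    return {
        "selection": {
            "ScriptBlockText|contains": markers,
            "ScriptBlockText|contains|all": [cmdlet + " ", " -Filter \\*"],
        },
        "condition": "selection",
    }

RULES = {
    "User Discovery And Export Via Get-ADUser Cmdlet": proc_creation_rule("Get-ADUser", OUTPUT_MARKERS),
    "Computer Discovery And Export Via Get-ADComputer Cmdlet": proc_creation_rule("Get-ADComputer", OUTPUT_MARKERS),
    # the listed script-block rule for Get-ADComputer does not include ' > '
    "Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell": script_block_rule("Get-ADComputer", OUTPUT_MARKERS[1:]),
    "User Discovery And Export Via Get-ADUser Cmdlet - PowerShell": script_block_rule("Get-ADUser", OUTPUT_MARKERS),
}

# Constructed sample events: process-creation fields and a PowerShell script-block field
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -c "Get-ADUser -Filter * -Properties * | Select Name,SamAccountName | Out-File C:\\Users\\Public\\ad_users.txt"'},
    {"Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell.exe -c "Get-ADUser -Identity jdoe"'},  # routine lookup, no export
    {"ScriptBlockText": "Get-ADComputer -Filter * | Select Name,DNSHostName | Set-Content C:\\temp\\hosts.txt"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh -c get-aduser -filter * | out-file users.txt"},  # casing differs from the rule
]

def matching_rules(event):
    # Titles of every rule that fires on the event
    return [title for title, rule in RULES.items() if evaluate(rule, event)]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.get("CommandLine") or ev.get("ScriptBlockText"), "->", matching_rules(ev))
```

Two details matter when these rules are translated to a SIEM backend: `selection_img` is a list of maps, so either the image path or the `OriginalFileName` (which survives a renamed binary) is enough, and the `\*` in `' -Filter \*'` must reach the backend as a literal asterisk; a converter that turns it into a wildcard broadens the rule to any `-Filter` argument and changes what the two `contains|all` terms actually require.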