
Summary
This rule is designed to detect potentially malicious use of the Get-ADComputer cmdlet within PowerShell, which is employed to collect information about computers within a domain. The cmdlet is typically used for legitimate purposes by system administrators; however, adversaries may leverage this command to explore the network in preparation for further attacks. Indicators of potential misuse include the command being run through either PowerShell or pwsh, particularly when the output is written to a file through redirection or by piping to commands such as Out-File. Legitimate uses by authorized administrators are common and can trigger false positives; therefore it may be necessary to exclude specific users or scripts commonly known to execute such commands.
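The detection logic described above, as an added example run over constructed process-creation events (this is illustrative code, not the rule's own query or any vendor's implementation). It assumes Sysmon/4688-style fields named Image, CommandLine and User, a hypothetical allow-list of service accounts to suppress known-good inventory jobs, and it goes slightly beyond the text by also treating Export-Csv, Set-Content and Add-Content as file sinks alongside Out-File and shell redirection.

```python
import re

# Constructed sample events (not from the original page); fields mimic
# Sysmon Event ID 1 / Windows 4688 process-creation logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -c "Get-ADComputer -Filter * | Out-File C:\\temp\\hosts.txt"',
     "User": "CORP\\jdoe"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh -NoProfile -Command Get-ADComputer -Filter * > computers.csv",
     "User": "CORP\\svc-inventory"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ADComputer -Identity WS01",
     "User": "CORP\\helpdesk"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "User": "CORP\\jdoe"},
]

# Hypothetical allow-list: accounts whose scripted AD inventory jobs are known
# and reviewed, to reduce the false positives the rule description anticipates.
ALLOWED_USERS = {"CORP\\svc-inventory"}

# Both PowerShell hosts named in the rule: Windows PowerShell and pwsh.
HOST_IMAGES = ("powershell.exe", "pwsh.exe")

# A file sink: shell redirection (> or >>) or a pipe into a file-writing cmdlet.
OUTPUT_SINK = re.compile(
    r"(\s>{1,2}\s*\S|\|\s*(Out-File|Export-Csv|Set-Content|Add-Content)\b)",
    re.IGNORECASE,
)


def is_suspicious(event: dict) -> bool:
    """True when Get-ADComputer runs under a PowerShell host, its output is
    persisted to a file, and the user is not on the allow-list."""
    image = event["Image"].lower()
    cmd = event["CommandLine"]
    if not image.endswith(HOST_IMAGES):
        return False
    if "get-adcomputer" not in cmd.lower():
        return False
    if not OUTPUT_SINK.search(cmd):
        return False
    return event["User"] not in ALLOWED_USERS


def evaluate(events: list) -> list:
    """Return the subset of events that should raise an alert."""
    return [e for e in events if is_suspicious(e)]
```

Only the first event alerts: the second is suppressed by the allow-list, the third never writes to a file, and the fourth is not a PowerShell host.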
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Process
Created: 2022-11-10