
Summary
This detection rule identifies invocation of the "Get-AdComputer" PowerShell cmdlet, commonly used to enumerate computer accounts and their properties in Active Directory environments. It looks for script block log entries in which the cmdlet appears and checks for additional parameters that indicate the nature of the request, such as filters or properties. Such commands are benign in routine administrative tasks but can also indicate reconnaissance during an attack, so the rule's primary purpose is to surface unnecessary enumeration of systems, which often precedes malicious activity. Organizations should ensure that script block logging is enabled so that these events are captured and can be detected when an actor attempts to gather information about the environment. The rule contributes to a broader security strategy of monitoring and mitigating the risks associated with unauthorized or excessive data gathering within Active Directory structures.
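The matching logic described above, written out as an added example that is not the rule's own code: it scans constructed script block log events (PowerShell Event ID 4104 shape, simplified to two fields) for the cmdlet and for the enumeration-style parameters the summary mentions. The event dictionary layout, the sample entries and the choice of `-Filter`, `-LDAPFilter` and `-Properties` as the parameters of interest are assumptions made for this illustration.

```python
import re
from typing import Dict, List

# Constructed sample events in a simplified Event ID 4104 (script block logging)
# shape. These are made up for the example and are not real log data.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 4104, "ScriptBlockText": "Get-ADComputer -Filter * -Properties OperatingSystem,LastLogonDate | Export-Csv hosts.csv"},
    {"EventID": 4104, "ScriptBlockText": "Get-ADComputer -Identity WS01"},
    {"EventID": 4104, "ScriptBlockText": "get-adcomputer -filter {enabled -eq $true} -properties *"},
    {"EventID": 4104, "ScriptBlockText": "Get-ADUser -Filter * -Properties *"},
    {"EventID": 4103, "ScriptBlockText": "Get-ADComputer -Filter *"},
]

# The cmdlet name; PowerShell is case-insensitive, so the match is too.
CMDLET_RE = re.compile(r"\bGet-ADComputer\b", re.IGNORECASE)

# Parameters that indicate a broad query rather than a single-host lookup
# (assumed set for this example; the page only says "filters or properties").
PARAM_RE = re.compile(r"-(LDAPFilter|Filter|Properties)\b", re.IGNORECASE)
CANONICAL = {"ldapfilter": "LDAPFilter", "filter": "Filter", "properties": "Properties"}


def enumeration_parameters(script_block: str) -> List[str]:
    """Return the enumeration-style parameters present, in order of first appearance."""
    seen: List[str] = []
    for raw in PARAM_RE.findall(script_block):
        name = CANONICAL[raw.lower()]
        if name not in seen:
            seen.append(name)
    return seen


def matches_rule(event: Dict[str, object]) -> bool:
    """True when a script block log entry invokes Get-ADComputer with enumeration parameters."""
    if event.get("EventID") != 4104:
        return False  # only script block log entries are in scope
    text = str(event.get("ScriptBlockText", ""))
    if not CMDLET_RE.search(text):
        return False
    # A bare -Identity lookup of one host is not treated as enumeration here.
    return bool(enumeration_parameters(text))


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return one hit per matching event, with the parameters that triggered it."""
    hits = []
    for index, event in enumerate(events):
        if matches_rule(event):
            hits.append({
                "index": index,
                "parameters": enumeration_parameters(str(event["ScriptBlockText"])),
                "script_block": event["ScriptBlockText"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"[{hit['index']}] params={hit['parameters']}: {hit['script_block']}")
```

Of the five constructed events only the first and third are flagged: the `-Identity WS01` lookup is a single-host query, `Get-ADUser` is a different cmdlet, and the last entry is not a 4104 script block record. Tuning the parameter set (for example adding `-SearchBase`) is where the balance between catching reconnaissance and ignoring routine administration is decided.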
Categories
- Windows
- Identity Management
- Infrastructure
Data Sources
- Script
- Active Directory
ATT&CK Techniques
- T1018
- T1087.002
Created: 2022-03-17