Enumerate Domain Users by creation date. This artifact can be used to quickly detect new domain accounts that may have been created by attackers. This artifact must be run on Domain Joined systems with the PowerShell Active Directory module installed.
name: Windows.LastDomainUsers
description: Enumerate Domain Users by creation date. This artifact can be used to quickly detect new domain accounts that may have been created by attackers. This artifact must be run on Domain Joined systems with the PowerShell Active Directory module installed.
author: AnthoLaMalice - Anthony Hannouille
precondition:
SELECT OS From info() where OS = 'windows'
sources:
- query: |
LET cmdline = 'Get-ADUser -Filter {Enabled -eq $True} -Property Created, LastLogon | Select-Object Name, SAMAccountName, @{Name="Created";Expression={$_.Created.ToString("yyyy-MM-dd HH:mm:ss")}}, @{Name="LastLogon";Expression={if ($_.LastLogon) { [datetime]::FromFileTime($_.LastLogon).ToString("yyyy-MM-dd HH:mm:ss") } else { "Never Logged In" }}} | Sort-Object Created | ConvertTo-Json'
SELECT * FROM foreach(
row={
SELECT Stdout FROM execve(argv=["Powershell", cmdline], length=104857600)
}, query={
SELECT * FROM parse_json_array(data=Stdout) where log(message=Stdout) AND log(message=Stderr)
})