Windows.LastDomainUsers.yaml

name: Windows.LastDomainUsers
description: Enumerate Domain Users by creation date. This artifact can be used to quickly detect new domain accounts that may have been created by attackers. This artifact must be run on Domain Joined systems with the Active Directory PowerShell module installed.

author: AnthoLaMalice - Anthony Hannouille

precondition:
    SELECT OS From info() where OS = 'windows'

sources:
    - query: |         
        LET cmdline = 'Get-ADUser -Filter {Enabled -eq $True} -Property Created, LastLogon | Select-Object Name, SAMAccountName, @{Name="Created";Expression={$_.Created.ToString("yyyy-MM-dd HH:mm:ss")}}, @{Name="LastLogon";Expression={if ($_.LastLogon) { [datetime]::FromFileTime($_.LastLogon).ToString("yyyy-MM-dd HH:mm:ss") } else { "Never Logged In" }}} | Sort-Object Created | ConvertTo-Json'
        
        SELECT * FROM foreach(
            row={
                SELECT Stdout FROM execve(argv=["Powershell", cmdline], length=104857600)
                }, query={
                    SELECT * FROM parse_json_array(data=Stdout) where log(message=Stdout) AND log(message=Stderr)
                })