diff --git a/content/exchange/artifacts/Windows.LastDomainUsers.yaml b/content/exchange/artifacts/Windows.LastDomainUsers.yaml
new file mode 100644
index 00000000000..b4a3e0c1dc3
--- /dev/null
+++ b/content/exchange/artifacts/Windows.LastDomainUsers.yaml
@@ -0,0 +1,17 @@
+name: Windows.LastDomainUsers
+description: Enumerate Domain Users by creation date. This artifact can be used to quickly detect new domain accounts that may have been created by attackers. This artifact must be run on Domain Joined systems with the PowerShell Active Directory module installed.
+
+author: AnthoLaMalice - Anthony Hannouille
+
+precondition:
+    SELECT OS From info() where OS = 'windows'
+
+sources:
+    - query: |         
+        LET cmdline = 'Get-ADUser -Filter {Enabled -eq $True} -Property Created, LastLogon | Select-Object Name, SAMAccountName, @{Name="Created";Expression={$_.Created.ToString("yyyy-MM-dd HH:mm:ss")}}, @{Name="LastLogon";Expression={if ($_.LastLogon) { [datetime]::FromFileTime($_.LastLogon).ToString("yyyy-MM-dd HH:mm:ss") } else { "Never Logged In" }}} | Sort-Object Created | ConvertTo-Json'
+        SELECT * FROM foreach(
+            row={
+                SELECT Stdout FROM execve(argv=["Powershell", cmdline], length=104857600)
+                }, query={
+                    SELECT * FROM parse_json_array(data=Stdout) where log(message=Stdout) AND log(message=Stderr)
+                })