LoFP / Legitimate administrators often install these modules for managing Azure environments. Filter alerts for authorized personnel and approved administrative activities.

Techniques

Sample rules

Windows Azure PowerShell Module Installation Via PowerShell Script

Description

This analytic detects the installation of Azure AD and cloud management modules via PowerShell Script Block Logging (EventID 4104). Tools such as AADInternals, AzureAD, MSOnline, and Az.Resources provide deep access to Azure Active Directory objects, user accounts, service principals, and tenant configurations, making them high-value targets for adversaries conducting reconnaissance, privilege escalation, or persistence operations post-compromise.

Detection logic

`powershell` EventID="4104"
ScriptBlockText IN (
    "*Install-Module -Name AADInternals*",
    "*Install-Module -Name Az.Resources*",
    "*Install-Module -Name AzureAd*",
    "*Install-Module -Name MSOnline*",
    "*Install-Module AADInternals*",
    "*Install-Module Az.Resources*",
    "*Install-Module AzureAd*",
    "*Install-Module MSOnline*"
)
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
  by Computer EventID ScriptBlockText signature signature_id user_id vendor_product Guid Opcode Name Path ProcessID ScriptBlockId
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_azure_powershell_module_installation_via_powershell_script_filter`
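As an added illustration (not part of the original rule or its project), the Python below emulates the search stages above over constructed 4104 events: the wildcard match on ScriptBlockText, the per-dest count/firstTime/lastTime aggregation, and an allowlist of authorized users standing in for the filter macro that the LoFP note recommends. Splunk's case-insensitive field matching is assumed; the event field names and sample values are constructed.

```python
import re

# Wildcard patterns copied from the rule's ScriptBlockText IN (...) clause.
MODULE_PATTERNS = [
    "*Install-Module -Name AADInternals*", "*Install-Module -Name Az.Resources*",
    "*Install-Module -Name AzureAd*", "*Install-Module -Name MSOnline*",
    "*Install-Module AADInternals*", "*Install-Module Az.Resources*",
    "*Install-Module AzureAd*", "*Install-Module MSOnline*",
]

def wildcard_to_regex(pattern):
    # Splunk '*' -> '.*'; matching is treated as case-insensitive (assumption),
    # so "install-module azuread" is caught as well as the mixed-case form.
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I | re.S)

COMPILED = [wildcard_to_regex(p) for p in MODULE_PATTERNS]

def matches_rule(event):
    """Search stage: EventID 4104 and ScriptBlockText hitting one wildcard."""
    if str(event.get("EventID")) != "4104":
        return False
    return any(rx.match(event.get("ScriptBlockText", "")) for rx in COMPILED)

def run_detection(events, authorized_users=frozenset()):
    """Stats/rename stage per dest; authorized_users emulates the filter macro."""
    results = {}
    for ev in events:
        if not matches_rule(ev) or ev.get("user_id") in authorized_users:
            continue
        r = results.setdefault(ev["Computer"], {"dest": ev["Computer"], "count": 0,
                               "firstTime": ev["_time"], "lastTime": ev["_time"]})
        r["count"] += 1
        r["firstTime"] = min(r["firstTime"], ev["_time"])
        r["lastTime"] = max(r["lastTime"], ev["_time"])
    return results

# Constructed sample 4104 events (not real telemetry); _time is epoch seconds.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventID": 4104, "Computer": "WS01", "user_id": "CORP\\jdoe",
     "ScriptBlockText": "Install-Module -Name AADInternals -Force -Scope CurrentUser"},
    {"_time": 1700000300, "EventID": 4104, "Computer": "WS01", "user_id": "CORP\\jdoe",
     "ScriptBlockText": "Write-Host 'prep'\nInstall-Module MSOnline"},   # multi-line block
    {"_time": 1700000600, "EventID": 4104, "Computer": "ADMIN01", "user_id": "CORP\\cloudadmin",
     "ScriptBlockText": "Install-Module -Name Az.Resources"},
    {"_time": 1700000900, "EventID": 4104, "Computer": "WS02", "user_id": "CORP\\asmith",
     "ScriptBlockText": "Install-Module -Name Pester"},          # unrelated module
    {"_time": 1700001200, "EventID": 4103, "Computer": "WS02", "user_id": "CORP\\asmith",
     "ScriptBlockText": "Install-Module -Name AzureAD"},         # wrong EventID
]
```

Running `run_detection(SAMPLE_EVENTS, {"CORP\\cloudadmin"})` yields one row for WS01 (count 2); the ADMIN01 row is suppressed by the allowlist, which is the tuning the LoFP note describes.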