Techniques
Sample rules
AADInternals PowerShell Cmdlets Execution - ProccessCreation
- source: sigma
- technicques:
Description
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Detection logic
condition: all of selection_*
selection_cli:
CommandLine|contains:
- Add-AADInt
- ConvertTo-AADInt
- Disable-AADInt
- Enable-AADInt
- Export-AADInt
- Get-AADInt
- Grant-AADInt
- Install-AADInt
- Invoke-AADInt
- Join-AADInt
- New-AADInt
- Open-AADInt
- Read-AADInt
- Register-AADInt
- Remove-AADInt
- Restore-AADInt
- Search-AADInt
- Send-AADInt
- Set-AADInt
- Start-AADInt
- Update-AADInt
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.Exe
- pwsh.dll
Potential Active Directory Enumeration Using AD Module - ProcCreation
- source: sigma
- technicques:
Description
Detects usage of the “Import-Module” cmdlet to load the “Microsoft.ActiveDirectory.Management.dl” DLL. Which is often used by attackers to perform AD enumeration.
Detection logic
condition: all of selection_*
selection_cmdlet:
CommandLine|contains:
- 'Import-Module '
- 'ipmo '
selection_dll:
CommandLine|contains: Microsoft.ActiveDirectory.Management.dll
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
Potential Active Directory Enumeration Using AD Module - PsModule
- source: sigma
- technicques:
Description
Detects usage of the “Import-Module” cmdlet to load the “Microsoft.ActiveDirectory.Management.dl” DLL. Which is often used by attackers to perform AD enumeration.
Detection logic
condition: all of selection_*
selection_cmdlet:
Payload|contains:
- 'Import-Module '
- 'ipmo '
selection_dll:
Payload|contains: Microsoft.ActiveDirectory.Management.dll
AADInternals PowerShell Cmdlets Execution - PsScript
- source: sigma
- technicques:
Description
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
Detection logic
condition: selection
selection:
ScriptBlockText|contains:
- Add-AADInt
- ConvertTo-AADInt
- Disable-AADInt
- Enable-AADInt
- Export-AADInt
- Get-AADInt
- Grant-AADInt
- Install-AADInt
- Invoke-AADInt
- Join-AADInt
- New-AADInt
- Open-AADInt
- Read-AADInt
- Register-AADInt
- Remove-AADInt
- Restore-AADInt
- Search-AADInt
- Send-AADInt
- Set-AADInt
- Start-AADInt
- Update-AADInt
Potential Active Directory Enumeration Using AD Module - PsScript
- source: sigma
- technicques:
Description
Detects usage of the “Import-Module” cmdlet to load the “Microsoft.ActiveDirectory.Management.dl” DLL. Which is often used by attackers to perform AD enumeration.
Detection logic
condition: 1 of selection_*
selection_generic:
ScriptBlockText|contains|all:
- 'Import-Module '
- Microsoft.ActiveDirectory.Management.dll
selection_specific:
ScriptBlockText|contains: ipmo Microsoft.ActiveDirectory.Management.dll