Phoenix Studio
Convert indexed Sigma rules into analyst-ready detections.
This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.
Indexed Rules
3,707
Ready to search
Backends
17
Live from sigconverter.io
CLI Versions
10
Newest: 2.0.2
Translation Workspace
Shape the rule before it leaves Phoenix
Tune Translation
Active Rule
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Target Profile
Splunk
Splunk SPL & tstats data model queries
Format Mode
Default
Plain SPL queries
Conversion Output
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Using Splunk · Default · sigma-cli 2.0.2
Translation controls
Adjust the rule on the left, then regenerate when you want a fresh backend-native query.
BackendSplunkFormatDefaultVersion2.0.2
title: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
related:
- id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
type: similar
status: test
description: |
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Add-ADDBSidHistory'
- 'Add-ADNgcKey'
- 'Add-ADReplNgcKey'
- 'ConvertFrom-ADManagedPasswordBlob'
- 'ConvertFrom-GPPrefPassword'
- 'ConvertFrom-ManagedPasswordBlob'
- 'ConvertFrom-UnattendXmlPassword'
- 'ConvertFrom-UnicodePassword'
- 'ConvertTo-AADHash'
- 'ConvertTo-GPPrefPassword'
- 'ConvertTo-KerberosKey'
- 'ConvertTo-LMHash'
- 'ConvertTo-MsoPasswordHash'
- 'ConvertTo-NTHash'
- 'ConvertTo-OrgIdHash'
- 'ConvertTo-UnicodePassword'
- 'Disable-ADDBAccount'
- 'Enable-ADDBAccount'
- 'Get-ADDBAccount'
- 'Get-ADDBBackupKey'
- 'Get-ADDBDomainController'
- 'Get-ADDBGroupManagedServiceAccount'
- 'Get-ADDBKdsRootKey'
- 'Get-ADDBSchemaAttribute'
- 'Get-ADDBServiceAccount'
- 'Get-ADDefaultPasswordPolicy'
- 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
- 'Get-ADPasswordPolicy'
- 'Get-ADReplAccount'
- 'Get-ADReplBackupKey'
- 'Get-ADReplicationAccount'
- 'Get-ADSIAccount'
- 'Get-AzureADUserEx'
- 'Get-BootKey'
- 'Get-KeyCredential'
- 'Get-LsaBackupKey'
- 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
- 'Get-SamPasswordPolicy'
- 'Get-SysKey'
- 'Get-SystemKey'
- 'New-ADDBRestoreFromMediaScript'
- 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
- 'New-ADNgcKey'
- 'New-NTHashSet'
- 'Remove-ADDBObject'
- 'Save-DPAPIBlob'
- 'Set-ADAccountPasswordHash'
- 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
- 'Set-ADDBBootKey'
- 'Set-ADDBDomainController'
- 'Set-ADDBPrimaryGroup'
- 'Set-ADDBSysKey'
- 'Set-AzureADUserEx'
- 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
- 'Set-SamAccountPasswordHash'
- 'Set-WinUserPasswordHash'
- 'Test-ADDBPasswordQuality'
- 'Test-ADPasswordQuality'
- 'Test-ADReplPasswordQuality'
- 'Test-PasswordQuality'
- 'Unlock-ADDBAccount'
- 'Write-ADNgcKey'
- 'Write-ADReplNgcKey'
condition: selection
falsepositives:
- Legitimate usage of DSInternals for administration or audit purpose.
level: high
CLI command
Copy the exact command to reproduce this translation locally.
sigma convert --without-pipeline -t splunk -f default rules/windows/powershell/powershell_script/posh_ps_dsinternals_cmdlets.yml