Potential Active Directory Enumeration Using AD Module - PsModule
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Definition
0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_cmdlet:
Payload|contains:
- 'Import-Module '
- 'ipmo '
selection_dll:
Payload|contains: 'Microsoft.ActiveDirectory.Management.dll'
condition: all of selection_*Legitimate use of the library for administrative activity
Potential Active Directory Enumeration Using AD Module - ProcCreation
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Detects similar activity. Both rules may fire on overlapping events.
Potential Active Directory Enumeration Using AD Module - PsScript
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Detects similar activity. Both rules may fire on overlapping events.