AADInternals PowerShell Cmdlets Execution - PsScript
Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 that can be abused by threat actors to attack Azure AD or Office 365.
Authors: Austin Songer, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Created: Fri Dec 23
Updated: Thu Feb 06
Rule ID: 91e69562-2426-42ce-a647-711b8152ced6
Product: windows
Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)
Definition
Script Block Logging must be enabled
Detection Logic
detection:
  selection:
    ScriptBlockText|contains:
      # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
      - 'Add-AADInt'
      - 'ConvertTo-AADInt'
      - 'Disable-AADInt'
      - 'Enable-AADInt'
      - 'Export-AADInt'
      - 'Find-AADInt'
      - 'Get-AADInt'
      - 'Grant-AADInt'
      - 'Initialize-AADInt'
      - 'Install-AADInt'
      - 'Invoke-AADInt'
      - 'Join-AADInt'
      - 'New-AADInt'
      - 'Open-AADInt'
      - 'Read-AADInt'
      - 'Register-AADInt'
      - 'Remove-AADInt'
      - 'Reset-AADInt'
      - 'Resolve-AADInt'
      - 'Restore-AADInt'
      - 'Save-AADInt'
      - 'Search-AADInt'
      - 'Send-AADInt'
      - 'Set-AADInt'
      - 'Start-AADInt'
      - 'Unprotect-AADInt'
      - 'Update-AADInt'
  condition: selection
False Positives
Legitimate use of the library for administrative activity
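As an added example (not part of the rule or the Sigma project), the selection above replayed in Python over a few constructed Event ID 4104-style records: it shows the case-insensitive contains semantics of the rule and that a bare module import with no -AADInt cmdlet does not fire. The command strings in the sample records are assumed for illustration and are not claimed to be verified AADInternals cmdlet names.

```python
"""Replay the AADInternals Sigma selection over sample script-block events."""

# Verb prefixes copied verbatim from the rule's selection list above.
AADINT_PATTERNS = [
    "Add-AADInt", "ConvertTo-AADInt", "Disable-AADInt", "Enable-AADInt",
    "Export-AADInt", "Find-AADInt", "Get-AADInt", "Grant-AADInt",
    "Initialize-AADInt", "Install-AADInt", "Invoke-AADInt", "Join-AADInt",
    "New-AADInt", "Open-AADInt", "Read-AADInt", "Register-AADInt",
    "Remove-AADInt", "Reset-AADInt", "Resolve-AADInt", "Restore-AADInt",
    "Save-AADInt", "Search-AADInt", "Send-AADInt", "Set-AADInt",
    "Start-AADInt", "Unprotect-AADInt", "Update-AADInt",
]


def matches_selection(script_block_text: str) -> bool:
    """Sigma '|contains' over a list is an OR of case-insensitive substring tests."""
    haystack = script_block_text.lower()
    return any(pattern.lower() in haystack for pattern in AADINT_PATTERNS)


# Constructed Event ID 4104-style records (not real telemetry). The command
# text is illustrative only and meant to exercise the prefix match.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-AADIntTenantDetails"},
    {"EventID": 4104, "ScriptBlockText": "get-aadinttenantdetails | out-file t.txt"},
    {"EventID": 4104, "ScriptBlockText": "Import-Module AADInternals"},  # no verb-AADInt
    {"EventID": 4104, "ScriptBlockText": "Get-MgUser -All"},             # benign admin
    {"EventID": 4103, "ScriptBlockText": "Get-AADIntTenantDetails"},     # not ps_script
]


def run_rule(events):
    """Return the script blocks the rule would alert on.

    Script Block Logging writes Event ID 4104, which is what the ps_script
    log source maps to, so other event IDs are skipped before the selection
    is evaluated.
    """
    return [
        e["ScriptBlockText"]
        for e in events
        if e.get("EventID") == 4104 and matches_selection(e.get("ScriptBlockText", ""))
    ]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Note that the third sample record shows the coverage gap a defender should expect: importing the module without invoking a -AADInt cmdlet produces no hit from this rule.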
MITRE ATT&CK
Rule Metadata
Rule ID
91e69562-2426-42ce-a647-711b8152ced6
Status
test
Level
high
Type
Detection
Created
Fri Dec 23
Modified
Thu Feb 06
Author
Austin Songer, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Path
rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
Raw Tags
attack.execution
attack.reconnaissance
attack.discovery
attack.credential-access
attack.impact