Potential Active Directory Enumeration Using AD Module - PsScript
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Definition
Requirements: Script Block Logging must be enable
detection:
selection_generic:
ScriptBlockText|contains|all:
- 'Import-Module '
- 'Microsoft.ActiveDirectory.Management.dll'
selection_specific:
ScriptBlockText|contains: 'ipmo Microsoft.ActiveDirectory.Management.dll'
condition: 1 of selection_*Legitimate use of the library for administrative activity
Potential Active Directory Enumeration Using AD Module - ProcCreation
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Detects similar activity. Both rules may fire on overlapping events.
Potential Active Directory Enumeration Using AD Module - PsModule
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Detects similar activity. Both rules may fire on overlapping events.