Detectionhightest

AADInternals PowerShell Cmdlets Execution - ProccessCreation

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Austin Songer, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)Created Fri Dec 23Updated Thu Feb 06c86500e9-a645-4680-98d7-f882c70c1ea3windows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\powershell_ise.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.Exe'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains:
            # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
            - 'Add-AADInt'
            - 'ConvertTo-AADInt'
            - 'Disable-AADInt'
            - 'Enable-AADInt'
            - 'Export-AADInt'
            - 'Find-AADInt'
            - 'Get-AADInt'
            - 'Grant-AADInt'
            - 'Initialize-AADInt'
            - 'Install-AADInt'
            - 'Invoke-AADInt'
            - 'Join-AADInt'
            - 'New-AADInt'
            - 'Open-AADInt'
            - 'Read-AADInt'
            - 'Register-AADInt'
            - 'Remove-AADInt'
            - 'Reset-AADInt'
            - 'Resolve-AADInt'
            - 'Restore-AADInt'
            - 'Save-AADInt'
            - 'Search-AADInt'
            - 'Send-AADInt'
            - 'Set-AADInt'
            - 'Start-AADInt'
            - 'Unprotect-AADInt'
            - 'Update-AADInt'
    condition: all of selection_*

False Positives

Legitimate use of the library for administrative activity

References

MITRE ATT&CK

Tactics

TA0002 · Execution TA0043 · Reconnaissance TA0007 · Discovery TA0006 · Credential Access TA0040 · Impact

Related Rules

SimilarDetectionhigh

AADInternals PowerShell Cmdlets Execution - PsScript

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

c86500e9-a645-4680-98d7-f882c70c1ea3

Status

test

Level

high

Type

Detection

Created

Fri Dec 23

Modified

Thu Feb 06

Author

Austin Songer, Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)

Path

rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml

Raw Tags

attack.executionattack.reconnaissanceattack.discoveryattack.credential-accessattack.impact

View on GitHub