Potential Active Directory Enumeration Using AD Module - PsModule

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Sigma rule (View on GitHub)

 1title: Potential Active Directory Enumeration Using AD Module - PsModule
 2id: 74176142-4684-4d8a-8b0a-713257e7df8e
 3related:
 4    - id: 70bc5215-526f-4477-963c-a47a5c9ebd12
 5      type: similar
 6    - id: 9e620995-f2d8-4630-8430-4afd89f77604
 7      type: similar
 8status: test
 9description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
10references:
11    - https://github.com/samratashok/ADModule
12    - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
13    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
14author: Nasreddine Bencherchali (Nextron Systems), frack113
15date: 2023-01-22
16tags:
17    - attack.reconnaissance
18    - attack.discovery
19    - attack.impact
20logsource:
21    product: windows
22    category: ps_module
23    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
24detection:
25    selection_cmdlet:
26        Payload|contains:
27            - 'Import-Module '
28            - 'ipmo '
29    selection_dll:
30        Payload|contains: 'Microsoft.ActiveDirectory.Management.dll'
31    condition: all of selection_*
32falsepositives:
33    - Legitimate use of the library for administrative activity
34level: medium

References

Related rules

to-top