AADInternals PowerShell Cmdlets Execution - PsScript

Detects AADInternals cmdlet execution. AADInternals is a PowerShell toolkit for administering Azure AD and Office 365 that threat actors can abuse to attack Azure AD or Office 365 tenants.

Sigma rule

```yaml
title: AADInternals PowerShell Cmdlets Execution - PsScript
id: 91e69562-2426-42ce-a647-711b8152ced6
related:
    - id: c86500e9-a645-4680-98d7-f882c70c1ea3
      type: similar
status: test
description: Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 which can be abused by threat actors to attack Azure AD or Office 365.
references:
    - https://o365blog.com/aadinternals/
    - https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
    - attack.execution
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.impact
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enabled
detection:
    selection:
        ScriptBlockText|contains:
            # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
            - 'Add-AADInt'
            - 'ConvertTo-AADInt'
            - 'Disable-AADInt'
            - 'Enable-AADInt'
            - 'Export-AADInt'
            - 'Find-AADInt'
            - 'Get-AADInt'
            - 'Grant-AADInt'
            - 'Initialize-AADInt'
            - 'Install-AADInt'
            - 'Invoke-AADInt'
            - 'Join-AADInt'
            - 'New-AADInt'
            - 'Open-AADInt'
            - 'Read-AADInt'
            - 'Register-AADInt'
            - 'Remove-AADInt'
            - 'Reset-AADInt'
            - 'Resolve-AADInt'
            - 'Restore-AADInt'
            - 'Save-AADInt'
            - 'Search-AADInt'
            - 'Send-AADInt'
            - 'Set-AADInt'
            - 'Start-AADInt'
            - 'Unprotect-AADInt'
            - 'Update-AADInt'
    condition: selection
falsepositives:
    - Legitimate use of the library for administrative activity
level: high
```
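To show how the selection above behaves on real-looking telemetry, here is an added Python matcher (not part of the Sigma rule or the SigmaHQ project) that applies the rule's `ScriptBlockText|contains` list to constructed PowerShell script block logging events. It assumes the usual mapping of the `ps_script` logsource to Event ID 4104 records, and that Sigma `contains` is case-insensitive substring matching; the sample events are made up for the demonstration.

```python
# Verb prefixes copied from the rule's ScriptBlockText|contains list.
AADINT_PATTERNS = [
    "Add-AADInt", "ConvertTo-AADInt", "Disable-AADInt", "Enable-AADInt",
    "Export-AADInt", "Find-AADInt", "Get-AADInt", "Grant-AADInt",
    "Initialize-AADInt", "Install-AADInt", "Invoke-AADInt", "Join-AADInt",
    "New-AADInt", "Open-AADInt", "Read-AADInt", "Register-AADInt",
    "Remove-AADInt", "Reset-AADInt", "Resolve-AADInt", "Restore-AADInt",
    "Save-AADInt", "Search-AADInt", "Send-AADInt", "Set-AADInt",
    "Start-AADInt", "Unprotect-AADInt", "Update-AADInt",
]


def matches_rule(script_block_text):
    """Return the rule patterns found in one script block.

    Sigma 'contains' is a case-insensitive substring test, so a lower-cased
    invocation such as 'get-aadintusers' still hits 'Get-AADInt'.
    """
    haystack = script_block_text.lower()
    return [p for p in AADINT_PATTERNS if p.lower() in haystack]


# Constructed sample events shaped like Windows PowerShell 4104 script block
# logging records (assumed mapping for the ps_script logsource; not real data).
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "Get-AADIntUsers | Export-Csv users.csv"},
    {"EventID": 4104, "ScriptBlockText": "get-aadintusers -Verbose"},
    {"EventID": 4104, "ScriptBlockText": "Get-AzureADUser -All $true"},
    # Importing the module alone invokes no '-AADInt' cmdlet, so the rule
    # stays silent until a cmdlet is actually called.
    {"EventID": 4104, "ScriptBlockText": "Import-Module AADInternals"},
]


def scan(events):
    """Apply the rule to a list of events; return one alert per matching block."""
    alerts = []
    for event in events:
        if event.get("EventID") != 4104:
            continue
        hits = matches_rule(event.get("ScriptBlockText", ""))
        if hits:
            alerts.append({"text": event["ScriptBlockText"], "matched": hits})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT {alert['matched']}: {alert['text']}")
```

Because long scripts are logged as several 4104 fragments, the substring test fires on whichever fragment carries the verb; the `Import-Module` event shows the rule's intended scope (cmdlet execution, not module loading).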
