AADInternals PowerShell Cmdlets Execution - PsScript

Detects AADInternals cmdlet execution. AADInternals is a PowerShell module for administering Azure AD and Office 365 which can be abused by threat actors to attack Azure AD or Office 365.

Sigma rule

title: AADInternals PowerShell Cmdlets Execution - PsScript
id: 91e69562-2426-42ce-a647-711b8152ced6
related:
    - id: c86500e9-a645-4680-98d7-f882c70c1ea3
      type: similar
status: test
description: Detects AADInternals cmdlet execution. A tool for administering Azure AD and Office 365 which can be abused by threat actors to attack Azure AD or Office 365.
references:
    - https://o365blog.com/aadinternals/
    - https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-23
tags:
    - attack.execution
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.impact
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enabled
detection:
    selection:
        ScriptBlockText|contains:
            # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
            - 'Add-AADInt'
            - 'ConvertTo-AADInt'
            - 'Disable-AADInt'
            - 'Enable-AADInt'
            - 'Export-AADInt'
            - 'Get-AADInt'
            - 'Grant-AADInt'
            - 'Install-AADInt'
            - 'Invoke-AADInt'
            - 'Join-AADInt'
            - 'New-AADInt'
            - 'Open-AADInt'
            - 'Read-AADInt'
            - 'Register-AADInt'
            - 'Remove-AADInt'
            - 'Restore-AADInt'
            - 'Search-AADInt'
            - 'Send-AADInt'
            - 'Set-AADInt'
            - 'Start-AADInt'
            - 'Update-AADInt'
    condition: selection
falsepositives:
    - Legitimate use of the library for administrative activity
level: high
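The following is an added example, not part of the Sigma rule or of the AADInternals project: it reimplements the rule's selection in Python and runs it over a handful of constructed PowerShell script block events (the kind that Script Block Logging writes as Event ID 4104 to Microsoft-Windows-PowerShell/Operational). Sigma string modifiers such as |contains are case-insensitive unless |cased is used, so the comparison lowercases both sides; the sample ScriptBlockText values are constructed for illustration and are not real logs.

```python
"""Evaluate the AADInternals Sigma selection over constructed script block events.

Added example, not the rule's own code. Only the ScriptBlockText field is
examined, as in the rule; the event records below are constructed.
"""

# Verb/prefix strings copied from the rule's selection list.
AADINT_PREFIXES = [
    "Add-AADInt", "ConvertTo-AADInt", "Disable-AADInt", "Enable-AADInt",
    "Export-AADInt", "Get-AADInt", "Grant-AADInt", "Install-AADInt",
    "Invoke-AADInt", "Join-AADInt", "New-AADInt", "Open-AADInt",
    "Read-AADInt", "Register-AADInt", "Remove-AADInt", "Restore-AADInt",
    "Search-AADInt", "Send-AADInt", "Set-AADInt", "Start-AADInt",
    "Update-AADInt",
]


def matches_selection(script_block_text: str) -> list:
    """Return the selection entries found in the text.

    Sigma |contains is case-insensitive by default, so both sides are
    lowercased, mirroring how a backend compiles the rule.
    """
    haystack = script_block_text.lower()
    return [p for p in AADINT_PREFIXES if p.lower() in haystack]


# Constructed sample events (Event ID 4104 shape, not real logs).
SAMPLE_EVENTS = [
    # Token theft into the local cache: matches 'Get-AADInt'.
    {"EventID": 4104,
     "ScriptBlockText": "Import-Module AADInternals; Get-AADIntAccessTokenForAADGraph -SaveToCache"},
    # Lower-cased invocation still matches because |contains is case-insensitive.
    {"EventID": 4104,
     "ScriptBlockText": "get-aadintusers | Export-Csv users.csv"},
    # Legitimate Microsoft module: no '-AADInt' substring, no alert.
    {"EventID": 4104,
     "ScriptBlockText": "Connect-AzureAD; Get-AzureADUser -All $true"},
    # The module name alone does not contain '-AADInt', so the rule stays quiet.
    {"EventID": 4104,
     "ScriptBlockText": "Write-Host 'AADInternals'"},
]


def run_rule(events) -> list:
    """Apply the rule's selection to each event and return the alerts."""
    alerts = []
    for ev in events:
        hits = matches_selection(ev.get("ScriptBlockText", ""))
        if hits:
            alerts.append({"ScriptBlockText": ev["ScriptBlockText"],
                           "matched": hits, "level": "high"})
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert["level"], alert["matched"], "<-", alert["ScriptBlockText"])
```

The third and fourth events show the boundaries of the rule: it keys on the "-AADInt" cmdlet prefix rather than on the module name, so loading or mentioning AADInternals without invoking a cmdlet produces no match, and a rename of the cmdlets (or an alias) would likewise slip past it. Because the logsource is ps_script, nothing here fires unless Script Block Logging is enabled on the host.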
