DSInternals Suspicious PowerShell Cmdlets - ScriptBlock

 1title: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
 2id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
 3related:
 4    - id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
 5      type: similar
 6status: experimental
 7description: |
 8    Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
 9    The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.    
10references:
11    - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
12author: Nasreddine Bencherchali (Nextron Systems)
13date: 2024-06-26
14tags:
15    - attack.execution
16    - attack.t1059.001
17logsource:
18    product: windows
19    category: ps_script
20    definition: 'Requirements: Script Block Logging must be enabled'
21detection:
22    selection:
23        ScriptBlockText|contains:
24            - 'Add-ADDBSidHistory'
25            - 'Add-ADNgcKey'
26            - 'Add-ADReplNgcKey'
27            - 'ConvertFrom-ADManagedPasswordBlob'
28            - 'ConvertFrom-GPPrefPassword'
29            - 'ConvertFrom-ManagedPasswordBlob'
30            - 'ConvertFrom-UnattendXmlPassword'
31            - 'ConvertFrom-UnicodePassword'
32            - 'ConvertTo-AADHash'
33            - 'ConvertTo-GPPrefPassword'
34            - 'ConvertTo-KerberosKey'
35            - 'ConvertTo-LMHash'
36            - 'ConvertTo-MsoPasswordHash'
37            - 'ConvertTo-NTHash'
38            - 'ConvertTo-OrgIdHash'
39            - 'ConvertTo-UnicodePassword'
40            - 'Disable-ADDBAccount'
41            - 'Enable-ADDBAccount'
42            - 'Get-ADDBAccount'
43            - 'Get-ADDBBackupKey'
44            - 'Get-ADDBDomainController'
45            - 'Get-ADDBGroupManagedServiceAccount'
46            - 'Get-ADDBKdsRootKey'
47            - 'Get-ADDBSchemaAttribute'
48            - 'Get-ADDBServiceAccount'
49            - 'Get-ADDefaultPasswordPolicy'
50            - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
51            - 'Get-ADPasswordPolicy'
52            - 'Get-ADReplAccount'
53            - 'Get-ADReplBackupKey'
54            - 'Get-ADReplicationAccount'
55            - 'Get-ADSIAccount'
56            - 'Get-AzureADUserEx'
57            - 'Get-BootKey'
58            - 'Get-KeyCredential'
59            - 'Get-LsaBackupKey'
60            - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
61            - 'Get-SamPasswordPolicy'
62            - 'Get-SysKey'
63            - 'Get-SystemKey'
64            - 'New-ADDBRestoreFromMediaScript'
65            - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
66            - 'New-ADNgcKey'
67            - 'New-NTHashSet'
68            - 'Remove-ADDBObject'
69            - 'Save-DPAPIBlob'
70            - 'Set-ADAccountPasswordHash'
71            - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
72            - 'Set-ADDBBootKey'
73            - 'Set-ADDBDomainController'
74            - 'Set-ADDBPrimaryGroup'
75            - 'Set-ADDBSysKey'
76            - 'Set-AzureADUserEx'
77            - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
78            - 'Set-SamAccountPasswordHash'
79            - 'Set-WinUserPasswordHash'
80            - 'Test-ADDBPasswordQuality'
81            - 'Test-ADPasswordQuality'
82            - 'Test-ADReplPasswordQuality'
83            - 'Test-PasswordQuality'
84            - 'Unlock-ADDBAccount'
85            - 'Write-ADNgcKey'
86            - 'Write-ADReplNgcKey'
87    condition: selection
88falsepositives:
89    - Legitimate usage of DSInternals for administration or audit purpose.
90level: high