AADInternals PowerShell Cmdlets Execution - ProcessCreation

Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 that can be abused by threat actors to attack Azure AD or Office 365.

Sigma rule (View on GitHub)

```yaml
title: AADInternals PowerShell Cmdlets Execution - ProcessCreation
id: c86500e9-a645-4680-98d7-f882c70c1ea3
related:
    - id: 91e69562-2426-42ce-a647-711b8152ced6
      type: similar
status: test
description: Detects AADInternals cmdlet execution. AADInternals is a tool for administering Azure AD and Office 365 that can be abused by threat actors to attack Azure AD or Office 365.
references:
    - https://o365blog.com/aadinternals/
    - https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
    - attack.execution
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.impact
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\powershell_ise.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.Exe'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains:
            # Most of the cmdlets share the distinctive string "-AADInt", so only the verb plus that prefix is matched. For a complete list, see the references linked above.
            - 'Add-AADInt'
            - 'ConvertTo-AADInt'
            - 'Disable-AADInt'
            - 'Enable-AADInt'
            - 'Export-AADInt'
            - 'Find-AADInt'
            - 'Get-AADInt'
            - 'Grant-AADInt'
            - 'Initialize-AADInt'
            - 'Install-AADInt'
            - 'Invoke-AADInt'
            - 'Join-AADInt'
            - 'New-AADInt'
            - 'Open-AADInt'
            - 'Read-AADInt'
            - 'Register-AADInt'
            - 'Remove-AADInt'
            - 'Reset-AADInt'
            - 'Resolve-AADInt'
            - 'Restore-AADInt'
            - 'Save-AADInt'
            - 'Search-AADInt'
            - 'Send-AADInt'
            - 'Set-AADInt'
            - 'Start-AADInt'
            - 'Unprotect-AADInt'
            - 'Update-AADInt'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: high
```
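To see how the rule's three building blocks combine (the OR between `Image|endswith` and `OriginalFileName`, the `CommandLine|contains` list, and `all of selection_*`), the following is an added Python re-implementation of the matching logic run over a handful of constructed process-creation events. It is not part of the Sigma rule or the AADInternals project; the selection values are copied from the rule above, while the event dictionaries, their field names (modelled on Sysmon Event ID 1) and the command lines are constructed for illustration. Sigma string matching is case-insensitive by default, which the code reproduces with `casefold()`.

```python
import base64

# Selection values copied from the Sigma rule on this page.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
ORIGINAL_FILE_NAMES = ("PowerShell.Exe", "pwsh.dll")
CMDLINE_SUBSTRINGS = (
    "Add-AADInt", "ConvertTo-AADInt", "Disable-AADInt", "Enable-AADInt",
    "Export-AADInt", "Find-AADInt", "Get-AADInt", "Grant-AADInt",
    "Initialize-AADInt", "Install-AADInt", "Invoke-AADInt", "Join-AADInt",
    "New-AADInt", "Open-AADInt", "Read-AADInt", "Register-AADInt",
    "Remove-AADInt", "Reset-AADInt", "Resolve-AADInt", "Restore-AADInt",
    "Save-AADInt", "Search-AADInt", "Send-AADInt", "Set-AADInt",
    "Start-AADInt", "Unprotect-AADInt", "Update-AADInt",
)


def _ci(value):
    """Sigma string modifiers compare case-insensitively unless |cased is used."""
    return (value or "").casefold()


def selection_img(event):
    """selection_img: the two entries form a YAML list, so either one is enough."""
    image = _ci(event.get("Image"))
    original = _ci(event.get("OriginalFileName"))
    return (any(image.endswith(_ci(suffix)) for suffix in IMAGE_SUFFIXES)
            or original in {_ci(name) for name in ORIGINAL_FILE_NAMES})


def selection_cli(event):
    """selection_cli: CommandLine|contains any one of the cmdlet prefixes."""
    command_line = _ci(event.get("CommandLine"))
    return any(_ci(needle) in command_line for needle in CMDLINE_SUBSTRINGS)


def matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def encoded_command(script):
    """PowerShell's -EncodedCommand expects Base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry). Cmdlet names are illustrative.
SAMPLE_EVENTS = [
    {"id": "pwsh-direct",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh.exe -Command Get-AADIntTenantDetails"},
    # Renamed PowerShell binary: Image no longer matches, OriginalFileName still does.
    {"id": "renamed-binary",
     "Image": r"C:\Users\Public\update.exe",
     "OriginalFileName": "PowerShell.Exe",
     "CommandLine": "update.exe -NoP -c Export-AADIntADFSSigningCertificate"},
    # Case differences do not evade the default (case-insensitive) matching.
    {"id": "lowercase",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.Exe",
     "CommandLine": "powershell.exe get-aadinttenantdetails"},
    # Cmdlet string present, but the image is not PowerShell: all-of fails.
    {"id": "wrong-image",
     "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo Get-AADIntTenantDetails"},
    # Same cmdlet hidden behind -EncodedCommand: the substring never appears.
    {"id": "encoded",
     "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh.exe -EncodedCommand " + encoded_command("Get-AADIntTenantDetails")},
]


def alerts(events=SAMPLE_EVENTS):
    """Return the ids of the events the rule would fire on."""
    return [event["id"] for event in events if matches(event)]


if __name__ == "__main__":
    print(alerts())  # ['pwsh-direct', 'renamed-binary', 'lowercase']
```

The `renamed-binary` event shows why the rule keeps `OriginalFileName` as an alternative to `Image`: copying PowerShell under another name defeats the path check but not the PE header field. The `encoded` event shows the rule's limit: a command-line `contains` match cannot see inside `-EncodedCommand`, string concatenation or a downloaded script, so process-creation coverage of this kind is normally paired with script block logging (PowerShell Event ID 4104), where the decoded cmdlet text is visible.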
