AADInternals PowerShell Cmdlets Execution - ProcessCreation

Detects execution of AADInternals cmdlets. AADInternals is a PowerShell toolkit for administering Azure AD and Office 365 that threat actors can abuse to attack Azure AD or Office 365.

Sigma rule

title: AADInternals PowerShell Cmdlets Execution - ProcessCreation
id: c86500e9-a645-4680-98d7-f882c70c1ea3
related:
    - id: 91e69562-2426-42ce-a647-711b8152ced6
      type: similar
status: test
description: Detects execution of AADInternals cmdlets. AADInternals is a PowerShell toolkit for administering Azure AD and Office 365 that threat actors can abuse to attack Azure AD or Office 365.
references:
    - https://o365blog.com/aadinternals/
    - https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
date: 2022/12/23
tags:
    - attack.execution
    - attack.reconnaissance
    - attack.discovery
    - attack.credential_access
    - attack.impact
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.Exe'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains:
            # Most AADInternals cmdlets share the distinctive '-AADInt' noun prefix, so only the verb plus that prefix is matched. See the references above for the complete cmdlet list.
            - 'Add-AADInt'
            - 'ConvertTo-AADInt'
            - 'Disable-AADInt'
            - 'Enable-AADInt'
            - 'Export-AADInt'
            - 'Get-AADInt'
            - 'Grant-AADInt'
            - 'Install-AADInt'
            - 'Invoke-AADInt'
            - 'Join-AADInt'
            - 'New-AADInt'
            - 'Open-AADInt'
            - 'Read-AADInt'
            - 'Register-AADInt'
            - 'Remove-AADInt'
            - 'Restore-AADInt'
            - 'Search-AADInt'
            - 'Send-AADInt'
            - 'Set-AADInt'
            - 'Start-AADInt'
            - 'Update-AADInt'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: high
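To see what the rule does and does not catch, the following is an added Python re-implementation of its detection block run over constructed process-creation events; it is not code from the rule, from SigmaHQ, or from AADInternals. It assumes Sysmon-style field names (Image, OriginalFileName, CommandLine), Sigma's case-insensitive string matching, and a single base64 token following the common spellings of the -EncodedCommand switch. The sample events, the updater.exe path and example.com are made up.

```python
"""Offline re-implementation of the rule's `detection` block, run over
constructed process-creation events (Sysmon Event ID 1 style fields).

Added example; not code from the Sigma rule, SigmaHQ or AADInternals.
"""
import base64
import re

# Values copied from the rule. Sigma string matching is case-insensitive,
# `endswith`/`contains` are suffix/substring tests, and a plain field value
# is an exact (case-insensitive) comparison.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILE_NAMES = ("powershell.exe", "pwsh.dll")
CMDLET_PATTERNS = (
    "Add-AADInt", "ConvertTo-AADInt", "Disable-AADInt", "Enable-AADInt",
    "Export-AADInt", "Get-AADInt", "Grant-AADInt", "Install-AADInt",
    "Invoke-AADInt", "Join-AADInt", "New-AADInt", "Open-AADInt",
    "Read-AADInt", "Register-AADInt", "Remove-AADInt", "Restore-AADInt",
    "Search-AADInt", "Send-AADInt", "Set-AADInt", "Start-AADInt",
    "Update-AADInt",
)


def selection_img(event):
    """selection_img: a YAML list of two maps is OR-ed, so either the Image
    suffix or the OriginalFileName (PE version resource) is enough."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith(IMAGE_SUFFIXES) or original in ORIGINAL_FILE_NAMES


def selection_cli(command_line):
    """selection_cli: CommandLine|contains any of the verb-AADInt prefixes."""
    cmd = command_line.lower()
    return any(p.lower() in cmd for p in CMDLET_PATTERNS)


def matches(event):
    """condition: all of selection_* (both selections must hold)."""
    return selection_img(event) and selection_cli(event.get("CommandLine", ""))


# --- Gap the rule leaves open: -EncodedCommand hides the cmdlet name -------
# Assumption: PowerShell accepts any unambiguous prefix of -EncodedCommand;
# only the common spellings are handled here, with a single base64 token.
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64) or ''."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return ""


def matches_with_decoding(event):
    """Same rule, but also applied to the decoded encoded-command payload."""
    cmd = event.get("CommandLine", "")
    return selection_img(event) and (
        selection_cli(cmd) or selection_cli(decode_encoded_command(cmd))
    )


# Constructed sample events (not real telemetry).
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_PAYLOAD = "Get-AADIntAccessTokenForAADGraph -SaveToCache"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # 0: plain invocation -> rule fires
    {"Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": f'powershell.exe -c "{SAMPLE_PAYLOAD}"'},
    # 1: pwsh.exe copied under another name -> Image misses, OriginalFileName hits
    {"Image": r"C:\Users\Public\updater.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": "updater.exe -c Invoke-AADIntReconAsOutsider -DomainName example.com"},
    # 2: same cmdlet via -enc -> rule is blind; the decoding variant catches it
    {"Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"},
    # 3: module import only, no cmdlet on the command line -> no match
    {"Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c Import-Module AADInternals"},
    # 4: unrelated admin PowerShell -> no match
    {"Image": PS_IMAGE, "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -c Get-ADUser -Filter *"},
]


def evaluate(events):
    """Return [(index, rule_matches, matches_with_decoding), ...]."""
    return [(i, matches(e), matches_with_decoding(e)) for i, e in enumerate(events)]


if __name__ == "__main__":
    for i, hit, hit_dec in evaluate(SAMPLE_EVENTS):
        print(f"event {i}: rule={hit} with_decoding={hit_dec}")
```

Two points worth taking from the run: the OriginalFileName branch means a renamed pwsh.exe or powershell.exe still trips the rule, but a cmdlet passed through -EncodedCommand, or called from a script file rather than on the command line, never reaches the `CommandLine|contains` test. The decoding is kept in a separate function so `matches` stays a faithful copy of the rule; if you want that coverage in production, pair this rule with script-block logging rather than widening the process-creation match.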
