Potential Active Directory Enumeration Using AD Module - ProcCreation
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Sigma rule (View on GitHub)
1title: Potential Active Directory Enumeration Using AD Module - ProcCreation
2id: 70bc5215-526f-4477-963c-a47a5c9ebd12
3related:
4 - id: 9e620995-f2d8-4630-8430-4afd89f77604
5 type: similar
6 - id: 74176142-4684-4d8a-8b0a-713257e7df8e
7 type: similar
8status: test
9description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
10references:
11 - https://github.com/samratashok/ADModule
12 - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
13 - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
14author: frack113
15date: 2023-01-22
16tags:
17 - attack.reconnaissance
18 - attack.discovery
19 - attack.impact
20logsource:
21 product: windows
22 category: process_creation
23detection:
24 selection_img:
25 - Image|endswith:
26 - '\powershell.exe'
27 - '\pwsh.exe'
28 - OriginalFileName:
29 - 'PowerShell.EXE'
30 - 'pwsh.dll'
31 selection_cmdlet:
32 CommandLine|contains:
33 - 'Import-Module '
34 - 'ipmo '
35 selection_dll:
36 CommandLine|contains: 'Microsoft.ActiveDirectory.Management.dll'
37 condition: all of selection_*
38falsepositives:
39 - Legitimate use of the library for administrative activity
40level: medium
References
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- Potential Active Directory Enumeration Using AD Module - PsModule
- Potential Active Directory Enumeration Using AD Module - PsScript
- Bitbucket User Details Export Attempt Detected