DSInternals Suspicious PowerShell Cmdlets
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Sigma rule (View on GitHub)
1title: DSInternals Suspicious PowerShell Cmdlets
2id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
3related:
4 - id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
5 type: similar
6status: experimental
7description: |
8 Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
9 The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
10references:
11 - https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
12author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
13date: 2024-06-26
14tags:
15 - attack.execution
16 - attack.t1059.001
17logsource:
18 product: windows
19 category: process_creation
20detection:
21 selection:
22 CommandLine|contains:
23 - 'Add-ADDBSidHistory'
24 - 'Add-ADNgcKey'
25 - 'Add-ADReplNgcKey'
26 - 'ConvertFrom-ADManagedPasswordBlob'
27 - 'ConvertFrom-GPPrefPassword'
28 - 'ConvertFrom-ManagedPasswordBlob'
29 - 'ConvertFrom-UnattendXmlPassword'
30 - 'ConvertFrom-UnicodePassword'
31 - 'ConvertTo-AADHash'
32 - 'ConvertTo-GPPrefPassword'
33 - 'ConvertTo-KerberosKey'
34 - 'ConvertTo-LMHash'
35 - 'ConvertTo-MsoPasswordHash'
36 - 'ConvertTo-NTHash'
37 - 'ConvertTo-OrgIdHash'
38 - 'ConvertTo-UnicodePassword'
39 - 'Disable-ADDBAccount'
40 - 'Enable-ADDBAccount'
41 - 'Get-ADDBAccount'
42 - 'Get-ADDBBackupKey'
43 - 'Get-ADDBDomainController'
44 - 'Get-ADDBGroupManagedServiceAccount'
45 - 'Get-ADDBKdsRootKey'
46 - 'Get-ADDBSchemaAttribute'
47 - 'Get-ADDBServiceAccount'
48 - 'Get-ADDefaultPasswordPolicy'
49 - 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
50 - 'Get-ADPasswordPolicy'
51 - 'Get-ADReplAccount'
52 - 'Get-ADReplBackupKey'
53 - 'Get-ADReplicationAccount'
54 - 'Get-ADSIAccount'
55 - 'Get-AzureADUserEx'
56 - 'Get-BootKey'
57 - 'Get-KeyCredential'
58 - 'Get-LsaBackupKey'
59 - 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
60 - 'Get-SamPasswordPolicy'
61 - 'Get-SysKey'
62 - 'Get-SystemKey'
63 - 'New-ADDBRestoreFromMediaScript'
64 - 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
65 - 'New-ADNgcKey'
66 - 'New-NTHashSet'
67 - 'Remove-ADDBObject'
68 - 'Save-DPAPIBlob'
69 - 'Set-ADAccountPasswordHash'
70 - 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
71 - 'Set-ADDBBootKey'
72 - 'Set-ADDBDomainController'
73 - 'Set-ADDBPrimaryGroup'
74 - 'Set-ADDBSysKey'
75 - 'Set-AzureADUserEx'
76 - 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
77 - 'Set-SamAccountPasswordHash'
78 - 'Set-WinUserPasswordHash'
79 - 'Test-ADDBPasswordQuality'
80 - 'Test-ADPasswordQuality'
81 - 'Test-ADReplPasswordQuality'
82 - 'Test-PasswordQuality'
83 - 'Unlock-ADDBAccount'
84 - 'Write-ADNgcKey'
85 - 'Write-ADReplNgcKey'
86 condition: selection
87falsepositives:
88 - Legitimate usage of DSInternals for administration or audit purpose.
89level: high
References
-
Directory Services Internals (DSInternals) PowerShell Module and Framework - MichaelGrafnetter/DSInternals
Read More
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell