detection.wiki

Detection rules › Sigma

AADInternals PowerShell Cmdlets Execution - ProccessCreation

Severity
high
Author
Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Source
upstream

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\powershell_ise.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: PowerShell.Exe
OriginalFileName: pwsh.dll

Stage 2: all of selection_cli

or:
CommandLine|contains: Add-AADInt
CommandLine|contains: ConvertTo-AADInt
CommandLine|contains: Disable-AADInt
CommandLine|contains: Enable-AADInt
CommandLine|contains: Export-AADInt
CommandLine|contains: Find-AADInt
CommandLine|contains: Get-AADInt
CommandLine|contains: Grant-AADInt
CommandLine|contains: Initialize-AADInt
CommandLine|contains: Install-AADInt
CommandLine|contains: Invoke-AADInt
CommandLine|contains: Join-AADInt
CommandLine|contains: New-AADInt
CommandLine|contains: Open-AADInt
CommandLine|contains: Read-AADInt
CommandLine|contains: Register-AADInt
CommandLine|contains: Remove-AADInt
CommandLine|contains: Reset-AADInt
CommandLine|contains: Resolve-AADInt
CommandLine|contains: Restore-AADInt
CommandLine|contains: Save-AADInt
CommandLine|contains: Search-AADInt
CommandLine|contains: Send-AADInt
CommandLine|contains: Set-AADInt
CommandLine|contains: Start-AADInt
CommandLine|contains: Unprotect-AADInt
CommandLine|contains: Update-AADInt

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • Add-AADInt
  • ConvertTo-AADInt
  • Disable-AADInt
  • Enable-AADInt
  • Export-AADInt
  • Find-AADInt
  • Get-AADInt
  • Grant-AADInt
  • Initialize-AADInt
  • Install-AADInt
  • Invoke-AADInt
  • Join-AADInt
  • New-AADInt
  • Open-AADInt
  • Read-AADInt
  • Register-AADInt
  • Remove-AADInt
  • Reset-AADInt
  • Resolve-AADInt
  • Restore-AADInt
  • Save-AADInt
  • Search-AADInt
  • Send-AADInt
  • Set-AADInt
  • Start-AADInt
  • Unprotect-AADInt
  • Update-AADInt
Imageends_with
  • \powershell.exe corpus 143 (sigma 143)
  • \powershell_ise.exe corpus 27 (sigma 27)
  • \pwsh.exe corpus 140 (sigma 140)
OriginalFileNameeq
  • PowerShell.Exe corpus 2 (sigma 2)
  • pwsh.dll corpus 72 (sigma 68, splunk 4)