Detection rules › Sigma

AADInternals PowerShell Cmdlets Execution - ProccessCreation

Status
test
Severity
high
Author
Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Event coverage

ProviderEventTitle
SysmonEvent ID 1Process creation

Rule body yaml

title: AADInternals PowerShell Cmdlets Execution - ProccessCreation
id: c86500e9-a645-4680-98d7-f882c70c1ea3
related:
    - id: 91e69562-2426-42ce-a647-711b8152ced6
      type: similar
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
    - https://o365blog.com/aadinternals/
    - https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
    - attack.execution
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.impact
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\powershell_ise.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.Exe'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains:
            # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
            - 'Add-AADInt'
            - 'ConvertTo-AADInt'
            - 'Disable-AADInt'
            - 'Enable-AADInt'
            - 'Export-AADInt'
            - 'Find-AADInt'
            - 'Get-AADInt'
            - 'Grant-AADInt'
            - 'Initialize-AADInt'
            - 'Install-AADInt'
            - 'Invoke-AADInt'
            - 'Join-AADInt'
            - 'New-AADInt'
            - 'Open-AADInt'
            - 'Read-AADInt'
            - 'Register-AADInt'
            - 'Remove-AADInt'
            - 'Reset-AADInt'
            - 'Resolve-AADInt'
            - 'Restore-AADInt'
            - 'Save-AADInt'
            - 'Search-AADInt'
            - 'Send-AADInt'
            - 'Set-AADInt'
            - 'Start-AADInt'
            - 'Unprotect-AADInt'
            - 'Update-AADInt'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: high

Stages and Predicates

Stage 0: condition

all of selection_*

Stage 1: selection_img

selection_img:
    - Image|endswith:
          - '\powershell.exe'
          - '\powershell_ise.exe'
          - '\pwsh.exe'
    - OriginalFileName:
          - 'PowerShell.Exe'
          - 'pwsh.dll'

Stage 2: selection_cli

selection_cli:
    CommandLine|contains:
        # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
        - 'Add-AADInt'
        - 'ConvertTo-AADInt'
        - 'Disable-AADInt'
        - 'Enable-AADInt'
        - 'Export-AADInt'
        - 'Find-AADInt'
        - 'Get-AADInt'
        - 'Grant-AADInt'
        - 'Initialize-AADInt'
        - 'Install-AADInt'
        - 'Invoke-AADInt'
        - 'Join-AADInt'
        - 'New-AADInt'
        - 'Open-AADInt'
        - 'Read-AADInt'
        - 'Register-AADInt'
        - 'Remove-AADInt'
        - 'Reset-AADInt'
        - 'Resolve-AADInt'
        - 'Restore-AADInt'
        - 'Save-AADInt'
        - 'Search-AADInt'
        - 'Send-AADInt'
        - 'Set-AADInt'
        - 'Start-AADInt'
        - 'Unprotect-AADInt'
        - 'Update-AADInt'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • Add-AADInt
  • ConvertTo-AADInt
  • Disable-AADInt
  • Enable-AADInt
  • Export-AADInt
  • Find-AADInt
  • Get-AADInt
  • Grant-AADInt
  • Initialize-AADInt
  • Install-AADInt
  • Invoke-AADInt
  • Join-AADInt
  • New-AADInt
  • Open-AADInt
  • Read-AADInt
  • Register-AADInt
  • Remove-AADInt
  • Reset-AADInt
  • Resolve-AADInt
  • Restore-AADInt
  • Save-AADInt
  • Search-AADInt
  • Send-AADInt
  • Set-AADInt
  • Start-AADInt
  • Unprotect-AADInt
  • Update-AADInt
Imageends_with
  • \powershell.exe corpus 186 (sigma 186)
  • \powershell_ise.exe corpus 42 (sigma 42)
  • \pwsh.exe corpus 172 (sigma 172)
OriginalFileNameeq
  • PowerShell.Exe corpus 121 (sigma 85, splunk 30, elastic 6)
  • pwsh.dll corpus 112 (sigma 79, splunk 30, elastic 3)