DSInternals Suspicious PowerShell Cmdlets
Detects execution of cmdlets from the DSInternals PowerShell module, which can be used for activity that might be considered suspicious, such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell module exposes several internal features of Active Directory and Azure Active Directory, including FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: selection
or:
CommandLine|contains: Add-ADDBSidHistory
CommandLine|contains: Add-ADNgcKey
CommandLine|contains: Add-ADReplNgcKey
CommandLine|contains: ConvertFrom-ADManagedPasswordBlob
CommandLine|contains: ConvertFrom-GPPrefPassword
CommandLine|contains: ConvertFrom-ManagedPasswordBlob
CommandLine|contains: ConvertFrom-UnattendXmlPassword
CommandLine|contains: ConvertFrom-UnicodePassword
CommandLine|contains: ConvertTo-AADHash
CommandLine|contains: ConvertTo-GPPrefPassword
CommandLine|contains: ConvertTo-KerberosKey
CommandLine|contains: ConvertTo-LMHash
CommandLine|contains: ConvertTo-MsoPasswordHash
CommandLine|contains: ConvertTo-NTHash
CommandLine|contains: ConvertTo-OrgIdHash
CommandLine|contains: ConvertTo-UnicodePassword
CommandLine|contains: Disable-ADDBAccount
CommandLine|contains: Enable-ADDBAccount
CommandLine|contains: Get-ADDBAccount
CommandLine|contains: Get-ADDBBackupKey
CommandLine|contains: Get-ADDBDomainController
CommandLine|contains: Get-ADDBGroupManagedServiceAccount
CommandLine|contains: Get-ADDBKdsRootKey
CommandLine|contains: Get-ADDBSchemaAttribute
CommandLine|contains: Get-ADDBServiceAccount
CommandLine|contains: Get-ADDefaultPasswordPolicy
CommandLine|contains: Get-ADKeyCredential
CommandLine|contains: Get-ADPasswordPolicy
CommandLine|contains: Get-ADReplAccount
CommandLine|contains: Get-ADReplBackupKey
CommandLine|contains: Get-ADReplicationAccount
CommandLine|contains: Get-ADSIAccount
CommandLine|contains: Get-AzureADUserEx
CommandLine|contains: Get-BootKey
CommandLine|contains: Get-KeyCredential
CommandLine|contains: Get-LsaBackupKey
CommandLine|contains: Get-LsaPolicy
CommandLine|contains: Get-SamPasswordPolicy
CommandLine|contains: Get-SysKey
CommandLine|contains: Get-SystemKey
CommandLine|contains: New-ADDBRestoreFromMediaScript
CommandLine|contains: New-ADKeyCredential
CommandLine|contains: New-ADNgcKey
CommandLine|contains: New-NTHashSet
CommandLine|contains: Remove-ADDBObject
CommandLine|contains: Save-DPAPIBlob
CommandLine|contains: Set-ADAccountPasswordHash
CommandLine|contains: Set-ADDBAccountPassword
CommandLine|contains: Set-ADDBBootKey
CommandLine|contains: Set-ADDBDomainController
CommandLine|contains: Set-ADDBPrimaryGroup
CommandLine|contains: Set-ADDBSysKey
CommandLine|contains: Set-AzureADUserEx
CommandLine|contains: Set-LsaPolicy
CommandLine|contains: Set-SamAccountPasswordHash
CommandLine|contains: Set-WinUserPasswordHash
CommandLine|contains: Test-ADDBPasswordQuality
CommandLine|contains: Test-ADPasswordQuality
CommandLine|contains: Test-ADReplPasswordQuality
CommandLine|contains: Test-PasswordQuality
CommandLine|contains: Unlock-ADDBAccount
CommandLine|contains: Write-ADNgcKey
CommandLine|contains: Write-ADReplNgcKey
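The selection stage above is a single OR-ed list of case-insensitive substring tests on the process command line. The following is an added example, not part of the Sigma rule or the catalog, that evaluates that stage over a few constructed Sysmon Event ID 1 and Security 4688 records. It assumes both providers have been normalized to a CommandLine field, as a Sigma field mapping would do; the event records, hostnames and paths are made up for the example.

```python
"""Evaluate the DSInternals cmdlet selection over sample process-creation events.

Added example, not the rule's or the catalog's own code. The cmdlet list is the
rule's selection stage; the events are constructed for illustration.
"""

# Cmdlet names from the rule's selection stage (CommandLine|contains, OR-ed).
DSINTERNALS_CMDLETS = [
    "Add-ADDBSidHistory", "Add-ADNgcKey", "Add-ADReplNgcKey",
    "ConvertFrom-ADManagedPasswordBlob", "ConvertFrom-GPPrefPassword",
    "ConvertFrom-ManagedPasswordBlob", "ConvertFrom-UnattendXmlPassword",
    "ConvertFrom-UnicodePassword", "ConvertTo-AADHash", "ConvertTo-GPPrefPassword",
    "ConvertTo-KerberosKey", "ConvertTo-LMHash", "ConvertTo-MsoPasswordHash",
    "ConvertTo-NTHash", "ConvertTo-OrgIdHash", "ConvertTo-UnicodePassword",
    "Disable-ADDBAccount", "Enable-ADDBAccount", "Get-ADDBAccount",
    "Get-ADDBBackupKey", "Get-ADDBDomainController",
    "Get-ADDBGroupManagedServiceAccount", "Get-ADDBKdsRootKey",
    "Get-ADDBSchemaAttribute", "Get-ADDBServiceAccount",
    "Get-ADDefaultPasswordPolicy", "Get-ADKeyCredential", "Get-ADPasswordPolicy",
    "Get-ADReplAccount", "Get-ADReplBackupKey", "Get-ADReplicationAccount",
    "Get-ADSIAccount", "Get-AzureADUserEx", "Get-BootKey", "Get-KeyCredential",
    "Get-LsaBackupKey", "Get-LsaPolicy", "Get-SamPasswordPolicy", "Get-SysKey",
    "Get-SystemKey", "New-ADDBRestoreFromMediaScript", "New-ADKeyCredential",
    "New-ADNgcKey", "New-NTHashSet", "Remove-ADDBObject", "Save-DPAPIBlob",
    "Set-ADAccountPasswordHash", "Set-ADDBAccountPassword", "Set-ADDBBootKey",
    "Set-ADDBDomainController", "Set-ADDBPrimaryGroup", "Set-ADDBSysKey",
    "Set-AzureADUserEx", "Set-LsaPolicy", "Set-SamAccountPasswordHash",
    "Set-WinUserPasswordHash", "Test-ADDBPasswordQuality", "Test-ADPasswordQuality",
    "Test-ADReplPasswordQuality", "Test-PasswordQuality", "Unlock-ADDBAccount",
    "Write-ADNgcKey", "Write-ADReplNgcKey",
]


def matches_selection(command_line):
    """Return the cmdlet names found in the command line, in rule order.

    Sigma string modifiers match case-insensitively, so a lower-cased
    invocation still hits. An empty or missing command line never matches.
    """
    if not command_line:
        return []
    lowered = command_line.lower()
    return [name for name in DSINTERNALS_CMDLETS if name.lower() in lowered]


def evaluate(events):
    """Run the selection over normalized events; return (RecordId, hits) per match."""
    results = []
    for event in events:
        hits = matches_selection(event.get("CommandLine"))
        if hits:
            results.append((event["RecordId"], hits))
    return results


# Constructed sample events (hostnames, paths and record ids are invented).
# Both providers are assumed to be normalized to a CommandLine field.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
     "CommandLine": 'powershell.exe -ep bypass -c "Import-Module DSInternals; '
                    'Get-ADDBAccount -All -DatabasePath C:\\temp\\ntds.dit"'},
    {"RecordId": 2, "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4688,
     "CommandLine": 'pwsh.exe -c "get-lsabackupkey -ComputerName dc01 | '
                    'save-dpapiblob -DirectoryPath C:\\temp"'},
    # Benign AD administration: no DSInternals cmdlet in the line.
    {"RecordId": 3, "Provider": "Microsoft-Windows-Sysmon", "EventID": 1,
     "CommandLine": "powershell.exe -c Get-ADUser -Filter * -Properties LastLogonDate"},
    # 4688 only carries the command line when "Include command line in process
    # creation events" is enabled; without it the field is empty and the rule is blind.
    {"RecordId": 4, "Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4688,
     "CommandLine": ""},
]


if __name__ == "__main__":
    for record_id, hits in evaluate(SAMPLE_EVENTS):
        print(f"RecordId {record_id}: matched {', '.join(hits)}")
```

Record 4 is the caveat worth remembering when relying on Security 4688 for this rule: the selection is purely command-line based, so hosts without command-line auditing enabled produce events that can never match, and Sysmon Event ID 1 (or PowerShell script block logging as a separate rule source) is needed to see the invocation.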
Indicators
Each row gives a field, an operator and the value(s) that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | the DSInternals cmdlet names listed under Stage 1 (selection) |