Detection rules › Sigma
AADInternals PowerShell Cmdlets Execution - ProccessCreation
Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Reconnaissance | No specific technique |
| Execution | No specific technique |
| Credential Access | No specific technique |
| Discovery | No specific technique |
| Impact | No specific technique |
Event coverage
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 1 | Process creation |
Rule body yaml
title: AADInternals PowerShell Cmdlets Execution - ProccessCreation
id: c86500e9-a645-4680-98d7-f882c70c1ea3
related:
- id: 91e69562-2426-42ce-a647-711b8152ced6
type: similar
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
- https://o365blog.com/aadinternals/
- https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
- attack.execution
- attack.reconnaissance
- attack.discovery
- attack.credential-access
- attack.impact
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.Exe'
- 'pwsh.dll'
selection_cli:
CommandLine|contains:
# Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
- 'Add-AADInt'
- 'ConvertTo-AADInt'
- 'Disable-AADInt'
- 'Enable-AADInt'
- 'Export-AADInt'
- 'Find-AADInt'
- 'Get-AADInt'
- 'Grant-AADInt'
- 'Initialize-AADInt'
- 'Install-AADInt'
- 'Invoke-AADInt'
- 'Join-AADInt'
- 'New-AADInt'
- 'Open-AADInt'
- 'Read-AADInt'
- 'Register-AADInt'
- 'Remove-AADInt'
- 'Reset-AADInt'
- 'Resolve-AADInt'
- 'Restore-AADInt'
- 'Save-AADInt'
- 'Search-AADInt'
- 'Send-AADInt'
- 'Set-AADInt'
- 'Start-AADInt'
- 'Unprotect-AADInt'
- 'Update-AADInt'
condition: all of selection_*
falsepositives:
- Legitimate use of the library for administrative activity
level: high
Stages and Predicates
Stage 0: condition
all of selection_*Stage 1: selection_img
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.Exe'
- 'pwsh.dll'
Stage 2: selection_cli
selection_cli:
CommandLine|contains:
- 'Add-AADInt'
- 'ConvertTo-AADInt'
- 'Disable-AADInt'
- 'Enable-AADInt'
- 'Export-AADInt'
- 'Find-AADInt'
- 'Get-AADInt'
- 'Grant-AADInt'
- 'Initialize-AADInt'
- 'Install-AADInt'
- 'Invoke-AADInt'
- 'Join-AADInt'
- 'New-AADInt'
- 'Open-AADInt'
- 'Read-AADInt'
- 'Register-AADInt'
- 'Remove-AADInt'
- 'Reset-AADInt'
- 'Resolve-AADInt'
- 'Restore-AADInt'
- 'Save-AADInt'
- 'Search-AADInt'
- 'Send-AADInt'
- 'Set-AADInt'
- 'Start-AADInt'
- 'Unprotect-AADInt'
- 'Update-AADInt'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|
OriginalFileName | eq |
|