Date: 02/18/2025
Severity: High
Summary
Detects the execution of AADInternals cmdlets, a PowerShell toolkit used for administering Azure AD and Office 365. Threat actors can abuse the same tooling to target Azure AD or Office 365 environments for malicious activity.
Indicators of Compromise (IOC) List
Image (ends with any of): '\powershell.exe', '\powershell_ise.exe', '\pwsh.exe'
OriginalFileName (any of): 'PowerShell.Exe', 'pwsh.dll'
CommandLine (contains any of): 'Add-AADInt', 'ConvertTo-AADInt', 'Disable-AADInt', 'Enable-AADInt', 'Export-AADInt', 'Find-AADInt', 'Get-AADInt', 'Grant-AADInt', 'Initialize-AADInt', 'Install-AADInt', 'Invoke-AADInt', 'Join-AADInt', 'New-AADInt', 'Open-AADInt', 'Read-AADInt', 'Register-AADInt', 'Remove-AADInt', 'Reset-AADInt', 'Resolve-AADInt', 'Restore-AADInt', 'Save-AADInt', 'Search-AADInt', 'Send-AADInt', 'Set-AADInt', 'Start-AADInt', 'Unprotect-AADInt', 'Update-AADInt'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query (Windows Security, event 4688) : | (resourcename = "Windows Security" AND eventtype = "4688" ) AND (image like "powershell.exe" or image like "powershell_ise.exe" or image like "pwsh.exe") AND (originalfilename like "PowerShell.Exe" or originalfilename like "pwsh.dll") AND (commandline like "Add-AADInt" or commandline like "ConvertTo-AADInt" or commandline like "Disable-AADInt" or commandline like "Enable-AADInt" or commandline like "Export-AADInt" or commandline like "Find-AADInt" or commandline like "Get-AADInt" or commandline like "Grant-AADInt" or commandline like "Initialize-AADInt" or commandline like "Install-AADInt" or commandline like "Invoke-AADInt" or commandline like "Join-AADInt" or commandline like "New-AADInt" or commandline like "Open-AADInt" or commandline like "Read-AADInt" or commandline like "Register-AADInt" or commandline like "Remove-AADInt" or commandline like "Reset-AADInt" or commandline like "Resolve-AADInt" or commandline like "Restore-AADInt" or commandline like "Save-AADInt" or commandline like "Search-AADInt" or commandline like "Send-AADInt" or commandline like "Set-AADInt" or commandline like "Start-AADInt" or commandline like "Unprotect-AADInt" or commandline like "Update-AADInt" ) |
Detection Query (EDR) : | (technologygroup = "EDR" ) AND (image like "powershell.exe" or image like "powershell_ise.exe" or image like "pwsh.exe") AND (originalfilename like "PowerShell.Exe" or originalfilename like "pwsh.dll") AND (commandline like "Add-AADInt" or commandline like "ConvertTo-AADInt" or commandline like "Disable-AADInt" or commandline like "Enable-AADInt" or commandline like "Export-AADInt" or commandline like "Find-AADInt" or commandline like "Get-AADInt" or commandline like "Grant-AADInt" or commandline like "Initialize-AADInt" or commandline like "Install-AADInt" or commandline like "Invoke-AADInt" or commandline like "Join-AADInt" or commandline like "New-AADInt" or commandline like "Open-AADInt" or commandline like "Read-AADInt" or commandline like "Register-AADInt" or commandline like "Remove-AADInt" or commandline like "Reset-AADInt" or commandline like "Resolve-AADInt" or commandline like "Restore-AADInt" or commandline like "Save-AADInt" or commandline like "Search-AADInt" or commandline like "Send-AADInt" or commandline like "Set-AADInt" or commandline like "Start-AADInt" or commandline like "Unprotect-AADInt" or commandline like "Update-AADInt" ) |
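The same three AND-ed clauses, as an added Python example (not Gurucul's query engine or the Sigma rule itself) run over constructed process-creation events. It assumes the engine's "like" is a case-insensitive substring match and that the normalized fields are named image, originalfilename and commandline as in the queries above.

```python
"""Added example (not Gurucul's engine or the Sigma rule): the page's detection
logic applied to constructed process-creation events. Field names follow the
query: image, originalfilename, commandline. Matching is case-insensitive, an
assumption about how the engine's 'like' behaves (PowerShell ignores case)."""
from __future__ import annotations

# Image / OriginalFileName values from the IOC list above (lower-cased for comparison).
POWERSHELL_IMAGES = ("\\powershell.exe", "\\powershell_ise.exe", "\\pwsh.exe")
POWERSHELL_ORIGINAL_NAMES = ("powershell.exe", "pwsh.dll")
# Verb part of every 'Verb-AADInt' prefix the query searches for.
AADINT_VERBS = (
    "Add", "ConvertTo", "Disable", "Enable", "Export", "Find", "Get", "Grant",
    "Initialize", "Install", "Invoke", "Join", "New", "Open", "Read", "Register",
    "Remove", "Reset", "Resolve", "Restore", "Save", "Search", "Send", "Set",
    "Start", "Unprotect", "Update",
)
AADINT_PREFIXES = tuple(f"{verb}-AADInt" for verb in AADINT_VERBS)


def match_aadinternals(event: dict) -> str | None:
    """Return the matched 'Verb-AADInt' prefix or None; all three AND-ed query clauses must hold.
    'Get-AADInt' is a prefix match, so a full cmdlet such as Get-AADIntLoginInformation alerts."""
    if not event.get("image", "").lower().endswith(POWERSHELL_IMAGES):
        return None
    if event.get("originalfilename", "").lower() not in POWERSHELL_ORIGINAL_NAMES:
        return None
    cmdline = event.get("commandline", "").lower()
    return next((p for p in AADINT_PREFIXES if p.lower() in cmdline), None)


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, matched prefix) for each event that alerts."""
    return [(i, p) for i, ev in enumerate(events) if (p := match_aadinternals(ev))]


# Constructed sample events; only the first two should alert.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "originalfilename": "PowerShell.Exe",
     "commandline": 'powershell.exe -Command "Get-AADIntLoginInformation -UserName user@example.com"'},
    {"image": r"C:\Program Files\PowerShell\7\pwsh.exe", "originalfilename": "pwsh.dll",
     "commandline": "pwsh -NoProfile -Command Export-AADIntADFSCertificates"},
    # Benign PowerShell: no AADInt cmdlet on the command line.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "originalfilename": "PowerShell.Exe",
     "commandline": "powershell.exe Get-Process"},
    # 'AADInt' text in a non-PowerShell process does not alert: the image clause fails first.
    {"image": r"C:\Windows\System32\notepad.exe", "originalfilename": "NOTEPAD.EXE",
     "commandline": "notepad.exe Get-AADInt-readme.txt"},
]
```

Running scan(SAMPLE_EVENTS) yields the two true positives with the matched prefix, which is the field an analyst wants in the alert for triage.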
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml