Sigma rules for AADInternals
2 rules · scoped to tool · back to AADInternals
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: AADInternals PowerShell Cmdlets Execution - PsScript
id: 91e69562-2426-42ce-a647-711b8152ced6
related:
- id: c86500e9-a645-4680-98d7-f882c70c1ea3
type: similar
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
- https://o365blog.com/aadinternals/
- https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
- attack.execution
- attack.reconnaissance
- attack.discovery
- attack.credential-access
- attack.impact
logsource:
product: windows
category: ps_script
definition: Script Block Logging must be enable
detection:
selection:
ScriptBlockText|contains:
# Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
- 'Add-AADInt'
- 'ConvertTo-AADInt'
- 'Disable-AADInt'
- 'Enable-AADInt'
- 'Export-AADInt'
- 'Find-AADInt'
- 'Get-AADInt'
- 'Grant-AADInt'
- 'Initialize-AADInt'
- 'Install-AADInt'
- 'Invoke-AADInt'
- 'Join-AADInt'
- 'New-AADInt'
- 'Open-AADInt'
- 'Read-AADInt'
- 'Register-AADInt'
- 'Remove-AADInt'
- 'Reset-AADInt'
- 'Resolve-AADInt'
- 'Restore-AADInt'
- 'Save-AADInt'
- 'Search-AADInt'
- 'Send-AADInt'
- 'Set-AADInt'
- 'Start-AADInt'
- 'Unprotect-AADInt'
- 'Update-AADInt'
condition: selection
falsepositives:
- Legitimate use of the library for administrative activity
level: high
title: AADInternals PowerShell Cmdlets Execution - ProccessCreation
id: c86500e9-a645-4680-98d7-f882c70c1ea3
related:
- id: 91e69562-2426-42ce-a647-711b8152ced6
type: similar
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
- https://o365blog.com/aadinternals/
- https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
- attack.execution
- attack.reconnaissance
- attack.discovery
- attack.credential-access
- attack.impact
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\powershell_ise.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.Exe'
- 'pwsh.dll'
selection_cli:
CommandLine|contains:
# Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
- 'Add-AADInt'
- 'ConvertTo-AADInt'
- 'Disable-AADInt'
- 'Enable-AADInt'
- 'Export-AADInt'
- 'Find-AADInt'
- 'Get-AADInt'
- 'Grant-AADInt'
- 'Initialize-AADInt'
- 'Install-AADInt'
- 'Invoke-AADInt'
- 'Join-AADInt'
- 'New-AADInt'
- 'Open-AADInt'
- 'Read-AADInt'
- 'Register-AADInt'
- 'Remove-AADInt'
- 'Reset-AADInt'
- 'Resolve-AADInt'
- 'Restore-AADInt'
- 'Save-AADInt'
- 'Search-AADInt'
- 'Send-AADInt'
- 'Set-AADInt'
- 'Start-AADInt'
- 'Unprotect-AADInt'
- 'Update-AADInt'
condition: all of selection_*
falsepositives:
- Legitimate use of the library for administrative activity
level: high