← Back to Explore
sigmamediumHunting
Potential Active Directory Enumeration Using AD Module - ProcCreation
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Detection Query
selection_img:
- Image|endswith:
- \powershell.exe
- \pwsh.exe
- OriginalFileName:
- PowerShell.EXE
- pwsh.dll
selection_cmdlet:
CommandLine|contains:
- "Import-Module "
- "ipmo "
selection_dll:
CommandLine|contains: Microsoft.ActiveDirectory.Management.dll
condition: all of selection_*
Author
frack113
Created
2023-01-22
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.reconnaissanceattack.discoveryattack.impact
Raw Content
title: Potential Active Directory Enumeration Using AD Module - ProcCreation
id: 70bc5215-526f-4477-963c-a47a5c9ebd12
related:
- id: 9e620995-f2d8-4630-8430-4afd89f77604
type: similar
- id: 74176142-4684-4d8a-8b0a-713257e7df8e
type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
- https://github.com/samratashok/ADModule
- https://twitter.com/cyb3rops/status/1617108657166061568?s=20
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: frack113
date: 2023-01-22
tags:
- attack.reconnaissance
- attack.discovery
- attack.impact
logsource:
product: windows
category: process_creation
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cmdlet:
CommandLine|contains:
- 'Import-Module '
- 'ipmo '
selection_dll:
CommandLine|contains: 'Microsoft.ActiveDirectory.Management.dll'
condition: all of selection_*
falsepositives:
- Legitimate use of the library for administrative activity
level: medium