EXPLORE
Sign In
← Back to Explore
sigmahighHunting

AADInternals PowerShell Cmdlets Execution - PsScript

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Detection Query

selection:
  ScriptBlockText|contains:
    - Add-AADInt
    - ConvertTo-AADInt
    - Disable-AADInt
    - Enable-AADInt
    - Export-AADInt
    - Find-AADInt
    - Get-AADInt
    - Grant-AADInt
    - Initialize-AADInt
    - Install-AADInt
    - Invoke-AADInt
    - Join-AADInt
    - New-AADInt
    - Open-AADInt
    - Read-AADInt
    - Register-AADInt
    - Remove-AADInt
    - Reset-AADInt
    - Resolve-AADInt
    - Restore-AADInt
    - Save-AADInt
    - Search-AADInt
    - Send-AADInt
    - Set-AADInt
    - Start-AADInt
    - Unprotect-AADInt
    - Update-AADInt
condition: selection

Author

Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2022-12-23

Data Sources

windowsps_script

Platforms

windows

References

Tags

attack.executionattack.reconnaissanceattack.discoveryattack.credential-accessattack.impact
Raw Content
title: AADInternals PowerShell Cmdlets Execution - PsScript
id: 91e69562-2426-42ce-a647-711b8152ced6
related:
    - id: c86500e9-a645-4680-98d7-f882c70c1ea3
      type: similar
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
    - https://o365blog.com/aadinternals/
    - https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
    - attack.execution
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.impact
logsource:
    product: windows
    category: ps_script
    definition: Script Block Logging must be enable
detection:
    selection:
        ScriptBlockText|contains:
            # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
            - 'Add-AADInt'
            - 'ConvertTo-AADInt'
            - 'Disable-AADInt'
            - 'Enable-AADInt'
            - 'Export-AADInt'
            - 'Find-AADInt'
            - 'Get-AADInt'
            - 'Grant-AADInt'
            - 'Initialize-AADInt'
            - 'Install-AADInt'
            - 'Invoke-AADInt'
            - 'Join-AADInt'
            - 'New-AADInt'
            - 'Open-AADInt'
            - 'Read-AADInt'
            - 'Register-AADInt'
            - 'Remove-AADInt'
            - 'Reset-AADInt'
            - 'Resolve-AADInt'
            - 'Restore-AADInt'
            - 'Save-AADInt'
            - 'Search-AADInt'
            - 'Send-AADInt'
            - 'Set-AADInt'
            - 'Start-AADInt'
            - 'Unprotect-AADInt'
            - 'Update-AADInt'
    condition: selection
falsepositives:
    - Legitimate use of the library for administrative activity
level: high