EXPLORE
Sign In
← Back to Explore
sigmahighHunting

AADInternals PowerShell Cmdlets Execution - ProccessCreation

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Detection Query

selection_img:
  - Image|endswith:
      - \powershell.exe
      - \powershell_ise.exe
      - \pwsh.exe
  - OriginalFileName:
      - PowerShell.Exe
      - pwsh.dll
selection_cli:
  CommandLine|contains:
    - Add-AADInt
    - ConvertTo-AADInt
    - Disable-AADInt
    - Enable-AADInt
    - Export-AADInt
    - Find-AADInt
    - Get-AADInt
    - Grant-AADInt
    - Initialize-AADInt
    - Install-AADInt
    - Invoke-AADInt
    - Join-AADInt
    - New-AADInt
    - Open-AADInt
    - Read-AADInt
    - Register-AADInt
    - Remove-AADInt
    - Reset-AADInt
    - Resolve-AADInt
    - Restore-AADInt
    - Save-AADInt
    - Search-AADInt
    - Send-AADInt
    - Set-AADInt
    - Start-AADInt
    - Unprotect-AADInt
    - Update-AADInt
condition: all of selection_*

Author

Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2022-12-23

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.executionattack.reconnaissanceattack.discoveryattack.credential-accessattack.impact
Raw Content
title: AADInternals PowerShell Cmdlets Execution - ProccessCreation
id: c86500e9-a645-4680-98d7-f882c70c1ea3
related:
    - id: 91e69562-2426-42ce-a647-711b8152ced6
      type: similar
status: test
description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.
references:
    - https://o365blog.com/aadinternals/
    - https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
    - attack.execution
    - attack.reconnaissance
    - attack.discovery
    - attack.credential-access
    - attack.impact
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\powershell_ise.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.Exe'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains:
            # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complete list please check the references linked above
            - 'Add-AADInt'
            - 'ConvertTo-AADInt'
            - 'Disable-AADInt'
            - 'Enable-AADInt'
            - 'Export-AADInt'
            - 'Find-AADInt'
            - 'Get-AADInt'
            - 'Grant-AADInt'
            - 'Initialize-AADInt'
            - 'Install-AADInt'
            - 'Invoke-AADInt'
            - 'Join-AADInt'
            - 'New-AADInt'
            - 'Open-AADInt'
            - 'Read-AADInt'
            - 'Register-AADInt'
            - 'Remove-AADInt'
            - 'Reset-AADInt'
            - 'Resolve-AADInt'
            - 'Restore-AADInt'
            - 'Save-AADInt'
            - 'Search-AADInt'
            - 'Send-AADInt'
            - 'Set-AADInt'
            - 'Start-AADInt'
            - 'Unprotect-AADInt'
            - 'Update-AADInt'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: high