sigmaDRL-1.1from SigmaHQ/sigma

Potential Active Directory Enumeration Using AD Module - ProcCreation

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Quality

FP risk

—

Forks

Views

Rule sourcerules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml

title: Potential Active Directory Enumeration Using AD Module - ProcCreation
id: 70bc5215-526f-4477-963c-a47a5c9ebd12
related:
    - id: 9e620995-f2d8-4630-8430-4afd89f77604
      type: similar
    - id: 74176142-4684-4d8a-8b0a-713257e7df8e
      type: similar
status: test
description: Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
references:
    - https://github.com/samratashok/ADModule
    - https://twitter.com/cyb3rops/status/1617108657166061568?s=20
    - https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges
author: frack113
date: 2023-01-22
tags:
    - attack.reconnaissance
    - attack.discovery
    - attack.impact
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cmdlet:
        CommandLine|contains:
            - 'Import-Module '
            - 'ipmo '
    selection_dll:
        CommandLine|contains: 'Microsoft.ActiveDirectory.Management.dll'
    condition: all of selection_*
falsepositives:
    - Legitimate use of the library for administrative activity
level: medium