From 1de2b1c30fddca873254fc18a96eacf2ece37c1a Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Mon, 17 Feb 2025 16:56:55 +0545
Subject: [PATCH] Merge PR #5186 from @swachchhanda000 - Increase coverage of AADinternals rules

update: AADInternals PowerShell Cmdlets Execution - PsScript - Add additional strings from the AADinternals framework
update: AADInternals PowerShell Cmdlets Execution - ProccessCreation - Add additional strings from the AADinternals framework
---
 .../posh_ps_aadinternals_cmdlets_execution.yml | 9 ++++++++-
 ...n_win_powershell_aadinternals_cmdlets_execution.yml | 10 +++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
index 1d100d370..06d353f1a 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml
@@ -8,8 +8,9 @@ description: Detects ADDInternals Cmdlet execution. A tool for administering Azu
 references:
     - https://o365blog.com/aadinternals/
     - https://github.com/Gerenios/AADInternals
-author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
+author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2022-12-23
+modified: 2025-02-06
 tags:
     - attack.execution
     - attack.reconnaissance
@@ -29,8 +30,10 @@ detection:
             - 'Disable-AADInt'
             - 'Enable-AADInt'
             - 'Export-AADInt'
+            - 'Find-AADInt'
             - 'Get-AADInt'
             - 'Grant-AADInt'
+            - 'Initialize-AADInt'
             - 'Install-AADInt'
             - 'Invoke-AADInt'
             - 'Join-AADInt'
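Review bot: The rule description shown in the @@ -8,8 +8,9 @@ hunk header context still spells the tool name `ADDInternals` ("Detects ADDInternals Cmdlet execution"), and the first hunk of the process_creation rule further down carries the same misspelling. Since this commit already edits the neighbouring metadata (author, modified), it would be the natural place to correct the line to `description: Detects AADInternals Cmdlet execution. ...` in both rules, so that the rule is found when analysts search by the tool's actual name. The `description` line itself sits just outside the hunk, so the fix would extend the hunk by one line.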
@@ -39,11 +42,15 @@ detection:
             - 'Read-AADInt'
             - 'Register-AADInt'
             - 'Remove-AADInt'
+            - 'Reset-AADInt'
+            - 'Resolve-AADInt'
             - 'Restore-AADInt'
+            - 'Save-AADInt'
             - 'Search-AADInt'
             - 'Send-AADInt'
             - 'Set-AADInt'
             - 'Start-AADInt'
+            - 'Unprotect-AADInt'
             - 'Update-AADInt'
     condition: selection
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
index 9fa62c36a..633d307ae 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml
@@ -8,8 +8,9 @@ description: Detects ADDInternals Cmdlet execution. A tool for administering Azu
 references:
     - https://o365blog.com/aadinternals/
     - https://github.com/Gerenios/AADInternals
-author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
+author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
 date: 2022-12-23
+modified: 2025-02-06
 tags:
     - attack.execution
     - attack.reconnaissance
@@ -23,6 +24,7 @@ detection:
     selection_img:
         - Image|endswith:
               - '\powershell.exe'
+              - '\powershell_ise.exe'
               - '\pwsh.exe'
         - OriginalFileName:
               - 'PowerShell.Exe'
@@ -35,8 +37,10 @@ detection:
             - 'Disable-AADInt'
             - 'Enable-AADInt'
             - 'Export-AADInt'
+            - 'Find-AADInt'
             - 'Get-AADInt'
             - 'Grant-AADInt'
+            - 'Initialize-AADInt'
             - 'Install-AADInt'
             - 'Invoke-AADInt'
             - 'Join-AADInt'
@@ -45,11 +49,15 @@ detection:
             - 'Read-AADInt'
             - 'Register-AADInt'
             - 'Remove-AADInt'
+            - 'Reset-AADInt'
+            - 'Resolve-AADInt'
             - 'Restore-AADInt'
+            - 'Save-AADInt'
             - 'Search-AADInt'
             - 'Send-AADInt'
             - 'Set-AADInt'
             - 'Start-AADInt'
+            - 'Unprotect-AADInt'
             - 'Update-AADInt'
     condition: all of selection_*
 falsepositives:
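Review bot: In the @@ -23,6 +24,7 @@ hunk of proc_creation_win_powershell_aadinternals_cmdlets_execution.yml, `\powershell_ise.exe` is added to the `Image|endswith` alternative only, while the sibling `OriginalFileName` alternative (of which only `- 'PowerShell.Exe'` is visible before the hunk ends; the list continues outside it) gets no matching entry. Because `selection_img` is a list of two maps, the `OriginalFileName` branch is what keeps the rule firing when the host binary has been renamed, so a renamed ISE copy is not covered the way renamed powershell.exe/pwsh.exe are. If parity is intended, add the ISE binary's OriginalFileName value next to `- 'PowerShell.Exe'`, taking it from the binary's version resource rather than assuming it equals the file name; if the omission is deliberate, a short comment on the added line saying so would stop the next contributor from "fixing" it.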