Merge PR #5186 from @swachchhanda000 - Increase coverage of AADinternals rules

update: AADInternals PowerShell Cmdlets Execution - PsScript - Add additional strings from the AADinternals framework
update: AADInternals PowerShell Cmdlets Execution - ProccessCreation - Add additional strings from the AADinternals framework
Swachchhanda Shrawan Poudel
2025-02-17 16:56:55 +05:45
committed by GitHub
parent 0d25ad1855
commit 1de2b1c30f
2 changed files with 17 additions and 2 deletions
@@ -8,8 +8,9 @@ description: Detects ADDInternals Cmdlet execution. A tool for administering Azu
references:
- https://o365blog.com/aadinternals/
- https://github.com/Gerenios/AADInternals
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems)
author: Austin Songer (@austinsonger), Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2022-12-23
modified: 2025-02-06
tags:
- attack.execution
- attack.reconnaissance
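Review bot: the hunk header context still reads 'Detects ADDInternals Cmdlet execution' (the rule's description line); since this change already rewrites the metadata block, fix that to 'AADInternals' in the same PR rather than leaving the typo in a rule title users search for. Also check the `modified: 2025-02-06` value against what is actually being merged: the commit itself is dated 2025-02-17, and `modified` should reflect the change that ships.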
@@ -29,8 +30,10 @@ detection:
- 'Disable-AADInt'
- 'Enable-AADInt'
- 'Export-AADInt'
- 'Find-AADInt'
- 'Get-AADInt'
- 'Grant-AADInt'
- 'Initialize-AADInt'
- 'Install-AADInt'
- 'Invoke-AADInt'
- 'Join-AADInt'
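Review bot: the only context shown for this hunk is `detection:`, so the selection's field and modifier are not visible in the diff; the verb prefixes listed here (for example 'Find-AADInt', 'Initialize-AADInt', 'Invoke-AADInt') only achieve the coverage the PR title promises if the selection uses a contains-style match on the script text, because an exact match would never hit a full cmdlet name such as Invoke-AADInt followed by its noun. Please quote the selection header in the PR description so reviewers can confirm the modifier without opening the file.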
@@ -39,11 +42,15 @@ detection:
- 'Read-AADInt'
- 'Register-AADInt'
- 'Remove-AADInt'
- 'Reset-AADInt'
- 'Resolve-AADInt'
- 'Restore-AADInt'
- 'Save-AADInt'
- 'Search-AADInt'
- 'Send-AADInt'
- 'Set-AADInt'
- 'Start-AADInt'
- 'Unprotect-AADInt'
- 'Update-AADInt'
condition: selection
falsepositives:
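Review bot: 'Reset-AADInt' is redundant with 'Set-AADInt' a few lines below it: Sigma string matching is case-insensitive by default, and with a contains-style modifier the substring 'set-AADInt' inside any Reset-AADInt cmdlet name already satisfies 'Set-AADInt', so every Reset-AADInt* cmdlet is covered without the extra entry. Harmless as written, but dropping it keeps the list minimal and makes later additions easier to diff; if the selection uses exact matching instead, the whole prefix approach needs revisiting, not just this entry.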