DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Last updated on:
In this page
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock | Standard | Windows | Execution: Command and Scripting Interpreter - PowerShell (T1059.001) | Trouble |
About the rule
Rule Type
Standard
Rule Description
DSInternals is a PowerShell module that provides access to internal features of native AD and Entra ID. Some of its capabilities include ntds.dit file manipulation, password auditing, and password hash calculation. Attackers, by exploiting the DSInternals module, may tamper with these internal features, causing disruptions in the AD environment. This rule detects the execution of suspicious PowerShell cmdlets associated with DSInternals.
Severity
Trouble
Rule journey
Attack chain scenario
Initial Access → Execution → PowerShell execution involving DSInternals module → Discovery → Impact
Impact
- System compromise
- Malware execution
- Data manipulation
Rule Requirement
Prerequisites
Logon to Group Policy Management Console with administrative privileges and enable Module Logging for Windows PowerShell in the Group Policy Management Editor. Ensure to enter * in the Module Names window to record all modules. Similarly enable PowerShell Script Block Logging for Windows PowerShell. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
(((( SCRIPTEXECUTED CONTAINS ""add-addbsidhistory"" ) OR ( SCRIPTEXECUTED CONTAINS ""add-adngckey"" ) OR ( SCRIPTEXECUTED CONTAINS ""add-adreplngckey"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertfrom-admanagedpasswordblob"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertfrom-gpprefpassword"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertfrom-managedpasswordblob"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertfrom-unattendxmlpassword"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertfrom-unicodepassword"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertto-aadhash"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertto-gpprefpassword"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertto-kerberoskey"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertto-lmhash"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertto-msopasswordhash"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertto-nthash"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertto-orgidhash"" ) OR ( SCRIPTEXECUTED CONTAINS ""convertto-unicodepassword"" ) OR ( SCRIPTEXECUTED CONTAINS ""disable-addbaccount"" ) OR ( SCRIPTEXECUTED CONTAINS ""enable-addbaccount"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-addbaccount"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-addbbackupkey"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-addbdomaincontroller"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-addbgroupmanagedserviceaccount"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-addbkdsrootkey"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-addbschemaattribute"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-addbserviceaccount"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-addefaultpasswordpolicy"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-adkeycredential"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-adpasswordpolicy"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-adreplaccount"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-adreplbackupkey"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-adreplicationaccount"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-adsiaccount"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-azureaduserex"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-bootkey"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-keycredential"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-lsabackupkey"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-lsapolicy"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-sampasswordpolicy"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-syskey"" ) OR ( SCRIPTEXECUTED CONTAINS ""get-systemkey"" ) OR ( SCRIPTEXECUTED CONTAINS ""new-addbrestorefrommediascript"" ) OR ( SCRIPTEXECUTED CONTAINS ""new-adkeycredential"" ) OR ( SCRIPTEXECUTED CONTAINS ""new-adngckey"" ) OR ( SCRIPTEXECUTED CONTAINS ""new-nthashset"" ) OR ( SCRIPTEXECUTED CONTAINS ""remove-addbobject"" ) OR ( SCRIPTEXECUTED CONTAINS ""save-dpapiblob"" ) OR ( SCRIPTEXECUTED CONTAINS ""set-adaccountpasswordhash"" ) OR ( SCRIPTEXECUTED CONTAINS ""set-addbaccountpassword"" ) OR ( SCRIPTEXECUTED CONTAINS ""set-addbbootkey"" ) OR ( SCRIPTEXECUTED CONTAINS ""set-addbdomaincontroller"" ) OR ( SCRIPTEXECUTED CONTAINS ""set-addbprimarygroup"" ) OR ( SCRIPTEXECUTED CONTAINS ""set-addbsyskey"" ) OR ( SCRIPTEXECUTED CONTAINS ""set-azureaduserex"" ) OR ( SCRIPTEXECUTED CONTAINS ""set-lsapolicy"" ) OR ( SCRIPTEXECUTED CONTAINS ""set-samaccountpasswordhash"" ) OR ( SCRIPTEXECUTED CONTAINS ""set-winuserpasswordhash"" ) OR ( SCRIPTEXECUTED CONTAINS ""test-addbpasswordquality"" ) OR ( SCRIPTEXECUTED CONTAINS ""test-adpasswordquality"" ) OR ( SCRIPTEXECUTED CONTAINS ""test-adreplpasswordquality"" ) OR ( SCRIPTEXECUTED CONTAINS ""test-passwordquality"" ) OR ( SCRIPTEXECUTED CONTAINS ""unlock-addbaccount"" ) OR ( SCRIPTEXECUTED CONTAINS ""write-adngckey"" ) OR ( SCRIPTEXECUTED CONTAINS ""write-adreplngckey"" ) )))
This rule is triggered when the executed script contains the following suspicious elements:
- get-addbserviceaccount: A command used to retrieve information about AD database service accounts.
- get-addefaultpasswordpolicy: A command used to query the default password policy settings in AD.
- get-adkeycredential: A command used to retrieve authentication key credentials from AD.
- get-adpasswordpolicy: A command used to query the current password policy settings in AD.
Criteria
Action1: actionname = "PowerShell Script Block Logged" AND SCRIPTEXECUTED contains "Add-ADDBSidHistory,Add-ADNgcKey,Add-ADReplNgcKey,ConvertFrom-ADManagedPasswordBlob,ConvertFrom-GPPrefPassword,ConvertFrom-ManagedPasswordBlob,ConvertFrom-UnattendXmlPassword,ConvertFrom-UnicodePassword,ConvertTo-AADHash,ConvertTo-GPPrefPassword,ConvertTo-KerberosKey,ConvertTo-LMHash,ConvertTo-MsoPasswordHash,ConvertTo-NTHash,ConvertTo-OrgIdHash,ConvertTo-UnicodePassword,Disable-ADDBAccount,Enable-ADDBAccount,Get-ADDBAccount,Get-ADDBBackupKey,Get-ADDBDomainController" OR SCRIPTEXECUTED contains "Get-ADDBGroupManagedServiceAccount,Get-ADDBKdsRootKey,Get-ADDBSchemaAttribute,Get-ADDBServiceAccount,Get-ADDefaultPasswordPolicy,Get-ADKeyCredential,Get-ADPasswordPolicy,Get-ADReplAccount,Get-ADReplBackupKey,Get-ADReplicationAccount,Get-ADSIAccount,Get-AzureADUserEx,Get-BootKey,Get-KeyCredential,Get-LsaBackupKey,Get-LsaPolicy,Get-SamPasswordPolicy,Get-SysKey,Get-SystemKey,New-ADDBRestoreFromMediaScript,New-ADKeyCredential" OR SCRIPTEXECUTED contains "New-ADNgcKey,New-NTHashSet,Remove-ADDBObject,Save-DPAPIBlob,Set-ADAccountPasswordHash,Set-ADDBAccountPassword,Set-ADDBBootKey,Set-ADDBDomainController,Set-ADDBPrimaryGroup,Set-ADDBSysKey,Set-AzureADUserEx,Set-LsaPolicy,Set-SamAccountPasswordHash,Set-WinUserPasswordHash,Test-ADDBPasswordQuality,Test-ADPasswordQuality,Test-ADReplPasswordQuality,Test-PasswordQuality,Unlock-ADDBAccount,Write-ADNgcKey,Write-ADReplNgcKey" select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED
Detection
Execution Mode
realtime
Log Sources
Active Directory
MITRE ATT&CK
Execution: Command and Scripting Interpreter - PowerShell (T1059.001)
Security Standards
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
When this rule is triggered, you're notified of PowerShell cmdlet executions that involve the DSInternals module. This enables you to monitor runtime environments like PowerShell and identify suspicious executions that indicate potential attempts to tamper the internal functionalities of native AD or Entra ID.
Author
Nasreddine Bencherchali (Nextron Systems)
Future actions
Known False Positives
This rule might be triggered when DSInternals module cmdlets are executed by admins to access internal AD features.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
- Audit PowerShell executions: Continuously monitor PowerShell activities, block command executions that involve the DSInternals module, and restrict script execution privileges to administrators only.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1049 | Antivirus or antimalware scanning can be implemented to isolate suspicious files. | |
M1045 | Configure policies that allow PowerShell to execute only signed scripts. | |
M1042 | Restrict or disable PowerShell on systems where it is not required. | |
M1038 | Restrict the execution of scripts that contain sensitive language elements i.e., malicious codes using the PowerShell Constrained Language mode. | |
M1026 | Restrict privileges to execute PowerShell scripts to administrators and enforce limitations on the commands that can be executed via remote PowerShell sessions. |
