Potential Active Directory Enumeration Using AD Module - ProcCreation

Rule Info

Name
Potential Active Directory Enumeration Using AD Module - ProcCreation
Author
frack113
Description
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Reference
https://github.com/samratashok/ADModule
Date
2023-01-22 00:00:00
Modified
None
Id
70bc5215-526f-4477-963c-a47a5c9ebd12
Tags
attack.reconnaissance attack.discovery attack.impact
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=70bc5215-526f-4477-963c-a47a5c9ebd12

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
github-actions[bot]
Merge PR #4611 from @nasbench - Promote Older Rules Status From `experimental` To `test`
2023-12-01
ae960f088
Nasreddine Bencherchali
Merge PR #4482 From @nasbench - Add New Automation Workflows
2023-10-18
95793d73b
Nasreddine Bencherchali
feat: update pwsh ad module rules
2023-01-22
c9b230de6
frack113
Add Microsoft.ActiveDirectory.Management.dll
2023-01-22
40592f463
frack113
Add import_module dll
2023-01-22
75c01db53
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022