
Summary
This detection rule identifies potential Active Directory enumeration activity through the use of the PowerShell `Import-Module` cmdlet to load the `Microsoft.ActiveDirectory.Management.dll` assembly. This DLL is commonly abused by attackers to enumerate Active Directory objects and gather account and group information that can facilitate further attacks. The rule triggers on any PowerShell script activity indicating that this DLL is being imported, since this behavior can indicate reconnaissance by an attacker. Specifically, it looks for the keywords 'Import-Module' and 'Microsoft.ActiveDirectory.Management.dll' within the logged script blocks. Environments using Active Directory should monitor for this activity, as it can lead directly to information compromise.
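As an added example (not part of the original rule), the keyword condition above evaluated in Python over constructed PowerShell script block log records; the records are modelled on Event ID 4104 and the field names EventID, ScriptBlockId, MessageNumber and ScriptBlockText are assumptions. Fragments of one script block are reassembled before matching so that a wrapped import line is not missed, and a record naming only the ActiveDirectory module shows that the rule keys on the DLL file name, not the module name.

```python
import re
from collections import defaultdict

# The rule fires only when both keywords occur in the same script block;
# matching is case-insensitive because PowerShell cmdlet names are.
IMPORT_RE = re.compile(r"Import-Module", re.IGNORECASE)
DLL_RE = re.compile(r"Microsoft\.ActiveDirectory\.Management\.dll", re.IGNORECASE)

def rule_matches(script_block_text: str) -> bool:
    """Return True when one script block contains both keywords."""
    return bool(IMPORT_RE.search(script_block_text) and DLL_RE.search(script_block_text))

def find_alerts(events):
    """Return the ScriptBlockIds that satisfy the rule.
    Events are dicts modelled on Event ID 4104 (assumed field names: EventID,
    ScriptBlockId, MessageNumber, ScriptBlockText). Long scripts are logged as
    several fragments sharing a ScriptBlockId, so fragments are reassembled in
    MessageNumber order before the keywords are checked."""
    fragments = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # only script block logging records carry script text
        fragments[ev["ScriptBlockId"]].append((ev["MessageNumber"], ev["ScriptBlockText"]))
    alerts = []
    for block_id, parts in fragments.items():
        text = "".join(t for _, t in sorted(parts))
        if rule_matches(text):
            alerts.append(block_id)
    return sorted(alerts)

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockId": "a1", "MessageNumber": 1,
     "ScriptBlockText": "Import-Module C:\\tools\\Microsoft.ActiveDirectory.Management.dll\nGet-ADUser -Filter *"},
    # RSAT module name only: the rule keys on the DLL file name, so no alert.
    {"EventID": 4104, "ScriptBlockId": "b2", "MessageNumber": 1,
     "ScriptBlockText": "import-module ActiveDirectory\nGet-ADGroup -Filter *"},
    # One script block logged as two fragments, with the import line wrapped.
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 2,
     "ScriptBlockText": "  'C:\\tmp\\Microsoft.ActiveDirectory.Management.dll'\nGet-ADComputer -Filter *"},
    {"EventID": 4104, "ScriptBlockId": "c3", "MessageNumber": 1,
     "ScriptBlockText": "# AD inventory\nIMPORT-MODULE `\n"},
    # Event ID 4103 (module logging) is out of scope for this rule.
    {"EventID": 4103, "ScriptBlockId": "d4", "MessageNumber": 1,
     "ScriptBlockText": "Import-Module Microsoft.ActiveDirectory.Management.dll"},
]

if __name__ == "__main__":
    print(find_alerts(SAMPLE_EVENTS))  # ['a1', 'c3']
```

Legitimate administrators loading the DLL directly will also match, so triage should check the invoking user and host before escalating.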
Categories
- Windows
- Endpoint
- Identity Management
Data Sources
- Script
- Process
Created: 2023-01-22