Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Detected Windows Software Discovery - PowerShell

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Nikita Nazarov, oscd.communityCreated Fri Oct 16Updated Fri Dec 022650dd1a-eb2a-412d-ac36-83f06c4f2282windows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
Detection Logic1 selector
detection:
    selection:
        ScriptBlockText|contains|all:
            # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
            - 'get-itemProperty'
            - '\software\'
            - 'select-object'
            - 'format-table'
    condition: selection
False Positives

Legitimate administration activities

References
1
Resolving title…
github.com
2
Resolving title…
github.com
MITRE ATT&CK
Rule Metadata
Rule ID
2650dd1a-eb2a-412d-ac36-83f06c4f2282
Status
test
Level
medium
Type
Detection
Created
Fri Oct 16
Modified
Fri Dec 02
Author
Nikita Nazarov, oscd.community
Path
rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
Raw Tags
attack.discoveryattack.t1518
View on GitHub