Detection | medium | test

Security Software Discovery Via Powershell Script

Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus

Authors: François Hubaut, Anish Bogati, Nasreddine Bencherchali (Nextron Systems)
Created: Thu Dec 16
Updated: Tue Oct 24
Rule ID: 904e8e61-8edf-4350-b59c-b905fc8e810c
Platform: windows
Log Source
Product: Windows (raw: windows)
Category: PowerShell Script (raw: ps_script)

Definition

Requirements: Script Block Logging must be enabled

Detection Logic (3 selectors)
detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'get-process | \?'
            - 'get-process | where'
            - 'gps | \?'
            - 'gps | where'
    selection_field:
        ScriptBlockText|contains:
            - 'Company -like'
            - 'Description -like'
            - 'Name -like'
            - 'Path -like'
            - 'Product -like'
    selection_keywords:
        ScriptBlockText|contains:
            # Note: These strings are using wildcard assuming the search is using the "-like" operator.
            #       You can add specific variants with the actual process names to increase coverage
            - '\*avira\*'
            - '\*carbonblack\*'
            - '\*cylance\*'
            - '\*defender\*'
            - '\*kaspersky\*'
            - '\*malware\*'
            - '\*sentinel\*'
            - '\*symantec\*'
            - '\*virus\*'
    condition: all of selection_*
False Positives

False positives might occur due to the nature of the ScriptBlock being ingested as a big blob. Initial tuning is required.

As the "selection_cmdlet" strings are common in scripts, the matching engine might slow down the search. Change them into a regex or a more accurate string to avoid heavy resource consumption if this is experienced.
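To make the three selectors and the "all of selection_*" condition concrete, and to show the "big blob" false positive described above, here is an added Python re-implementation of this rule's matching logic run over a few constructed ScriptBlockText samples. It is example code written for this page, not the rule's own code or a Sigma backend; the sample events and their labels are invented. It applies Sigma "contains" semantics as case-insensitive substring matching and treats the escaped "\*" and "\?" in the rule as literal "*" and "?" characters.

```python
# Added example: evaluate the Sigma rule's three selectors over constructed
# PowerShell Script Block Logging events (Event ID 4104, field ScriptBlockText).

# Sigma escapes wildcards with a backslash, so "\*" and "\?" match the literal
# characters "*" and "?". The rule's keyword strings therefore look for the
# quoted -like patterns themselves, e.g. the text "*defender*".
def sigma_literal(pattern: str) -> str:
    """Turn a Sigma string that only uses escaped wildcards into plain text."""
    return pattern.replace(r"\*", "*").replace(r"\?", "?")

# The rule's selectors, copied from the detection block of this page.
SELECTION_CMDLET = [sigma_literal(p) for p in (
    r"get-process | \?", "get-process | where", r"gps | \?", "gps | where")]
SELECTION_FIELD = ["Company -like", "Description -like", "Name -like",
                   "Path -like", "Product -like"]
SELECTION_KEYWORDS = [sigma_literal(p) for p in (
    r"\*avira\*", r"\*carbonblack\*", r"\*cylance\*", r"\*defender\*",
    r"\*kaspersky\*", r"\*malware\*", r"\*sentinel\*", r"\*symantec\*",
    r"\*virus\*")]


def contains_any(text: str, needles) -> bool:
    """Sigma 'contains' with a list: case-insensitive substring, OR across values."""
    lowered = text.lower()
    return any(needle.lower() in lowered for needle in needles)


def rule_matches(script_block_text: str) -> bool:
    """condition: all of selection_* (every selector must hit the same event)."""
    return (contains_any(script_block_text, SELECTION_CMDLET)
            and contains_any(script_block_text, SELECTION_FIELD)
            and contains_any(script_block_text, SELECTION_KEYWORDS))


# Constructed sample events (label, ScriptBlockText); not real telemetry.
SAMPLE_EVENTS = [
    ("match-defender",
     'Get-Process | Where-Object { $_.Name -like "*defender*" }'),
    ("match-gps-symantec",
     "gps | ? { $_.Company -like '*Symantec*' }"),
    ("benign-cpu",
     "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU"),
    ("benign-stop",
     "Get-Process -Name notepad | Stop-Process"),
    # The false-positive case from the rule notes: one large script block in
    # which the three fragments occur far apart and unrelated to each other.
    ("fp-blob",
     "$big = Get-Process | Where-Object { $_.WorkingSet -gt 50MB }\n"
     "# later, an unrelated file search in the same script block\n"
     "$logs = Get-ChildItem C:\\Logs | Where-Object { $_.Name -like '*virus*' }"),
]


def evaluate(events):
    """Return the labels of every event the rule fires on, in input order."""
    return [label for label, text in events if rule_matches(text)]


if __name__ == "__main__":
    for label, text in SAMPLE_EVENTS:
        print(f"{label:20s} -> {'ALERT' if rule_matches(text) else 'no match'}")
```

Running it flags the two discovery one-liners and the "fp-blob" script, while the CPU filter and the Stop-Process line stay silent; the blob fires even though its "-like '*virus*'" clause filters file names rather than processes, which is exactly the tuning problem the notes describe. Note also that the cmdlet strings require a single space on each side of the pipe, so a script written as "Get-Process|Where-Object" would not satisfy selection_cmdlet as the rule is currently written.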

Rule Metadata
Rule ID
904e8e61-8edf-4350-b59c-b905fc8e810c
Status
test
Level
medium
Type
Detection
Created
Thu Dec 16
Modified
Tue Oct 24
Path
rules/windows/powershell/powershell_script/posh_ps_get_process_security_software_discovery.yml
Raw Tags
attack.discovery, attack.t1518.001