Sigma Rules
1,398 rules found
PowerShell MSI Install via WindowsInstaller COM From Remote Location
Detects the execution of PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely. This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality. And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
Computer Discovery And Export Via Get-ADComputer Cmdlet
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
Potential PowerShell Console History Access Attempt via History File
Detects potential access attempts to the PowerShell console history directly via history file (ConsoleHost_history.txt). This can give access to plaintext passwords used in PowerShell commands or used for general reconnaissance.
New Service Creation Using PowerShell
Detects the creation of a new service using powershell.
Gzip Archive Decode Via PowerShell
Detects attempts of decoding encoded Gzip archives via PowerShell.
PowerShell Execution With Potential Decryption Capabilities
Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
Powershell Defender Disable Scan Feature
Detects requests to disable Microsoft Defender features using PowerShell commands
Powershell Defender Exclusion
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
Disable Windows Defender AV Security Monitoring
Detects attackers attempting to disable Windows Defender using Powershell
Windows Firewall Disabled via PowerShell
Detects attempts to disable the Windows Firewall using PowerShell
Disabled IE Security Features
Detects command lines that indicate unwanted modifications to registry keys that disable important Internet Explorer security features
Potential PowerShell Downgrade Attack
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
Potential COM Objects Download Cradles Usage - Process Creation
Detects usage of COM objects that can be abused to download files in PowerShell by CLSID
Obfuscated PowerShell OneLiner Execution
Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
Potential DLL File Download Via PowerShell Invoke-WebRequest
Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest or Invoke-RestMethod cmdlets.
PowerShell Download and Execution Cradles
Detects PowerShell download and execution cradles.
PowerShell Download Pattern
Detects a Powershell process that contains download commands in its command line string
Potentially Suspicious File Download From File Sharing Domain Via PowerShell.EXE
Detects potentially suspicious file downloads from file sharing domains using PowerShell.exe
DSInternals Suspicious PowerShell Cmdlets
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Email Exifiltration Via Powershell
Detects email exfiltration via powershell cmdlets
Potential Suspicious Windows Feature Enabled - ProcCreation
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Suspicious Execution of Powershell with Base64
Commandline to launch powershell with a base64 payload
Potential Encoded PowerShell Patterns In CommandLine
Detects specific combinations of encoding methods in PowerShell via the commandline
Powershell Inline Execution From A File
Detects inline execution of PowerShell code from a file
Certificate Exported Via PowerShell
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
Suspicious FromBase64String Usage On Gzip Archive - Process Creation
Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward.
PowerShell Get-Clipboard Cmdlet Via CLI
Detects usage of the 'Get-Clipboard' cmdlet via CLI
Suspicious Reconnaissance Activity Using Get-LocalGroupMember Cmdlet
Detects suspicious reconnaissance command line activity on Windows systems using the PowerShell Get-LocalGroupMember Cmdlet
PowerShell Get-Process LSASS
Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
Abuse of Service Permissions to Hide Services Via Set-Service
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Suspicious PowerShell IEX Execution Patterns
Detects suspicious ways to run Invoke-Execution using IEX alias
Root Certificate Installed From Susp Locations
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Import PowerShell Modules From Suspicious Directories - ProcCreation
Detects powershell scripts that import modules from suspicious directories
Unsigned AppX Installation Attempt Using Add-AppxPackage
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Suspicious PowerShell Invocations - Specific - ProcessCreation
Detects suspicious PowerShell invocation command parameters
Suspicious Invoke-WebRequest Execution With DirectIP
Detects calls to PowerShell with Invoke-WebRequest cmdlet using direct IP access
Suspicious Invoke-WebRequest Execution
Detects a suspicious call to Invoke-WebRequest cmdlet where the and output is located in a suspicious location
Suspicious Kerberos Ticket Request via CLI
Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class. Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse techniques like silver ticket attacks.
Suspicious PowerShell Mailbox Export to Share
Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
Malicious PowerShell Commandlets - ProcessCreation
Detects Commandlet names from well-known PowerShell exploitation frameworks
MSExchange Transport Agent Installation
Detects the Installation of a Exchange Transport Agent
Non Interactive PowerShell Process Spawned
Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
Potential PowerShell Obfuscation Via WCHAR/CHAR
Detects suspicious encoded character syntax often used for defense evasion
Execution of Powershell Script in Public Folder
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
RemoteFXvGPUDisablement Abuse Via AtomicTestHarnesses
Detects calls to the AtomicTestHarnesses "Invoke-ATHRemoteFXvGPUDisablementCommand" which is designed to abuse the "RemoteFXvGPUDisablement.exe" binary to run custom PowerShell code via module load-order hijacking.
Tamper Windows Defender Remove-MpPreference
Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet
Potential Powershell ReverseShell Connection
Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.