Sigma Rules
1,398 rules found
Run PowerShell Script from ADS
Detects PowerShell script execution from Alternate Data Stream (ADS)
Run PowerShell Script from Redirected Input Stream
Detects PowerShell script execution via input stream redirect
PowerShell SAM Copy
Detects suspicious PowerShell scripts accessing SAM hives
Suspicious PowerShell Invocation From Script Engines
Detects suspicious powershell invocations from interpreters or unusual programs
Suspicious Service DACL Modification Via Set-Service Cmdlet
Detects suspicious DACL modifications via the "Set-Service" cmdlet using the "SecurityDescriptorSddl" flag (only available with PowerShell 7) that can be used to hide services or make them unstoppable
PowerShell Script Change Permission Via Set-Acl
Detects PowerShell execution to set the ACL of a file or a folder
PowerShell Set-Acl On Windows Folder
Detects PowerShell scripts to set the ACL to a file in the Windows folder
Change PowerShell Policies to an Insecure Level
Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
Service StartupType Change Via PowerShell Set-Service
Detects the use of the PowerShell "Set-Service" cmdlet to change the startup type of a service to "disabled" or "manual"
Deletion of Volume Shadow Copies via WMI with PowerShell
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Exchange PowerShell Snap-Ins Usage
Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
Stop Windows Service Via PowerShell Stop-Service
Detects the stopping of a Windows service via the PowerShell Cmdlet "Stop-Service"
Suspicious PowerShell Download and Execute Pattern
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
Suspicious PowerShell Parameter Substring
Detects suspicious PowerShell invocation with a parameter substring
Suspicious PowerShell Parent Process
Detects suspicious or uncommon parent processes of PowerShell
PowerShell Script Run in AppData
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
Powershell Token Obfuscation - Process Creation
Detects the TOKEN OBFUSCATION technique from Invoke-Obfuscation
Suspicious Uninstall of Windows Defender Feature via PowerShell
Detects the use of PowerShell with Uninstall-WindowsFeature or Remove-WindowsFeature cmdlets to disable or remove the Windows Defender GUI feature, a common technique used by adversaries to evade defenses.
User Discovery And Export Via Get-ADUser Cmdlet
Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
Net WebClient Casing Anomalies
Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
Suspicious X509Enrollment - Process Creation
Detects use of X509Enrollment
Suspicious XOR Encoded PowerShell Command
Detects presence of a potentially XOR-encoded PowerShell command
Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Arbitrary File Download Via PresentationHost.EXE
Detects usage of "PresentationHost" which is a utility that runs ".xbap" (Browser Applications) files to download arbitrary files
XBAP Execution From Uncommon Locations Via PresentationHost.EXE
Detects the execution of ".xbap" (Browser Applications) files via PresentationHost.EXE from an uncommon location. These files can be abused to run malicious ".xbap" files any bypass AWL
Visual Studio NodejsTools PressAnyKey Arbitrary Binary Execution
Detects child processes of Microsoft.NodejsTools.PressAnyKey.exe that can be used to execute any other binary
Abusing Print Executable
Attackers can use print.exe for remote file copy
File Download Using ProtocolHandler.exe
Detects usage of "ProtocolHandler" to download files. Downloaded files will be located in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Potential Provlaunch.EXE Binary Proxy Execution Abuse
Detects child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Suspicious Provlaunch.EXE Child Process
Detects suspicious child processes of "provlaunch.exe" which might indicate potential abuse to proxy execution.
Screen Capture Activity Via Psr.EXE
Detects execution of Windows Problem Steps Recorder (psr.exe), a utility used to record the user screen and clicks.
PUA - 3Proxy Execution
Detects the use of 3proxy, a tiny free proxy server
PUA - Suspicious ActiveDirectory Enumeration Via AdFind.EXE
Detects Active Directory enumeration activity using known AdFind CLI flags
PUA - AdFind.EXE Execution
Detects execution of Adfind.exe utility, which can be used for reconnaissance in an Active Directory environment
PUA - AdFind Suspicious Execution
Detects AdFind execution with common flags seen used during attacks
PUA - Advanced IP Scanner Execution
Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups.
PUA - Advanced Port Scanner Execution
Detects the use of Advanced Port Scanner.
PUA - AdvancedRun Execution
Detects the execution of AdvancedRun utility
PUA - AdvancedRun Suspicious Execution
Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
PUA - Chisel Tunneling Tool Execution
Detects usage of the Chisel tunneling tool via the commandline arguments
PUA - CleanWipe Execution
Detects the use of CleanWipe, a tool usually used to delete Symantec antivirus.
PUA - Crassus Execution
Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics.
PUA - CsExec Execution
Detects the use of the lesser-known remote execution tool named CsExec, a PsExec alternative
PUA - DefenderCheck Execution
Detects the use of DefenderCheck, a tool to evaluate the signatures used in Microsoft Defender. It can be used to figure out the strings / byte chains used in Microsoft Defender to detect a tool and thus used for AV evasion.
PUA - DIT Snapshot Viewer
Detects the use of the Ditsnap tool, an inspection tool for the Active Directory database, ntds.dit.
PUA - Fast Reverse Proxy (FRP) Execution
Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
PUA - IOX Tunneling Tool Execution
Detects the use of IOX - a tool for port forwarding and intranet proxy purposes
PUA - Kernel Driver Utility (KDU) Execution
Detects execution of the Kernel Driver Utility (KDU) tool. KDU can be used to bypass driver signature enforcement and load unsigned or malicious drivers into the Windows kernel, potentially allowing for privilege escalation, persistence, or evasion of security controls.