Sigma Rules
11 rules found
Nslookup PowerShell Download Cradle
Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
Delete Volume Shadow Copies Via WMI With PowerShell
Shadow Copies deletion using operating systems utilities via PowerShell
PowerShell Downgrade Attack - PowerShell
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
PowerShell Called from an Executable Version Mismatch
Detects PowerShell called from an executable by the version mismatch method
Netcat The Powershell Version
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
Remote PowerShell Session (PS Classic)
Detects remote PowerShell sessions
Renamed Powershell Under Powershell Channel
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
Suspicious PowerShell Download
Detects suspicious PowerShell download command
Use Get-NetTCPConnection
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Uncommon PowerShell Hosts
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
Detects powershell execution with that make use of to the bxor (Bitwise XOR). Attackers might use as an alternative obfuscation method to Base64 encoded commands. Investigate the CommandLine and process tree to determine if the activity is malicious.