Sigma Rules
1,701 rules found
Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
Powershell Install a DLL in System Directory
Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
Create Volume Shadow Copy with Powershell
Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information
Disable Powershell Command History
Detects scripts or commands that disabled the Powershell command history by removing psreadline module
Disable-WindowsOptionalFeature Command PowerShell
Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
Disable of ETW Trace - Powershell
Detects usage of powershell cmdlets to disable or remove ETW trace sessions
HackTool - Rubeus Execution - ScriptBlock
Detects the execution of the hacktool Rubeus using specific command line flags
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
Powershell DNSExfiltration
DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel
Invoke-Obfuscation CLIP+ Launcher - PowerShell
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
Invoke-Obfuscation STDIN+ Launcher - Powershell
Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShell
Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation Via Stdin - Powershell
Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - Powershell
Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - PowerShell
Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - PowerShell
Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
Detects Obfuscated Powershell via VAR++ LAUNCHER
Malicious PowerShell Commandlets - ScriptBlock
Detects Commandlet names from well-known PowerShell exploitation frameworks
Live Memory Dump Using Powershell
Detects usage of a PowerShell command to dump the live memory of a Windows machine
Malicious Nishang PowerShell Commandlets
Detects Commandlet names and arguments from the Nishang exploitation framework
NTFS Alternate Data Stream
Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
Code Executed Via Office Add-in XLL File
Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs
Potential Invoke-Mimikatz PowerShell Script
Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
PowerShell Web Access Installation - PsScript
Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse
PowerView PowerShell Cmdlets - ScriptBlock
Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
PowerShell Credential Prompt
Detects PowerShell calling a credential prompt
PSAsyncShell - Asynchronous TCP Reverse Shell
Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
PowerShell PSAttack
Detects the use of PSAttack PowerShell hack tool
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets. This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
PowerShell Set-Acl On Windows Folder - PsScript
Detects PowerShell scripts to set the ACL to a file in the Windows folder
PowerShell ShellCode
Detects Base64 encoded Shellcode
Malicious ShellIntel PowerShell Commandlets
Detects Commandlet names from ShellIntel exploitation scripts.
Potential Persistence Via Security Descriptors - ScriptBlock
Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
Suspicious PowerShell Invocations - Generic
Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific
Detects suspicious PowerShell invocation command parameters
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil
Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet
Tamper Windows Defender - ScriptBlockLogging
Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Abuse of Service Permissions to Hide Services Via Set-Service - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Veeam Backup Servers Credential Dumping Script Execution
Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.
Potential WinAPI Calls Via PowerShell Scripts
Detects use of WinAPI functions in PowerShell scripts
WMImplant Hack Tool
Detects parameters used by WMImplant
CMSTP Execution Process Access
Detects various indicators of Microsoft Connection Manager Profile Installer execution