Sigma Rules
1,585 rules found for "defense-evasion"
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
Detects Obfuscated Powershell via VAR++ LAUNCHER
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Suspicious Computer Machine Password by PowerShell
The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module
Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
AMSI Bypass Pattern Assembly GetType
Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts
Potential AMSI Bypass Script Using NULL Bits
Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities
Clear PowerShell History - PowerShell
Detects keywords that could indicate clearing PowerShell history
Clearing Windows Console History
Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.
Powershell Install a DLL in System Directory
Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
Registry-Free Process Scope COR_PROFILER
Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)
DMSA Service Account Created in Specific OUs - PowerShell
Detects the creation of a dMSA service account using the New-ADServiceAccount cmdlet in certain OUs. The fact that the cmdlet is used to create a dMSASvc account in a specific OU is highly suspicious. It is a pattern trying to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025. On top of that, if the user that is creating the dMSASvc account is not a legitimate administrator or does not have the necessary permissions, it is a strong signal of an attempted or successful abuse of the BaDSuccessor vulnerability for privilege escalation within the Windows Server 2025 Active Directory environment.
Powershell Detect Virtualization Environment
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
Disable Powershell Command History
Detects scripts or commands that disabled the Powershell command history by removing psreadline module
Disable-WindowsOptionalFeature Command PowerShell
Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Potential In-Memory Execution Using Reflection.Assembly
Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory
Potential Suspicious Windows Feature Enabled
Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images
Disable of ETW Trace - Powershell
Detects usage of powershell cmdlets to disable or remove ETW trace sessions
Service Registry Permissions Weakness Check
Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services
HackTool - Rubeus Execution - ScriptBlock
Detects the execution of the hacktool Rubeus using specific command line flags
HackTool - WinPwn Execution - ScriptBlock
Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.
Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages
Invoke-Obfuscation CLIP+ Launcher - PowerShell
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014
Invoke-Obfuscation STDIN+ Launcher - Powershell
Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShell
Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
Detects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - Powershell
Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - Powershell
Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - PowerShell
Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - PowerShell
Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
Detects Obfuscated Powershell via VAR++ LAUNCHER
DMSA Link Attributes Modified
Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts. This command line pattern could be an indicator an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
Modify Group Policy Settings - ScriptBlockLogging
Detect malicious GPO modifications can be used to implement many other malicious behaviors.
NTFS Alternate Data Stream
Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Root Certificate Installed - PowerShell
Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
Suspicious Invoke-Item From Mount-DiskImage
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
PowerShell Script Change Permission Via Set-Acl - PsScript
Detects PowerShell scripts set ACL to of a file or a folder
PowerShell Set-Acl On Windows Folder - PsScript
Detects PowerShell scripts to set the ACL to a file in the Windows folder
PowerShell ShellCode
Detects Base64 encoded Shellcode
Powershell Store File In Alternate Data Stream
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
Potential Persistence Via Security Descriptors - ScriptBlock
Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
Potential PowerShell Obfuscation Using Character Join
Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
Suspicious Eventlog Clear
Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
Troubleshooting Pack Cmdlet Execution
Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
Suspicious Hyper-V Cmdlets
Adversaries may carry out malicious operations using a virtual instance to avoid detection