Sigma Rules
2,824 rules found
HackTool - Koh Default Named Pipe
Detects creation of default named pipes used by the Koh tool
Alternate PowerShell Hosts Pipe
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
New PowerShell Instance Created
Detects the execution of PowerShell via the creation of a named pipe starting with PSHost
PUA - CSExec Default Named Pipe
Detects default CSExec pipe creation
PUA - PAExec Default Named Pipe
Detects PAExec default named pipe
PUA - RemCom Default Named Pipe
Detects default RemCom pipe creation
WMI Event Consumer Created Named Pipe
Detects the WMI Event Consumer service scrcons.exe creating a named pipe
Malicious Named Pipe Created
Detects the creation of a named pipe seen used by known APTs or malware.
PsExec Tool Execution From Suspicious Locations - PipeName
Detects PsExec default pipe creation where the image executed is located in a suspicious location. Which could indicate that the tool is being used in an attack
Nslookup PowerShell Download Cradle
Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
Delete Volume Shadow Copies Via WMI With PowerShell
Shadow Copies deletion using operating systems utilities via PowerShell
PowerShell Downgrade Attack - PowerShell
Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
PowerShell Called from an Executable Version Mismatch
Detects PowerShell called from an executable by the version mismatch method
Netcat The Powershell Version
Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
Remote PowerShell Session (PS Classic)
Detects remote PowerShell sessions
Potential RemoteFXvGPUDisablement.EXE Abuse
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
Renamed Powershell Under Powershell Channel
Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.
Suspicious PowerShell Download
Detects suspicious PowerShell download command
Use Get-NetTCPConnection
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Zip A Folder With PowerShell For Staging In Temp - PowerShell
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
Tamper Windows Defender - PSClassic
Attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.
Suspicious Non PowerShell WSMAN COM Provider
Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
Potential Active Directory Enumeration Using AD Module - PsModule
Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.
Alternate PowerShell Hosts - PowerShell Module
Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
Bad Opsec Powershell Code Artifacts
focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.
Clear PowerShell History - PowerShell Module
Detects keywords that could indicate clearing PowerShell history
PowerShell Decompress Commands
A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
Malicious PowerShell Scripts - PoshModule
Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance
Suspicious Get-ADDBAccount Usage
Detects suspicious invocation of the Get-ADDBAccount script that reads from a ntds.dit file and may be used to get access to credentials without using any credential dumpers
PowerShell Get Clipboard
A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
HackTool - Evil-WinRm Execution - PowerShell Module
Detects the execution of Evil-WinRM via PowerShell Module logs by leveraging the hardcoded strings inside the utility.
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
Detects Obfuscated use of Clip.exe to execute PowerShell
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
Detects Obfuscated use of stdin to execute PowerShell
Invoke-Obfuscation VAR+ Launcher - PowerShell Module
Detects Obfuscated use of Environment Variables to execute PowerShell
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
Detects Obfuscated Powershell via COMPRESS OBFUSCATION
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
Detects Obfuscated Powershell via RUNDLL LAUNCHER
Invoke-Obfuscation Via Stdin - PowerShell Module
Detects Obfuscated Powershell via Stdin in Scripts
Invoke-Obfuscation Via Use Clip - PowerShell Module
Detects Obfuscated Powershell via use Clip.exe in Scripts
Invoke-Obfuscation Via Use MSHTA - PowerShell Module
Detects Obfuscated Powershell via use MSHTA in Scripts
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
Detects Obfuscated Powershell via use Rundll32 in Scripts
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
Detects Obfuscated Powershell via VAR++ LAUNCHER
Malicious PowerShell Commandlets - PoshModule
Detects Commandlet names from well-known PowerShell exploitation frameworks
Remote PowerShell Session (PS Module)
Detects remote PowerShell sessions
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module
Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.
AD Groups Or Users Enumeration Using PowerShell - PoshModule
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Suspicious PowerShell Download - PoshModule
Detects suspicious PowerShell download command
Use Get-NetTCPConnection - PowerShell Module
Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.