Sigma Rules
2,824 rules found
Powershell Sensitive File Discovery
Detect adversaries enumerate sensitive files
PowerShell Script Change Permission Via Set-Acl - PsScript
Detects PowerShell scripts set ACL to of a file or a folder
PowerShell Set-Acl On Windows Folder - PsScript
Detects PowerShell scripts to set the ACL to a file in the Windows folder
Change PowerShell Policies to an Insecure Level - PowerShell
Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
PowerShell ShellCode
Detects Base64 encoded Shellcode
Malicious ShellIntel PowerShell Commandlets
Detects Commandlet names from ShellIntel exploitation scripts.
Detected Windows Software Discovery - PowerShell
Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
Powershell Store File In Alternate Data Stream
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
Potential Persistence Via Security Descriptors - ScriptBlock
Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.
AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
Potential PowerShell Obfuscation Using Character Join
Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
Suspicious Eventlog Clear
Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs
Powershell Directory Enumeration
Detects technique used by MAZE ransomware to enumerate directories using Powershell
Suspicious PowerShell Download - Powershell Script
Detects suspicious PowerShell download command
Powershell Execute Batch Script
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
Extracting Information with PowerShell
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Troubleshooting Pack Cmdlet Execution
Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)
Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.
Suspicious PowerShell Get Current User
Detects the use of PowerShell to identify the current logged user.
Suspicious GPO Discovery With Get-GPO
Detect use of Get-GPO to get one GPO or all the GPOs in a domain.
Suspicious Process Discovery With Get-Process
Get the processes that are running on the local computer.
PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
Suspicious GetTypeFromCLSID ShellExecute
Detects suspicious Powershell code that execute COM Objects
Suspicious Hyper-V Cmdlets
Adversaries may carry out malicious operations using a virtual instance to avoid detection
Suspicious PowerShell Invocations - Generic
Detects suspicious PowerShell invocation command parameters
Suspicious PowerShell Invocations - Specific
Detects suspicious PowerShell invocation command parameters
Change User Agents with WebRequest
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Suspicious IO.FileStream
Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
Potential Keylogger Activity
Detects PowerShell scripts that contains reference to keystroke capturing functions
Potential Suspicious PowerShell Keywords
Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
Suspicious Get Local Groups Information - PowerShell
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which groups exist and which users belong to a particular group such as the local administrators group.
Powershell Local Email Collection
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
Suspicious Mount-DiskImage
Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
PowerShell Deleted Mounted Share
Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
Suspicious Connection to Remote Account
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
Suspicious New-PSDrive to Admin Share
Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.
Suspicious TCP Tunnel Via PowerShell Script
Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity
Recon Information for Export with PowerShell
Once established within a system or network, an adversary may use automated techniques for collecting internal data
Remove Account From Domain Admin Group
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)
Potential PowerShell Obfuscation Using Alias Cmdlets
Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
Suspicious Get Information for SMB Share
Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Suspicious SSL Connection
Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.
Suspicious Start-Process PassThru
Powershell use PassThru option to start in background
Suspicious Unblock-File
Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.
Replace Desktop Wallpaper by Powershell
An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper
Powershell Suspicious Win32_PnPEntity
Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.
Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil