Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

217 rules found for "attack.T1059.001"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

Invoke-Obfuscation Via Stdin - PowerShell Module

Detects Obfuscated Powershell via Stdin in Scripts

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Mon Oct 12windows
Detectionhightest

Invoke-Obfuscation Via Use Clip - PowerShell Module

Detects Obfuscated Powershell via use Clip.exe in Scripts

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use MSHTA - PowerShell Module

Detects Obfuscated Powershell via use MSHTA in Scripts

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Thu Oct 08windows
Detectionhightest

Invoke-Obfuscation Via Use Rundll32 - PowerShell Module

Detects Obfuscated Powershell via use Rundll32 in Scripts

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Tue Oct 08windows
Detectionhightest

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module

Detects Obfuscated Powershell via VAR++ LAUNCHER

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Tue Oct 13windows
Detectionhightest

Malicious PowerShell Commandlets - PoshModule

Detects Commandlet names from well-known PowerShell exploitation frameworks

WindowsPowerShell Module
TA0002 · ExecutionTA0007 · DiscoveryT1482 · Domain Trust DiscoveryT1087 · Account Discovery+6
Nasreddine Bencherchali (Nextron Systems)Fri Jan 20windows
Detectionhightest

Remote PowerShell Session (PS Module)

Detects remote PowerShell sessions

WindowsPowerShell Module
TA0002 · ExecutionT1059.001 · PowerShellTA0008 · Lateral MovementT1021.006 · Windows Remote Management
Roberto Rodriguez (Cyb3rWard0g)+1Sat Aug 10windows
Detectionmediumtest

Suspicious PowerShell Download - PoshModule

Detects suspicious PowerShell download command

WindowsPowerShell Module
TA0002 · ExecutionT1059.001 · PowerShell
Florian Roth (Nextron Systems)Sun Mar 05windows
Detectionhightest

Suspicious PowerShell Invocations - Generic - PowerShell Module

Detects suspicious PowerShell invocation command parameters

WindowsPowerShell Module
TA0002 · ExecutionT1059.001 · PowerShell
Florian Roth (Nextron Systems)Sun Mar 12windows
Detectionhightest

Suspicious PowerShell Invocations - Specific - PowerShell Module

Detects suspicious PowerShell invocation command parameters

WindowsPowerShell Module
TA0002 · ExecutionT1059.001 · PowerShell
Florian Roth (Nextron Systems)+1Sun Mar 05windows
Detectionhightest

PowerShell ADRecon Execution

Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7

WindowsPowerShell Script
TA0007 · DiscoveryTA0002 · ExecutionT1059.001 · PowerShell
Bhabesh RajFri Jul 16windows
Detectioncriticaltest

Silence.EDA Detection

Detects Silence EmpireDNSAgent as described in the Group-IP report

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShellTA0011 · Command and ControlT1071.004 · DNS+5
Alina Stepchenkova+2Fri Nov 01windows
Detectionmediumtest

PowerShell Create Local User

Detects creation of a local user via PowerShell

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShellTA0003 · PersistenceT1136.001 · Local Account
@roxpinteddySat Apr 11windows
Detectionhightest

DSInternals Suspicious PowerShell Cmdlets - ScriptBlock

Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Nasreddine Bencherchali (Nextron Systems)Wed Jun 26windows
Detectionmediumtest

Import PowerShell Modules From Suspicious Directories

Detects powershell scripts that import modules from suspicious directories

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Nasreddine Bencherchali (Nextron Systems)Thu Jul 07windows
Detectionhightest

Invoke-Obfuscation CLIP+ Launcher - PowerShell

Detects Obfuscated use of Clip.exe to execute PowerShell

WindowsPowerShell Script
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014

WindowsPowerShell Script
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Daniel Bohannon ( / )+1Fri Nov 08windows
Detectionhightest

Invoke-Obfuscation STDIN+ Launcher - Powershell

Detects Obfuscated use of stdin to execute PowerShell

WindowsPowerShell Script
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionhightest

Invoke-Obfuscation VAR+ Launcher - PowerShell

Detects Obfuscated use of Environment Variables to execute PowerShell

WindowsPowerShell Script
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

WindowsPowerShell Script
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionmediumtest

Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell

Detects Obfuscated Powershell via RUNDLL LAUNCHER

WindowsPowerShell Script
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionhightest

Invoke-Obfuscation Via Stdin - Powershell

Detects Obfuscated Powershell via Stdin in Scripts

WindowsPowerShell Script
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Mon Oct 12windows
Detectionhightest

Invoke-Obfuscation Via Use Clip - Powershell

Detects Obfuscated Powershell via use Clip.exe in Scripts

WindowsPowerShell Script
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use MSHTA - PowerShell

Detects Obfuscated Powershell via use MSHTA in Scripts

WindowsPowerShell Script
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Thu Oct 08windows
Detectionhightest

Invoke-Obfuscation Via Use Rundll32 - PowerShell

Detects Obfuscated Powershell via use Rundll32 in Scripts

WindowsPowerShell Script
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Tue Oct 08windows
Detectionhightest

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell

Detects Obfuscated Powershell via VAR++ LAUNCHER

WindowsPowerShell Script
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Tue Oct 13windows
Detectionhightest

Malicious PowerShell Commandlets - ScriptBlock

Detects Commandlet names from well-known PowerShell exploitation frameworks

WindowsPowerShell Script
TA0002 · ExecutionTA0007 · DiscoveryT1482 · Domain Trust DiscoveryT1087 · Account Discovery+6
Sean Metcalf+10Sun Mar 05windows
Detectionmediumtest

Malicious PowerShell Keywords

Detects keywords from well-known PowerShell exploitation frameworks

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Sean Metcalf (source)+1Sun Mar 05windows
Detectionmediumtest

Powershell MsXml COM Object

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
François Hubaut+1Wed Jan 19windows
Detectionhightest

Malicious Nishang PowerShell Commandlets

Detects Commandlet names and arguments from the Nishang exploitation framework

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Alec CostelloThu May 16windows
Detectionhightest

NTFS Alternate Data Stream

Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.

WindowsPowerShell Script
TA0005 · Defense EvasionT1564.004 · NTFS File AttributesTA0002 · ExecutionT1059.001 · PowerShell
Sami RuohonenTue Jul 24windows
Detectionhightest

PowerShell Web Access Installation - PsScript

Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse

WindowsPowerShell Script
TA0003 · PersistenceTA0002 · ExecutionT1059.001 · PowerShell
Michael HaagTue Sep 03windows
Detectionhightest

PowerView PowerShell Cmdlets - ScriptBlock

Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Bhabesh RajTue May 18windows
Detectionhightest

PowerShell Credential Prompt

Detects PowerShell calling a credential prompt

WindowsPowerShell Script
TA0006 · Credential AccessTA0002 · ExecutionT1059.001 · PowerShell
John Lambert+1Sun Apr 09windows
Detectionhightest

PSAsyncShell - Asynchronous TCP Reverse Shell

Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Nasreddine Bencherchali (Nextron Systems)Tue Oct 04windows
Detectionhightest

PowerShell PSAttack

Detects the use of PSAttack PowerShell hack tool

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Sean Metcalf (source)+1Sun Mar 05windows
Detectionmediumtest

PowerShell Remote Session Creation

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
François HubautThu Jan 06windows
Detectionmediumtest

Change PowerShell Policies to an Insecure Level - PowerShell

Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
François HubautWed Oct 20windows
Detectionhightest

PowerShell ShellCode

Detects Base64 encoded Shellcode

WindowsPowerShell Script
TA0005 · Defense EvasionTA0004 · Privilege EscalationT1055 · Process InjectionTA0002 · Execution+1
David Ledbetter (shellcode)+1Sat Nov 17windows
Detectionhightest

Malicious ShellIntel PowerShell Commandlets

Detects Commandlet names from ShellIntel exploitation scripts.

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Max Altgelt (Nextron Systems)+1Mon Aug 09windows
Detectionlowtest

Potential PowerShell Obfuscation Using Character Join

Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation

WindowsPowerShell Script
TA0005 · Defense EvasionTA0002 · ExecutionT1027 · Obfuscated Files or InformationT1059.001 · PowerShell
Nasreddine Bencherchali (Nextron Systems)Mon Jan 09windows
Detectionmediumtest

Suspicious PowerShell Download - Powershell Script

Detects suspicious PowerShell download command

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Florian Roth (Nextron Systems)Sun Mar 05windows
Detectionhightest

Suspicious PowerShell Invocations - Generic

Detects suspicious PowerShell invocation command parameters

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Florian Roth (Nextron Systems)Sun Mar 12windows
Detectionhightest

Suspicious PowerShell Invocations - Specific

Detects suspicious PowerShell invocation command parameters

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Florian Roth (Nextron Systems)+1Sun Mar 05windows
Detectionmediumtest

Potential Suspicious PowerShell Keywords

Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
Florian Roth (Nextron Systems)+2Mon Feb 11windows
Detectionlowtest

Potential PowerShell Obfuscation Using Alias Cmdlets

Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts

WindowsPowerShell Script
TA0005 · Defense EvasionTA0002 · ExecutionT1027 · Obfuscated Files or InformationT1059.001 · PowerShell
François HubautSun Jan 08windows
Detectionmediumtest

Usage Of Web Request Commands And Cmdlets - ScriptBlock

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShell
James PembertonThu Oct 24windows
Detectionhightest

Potential WinAPI Calls Via PowerShell Scripts

Detects use of WinAPI functions in PowerShell scripts

WindowsPowerShell Script
TA0002 · ExecutionT1059.001 · PowerShellT1106 · Native API
Nasreddine Bencherchali (Nextron Systems)+2Tue Oct 06windows
12345