Sigma Rules
217 rules found for "attack.T1059.001"
Suspicious Execution of Powershell with Base64
Commandline to launch powershell with a base64 payload
Potential Encoded PowerShell Patterns In CommandLine
Detects specific combinations of encoding methods in PowerShell via the commandline
Powershell Inline Execution From A File
Detects inline execution of PowerShell code from a file
Certificate Exported Via PowerShell
Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.
Base64 Encoded PowerShell Command Detected
Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string
Suspicious PowerShell IEX Execution Patterns
Detects suspicious ways to run Invoke-Execution using IEX alias
Import PowerShell Modules From Suspicious Directories - ProcCreation
Detects powershell scripts that import modules from suspicious directories
Malicious PowerShell Commandlets - ProcessCreation
Detects Commandlet names from well-known PowerShell exploitation frameworks
Non Interactive PowerShell Process Spawned
Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.
Potential PowerShell Obfuscation Via WCHAR/CHAR
Detects suspicious encoded character syntax often used for defense evasion
Execution of Powershell Script in Public Folder
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
Potential Powershell ReverseShell Connection
Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
Suspicious PowerShell Invocation From Script Engines
Detects suspicious powershell invocations from interpreters or unusual programs
Change PowerShell Policies to an Insecure Level
Detects changing the PowerShell script execution policy to a potentially insecure level using the "-ExecutionPolicy" flag.
Exchange PowerShell Snap-Ins Usage
Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
Suspicious PowerShell Download and Execute Pattern
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
Suspicious PowerShell Parameter Substring
Detects suspicious PowerShell invocation with a parameter substring
Suspicious PowerShell Parent Process
Detects a suspicious or uncommon parent processes of PowerShell
PowerShell Script Run in AppData
Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
Net WebClient Casing Anomalies
Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
Suspicious XOR Encoded PowerShell Command
Detects presence of a potentially xor encoded powershell command
Suspicious Schtasks Execution AppData Folder
Detects the creation of a schtask that executes a file from C:\Users\<USER>\AppData\Local
Potential Persistence Via Powershell Search Order Hijacking - Task
Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
Scheduled Task Executing Payload from Registry
Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.
Scheduled Task Executing Encoded Payload from Registry
Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.
Potential Data Exfiltration Activity Via CommandLine Tools
Detects the use of various CLI utilities exfiltrating data via web requests
Hidden Powershell in Link File Pattern
Detects events that appear when a user click on a link file with a powershell command in it
Windows Shell/Scripting Processes Spawning Suspicious Programs
Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
Usage Of Web Request Commands And Cmdlets
Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine
Potentially Suspicious WebDAV LNK Execution
Detects possible execution via LNK file accessed on a WebDAV server.
Remote PowerShell Session Host Process (WinRM)
Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).
Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key. This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
Turla Group Commands May 2020
Detects commands used by Turla group as reported by ESET in May 2020
TropicTrooper Campaign November 2018
Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
Potential Baby Shark Malware Activity
Detects activity that could be related to Baby Shark malware
Potential Emotet Activity
Detects all Emotet like process executions that are not covered by the more generic rules
Operation Wocao Activity
Detects activity mentioned in Operation Wocao report
Operation Wocao Activity - Security
Detects activity mentioned in Operation Wocao report
Exploited CVE-2020-10189 Zoho ManageEngine
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
Suspicious PrinterPorts Creation (CVE-2020-1048)
Detects new commands that add new printer port which point to suspicious file
Greenbug Espionage Group Indicators
Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec
UNC2452 Process Creation Patterns
Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries
UNC2452 PowerShell Pattern
Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports
Potential BlackByte Ransomware Activity
Detects command line patterns used by BlackByte ransomware in different operations
CVE-2022-24527 Microsoft Connected Cache LPE
Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache
Potential Bumblebee Remote Thread Creation
Detects remote thread injection events based on action seen used by bumblebee
ChromeLoader Malware Execution
Detects execution of ChromeLoader malware via a registered scheduled task