Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

217 rules found for "attack.T1059.001"

3,707Total
3,116Detection
451Emerging
137Hunting
Detectionhightest

AWS EC2 Startup Shell Script Change

Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

AWScloudtrail
TA0002 · ExecutionT1059.001 · PowerShellT1059.003 · Windows Command ShellT1059.004 · Unix Shell
falokerWed Feb 12cloud
Detectionmediumtest

AppLocker Prevented Application or Script from Running

Detects when AppLocker prevents the execution of an Application, DLL, Script, MSI, or Packaged-App from running.

Windowsapplocker
TA0002 · ExecutionT1204.002 · Malicious FileT1059.001 · PowerShellT1059.003 · Windows Command Shell+3
Pushkarev DmitrySun Jun 28windows
Detectionhightest

Invoke-Obfuscation CLIP+ Launcher - Security

Detects Obfuscated use of Clip.exe to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation STDIN+ Launcher - Security

Detects Obfuscated use of stdin to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionhightest

Invoke-Obfuscation VAR+ Launcher - Security

Detects Obfuscated use of Environment Variables to execute PowerShell

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - Security

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionmediumtest

Invoke-Obfuscation RUNDLL LAUNCHER - Security

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionhightest

Invoke-Obfuscation Via Stdin - Security

Detects Obfuscated Powershell via Stdin in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Mon Oct 12windows
Detectionhightest

Invoke-Obfuscation Via Use Clip - Security

Detects Obfuscated Powershell via use Clip.exe in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use MSHTA - Security

Detects Obfuscated Powershell via use MSHTA in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use Rundll32 - Security

Detects Obfuscated Powershell via use Rundll32 in Scripts

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security

Detects Obfuscated Powershell via VAR++ LAUNCHER

Windowssecurity
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Tue Oct 13windows
Detectionhightest

Remote PowerShell Sessions Network Connections (WinRM)

Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986

Windowssecurity
TA0002 · ExecutionT1059.001 · PowerShell
Roberto Rodriguez (Cyb3rWard0g)Thu Sep 12windows
Detectionhightest

Invoke-Obfuscation CLIP+ Launcher - System

Detects Obfuscated use of Clip.exe to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation STDIN+ Launcher - System

Detects Obfuscated use of stdin to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionhightest

Invoke-Obfuscation VAR+ Launcher - System

Detects Obfuscated use of Environment Variables to execute PowerShell

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - System

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionmediumtest

Invoke-Obfuscation RUNDLL LAUNCHER - System

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionhightest

Invoke-Obfuscation Via Stdin - System

Detects Obfuscated Powershell via Stdin in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Mon Oct 12windows
Detectionhightest

Invoke-Obfuscation Via Use Clip - System

Detects Obfuscated Powershell via use Clip.exe in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use MSHTA - System

Detects Obfuscated Powershell via use MSHTA in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation Via Use Rundll32 - System

Detects Obfuscated Powershell via use Rundll32 in Scripts

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Nikita Nazarov+1Fri Oct 09windows
Detectionhightest

Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System

Detects Obfuscated Powershell via VAR++ LAUNCHER

Windowssystem
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Tue Oct 13windows
Detectionmediumtest

Remote Thread Creation Via PowerShell In Uncommon Target

Detects the creation of a remote thread from a Powershell process in an uncommon target process

WindowsRemote Thread Creation
TA0005 · Defense EvasionTA0002 · ExecutionT1218.011 · Rundll32T1059.001 · PowerShell
Florian Roth (Nextron Systems)Mon Jun 25windows
Detectionhightest

BloodHound Collection Files

Detects default file names outputted by the BloodHound collection tool SharpHound

WindowsFile Event
TA0007 · DiscoveryT1087.001 · Local AccountT1087.002 · Domain AccountT1482 · Domain Trust Discovery+4
C.J. MayTue Aug 09windows
Detectionhightest

Malicious PowerShell Scripts - FileCreation

Detects the creation of known offensive powershell scripts used for exploitation

WindowsFile Event
TA0002 · ExecutionT1059.001 · PowerShell
Markus Neis+3Sat Apr 07windows
Detectionhightest

Suspicious Interactive PowerShell as SYSTEM

Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context

WindowsFile Event
TA0002 · ExecutionT1059.001 · PowerShell
Florian Roth (Nextron Systems)Tue Dec 07windows
Detectionmediumtest

PowerShell Core DLL Loaded By Non PowerShell Process

Detects loading of essential DLLs used by PowerShell by non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.

WindowsImage Load (DLL)
T1059.001 · PowerShellTA0002 · Execution
Tom Kern+5Thu Nov 14windows
Detectionmediumtest

Suspicious WSMAN Provider Image Loads

Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.

WindowsImage Load (DLL)
TA0002 · ExecutionT1059.001 · PowerShellTA0008 · Lateral MovementT1021.003 · Distributed Component Object Model
Roberto Rodriguez (Cyb3rWard0g)+1Wed Jun 24windows
Detectionhightest

Potential Remote PowerShell Session Initiated

Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. This could potentially indicates a remote PowerShell connection.

WindowsNetwork Connection
TA0002 · ExecutionT1059.001 · PowerShellTA0008 · Lateral MovementT1021.006 · Windows Remote Management
Roberto Rodriguez (Cyb3rWard0g)Thu Sep 12windows
Detectionmediumtest

Alternate PowerShell Hosts Pipe

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

WindowsNamed Pipe Created
TA0002 · ExecutionT1059.001 · PowerShell
Roberto Rodriguez (Cyb3rWard0g)+1Thu Sep 12windows
Detectioninformationaltest

New PowerShell Instance Created

Detects the execution of PowerShell via the creation of a named pipe starting with PSHost

WindowsNamed Pipe Created
TA0002 · ExecutionT1059.001 · PowerShell
Roberto Rodriguez (Cyb3rWard0g)+1Thu Sep 12windows
Detectionmediumtest

Nslookup PowerShell Download Cradle

Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

WindowsPowerShell Classic
TA0002 · ExecutionT1059.001 · PowerShell
Sai Prashanth Pulisetti+1Sat Dec 10windows
Detectionmediumtest

PowerShell Downgrade Attack - PowerShell

Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0

WindowsPowerShell Classic
TA0005 · Defense EvasionTA0002 · ExecutionT1059.001 · PowerShell
Florian Roth (Nextron Systems)+2Wed Mar 22windows
Detectionhightest

PowerShell Called from an Executable Version Mismatch

Detects PowerShell called from an executable by the version mismatch method

WindowsPowerShell Classic
TA0005 · Defense EvasionTA0002 · ExecutionT1059.001 · PowerShell
Sean Metcalf (source)+1Sun Mar 05windows
Detectionlowtest

Remote PowerShell Session (PS Classic)

Detects remote PowerShell sessions

WindowsPowerShell Classic
TA0002 · ExecutionT1059.001 · PowerShellTA0008 · Lateral MovementT1021.006 · Windows Remote Management
Roberto Rodriguez (Cyb3rWard0g)Sat Aug 10windows
Detectionlowtest

Renamed Powershell Under Powershell Channel

Detects a renamed Powershell execution, which is a common technique used to circumvent security controls and bypass detection logic that's dependent on process names and process paths.

WindowsPowerShell Classic
TA0002 · ExecutionTA0005 · Defense EvasionT1059.001 · PowerShellT1036.003 · Rename System Utilities
Harish Segar+1Mon Jun 29windows
Detectionmediumtest

Suspicious PowerShell Download

Detects suspicious PowerShell download command

WindowsPowerShell Classic
TA0002 · ExecutionT1059.001 · PowerShell
Florian Roth (Nextron Systems)Sun Mar 05windows
Detectionmediumtest

Suspicious Non PowerShell WSMAN COM Provider

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Windowspowershell-classic
TA0002 · ExecutionT1059.001 · PowerShellTA0008 · Lateral MovementT1021.003 · Distributed Component Object Model
Roberto Rodriguez (Cyb3rWard0g)+1Wed Jun 24windows
Detectionmediumtest

Alternate PowerShell Hosts - PowerShell Module

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

WindowsPowerShell Module
TA0002 · ExecutionT1059.001 · PowerShell
Roberto Rodriguez (Cyb3rWard0g)Sun Aug 11windows
Detectioncriticaltest

Bad Opsec Powershell Code Artifacts

focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

WindowsPowerShell Module
TA0002 · ExecutionT1059.001 · PowerShell
ok invrep_de+1Fri Oct 09windows
Detectionhightest

Malicious PowerShell Scripts - PoshModule

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

WindowsPowerShell Module
TA0002 · ExecutionT1059.001 · PowerShell
François Hubaut+1Mon Jan 23windows
Detectionhightest

Invoke-Obfuscation CLIP+ Launcher - PowerShell Module

Detects Obfuscated use of Clip.exe to execute PowerShell

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Tue Oct 13windows
Detectionhightest

Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Daniel Bohannon ( / )+1Fri Nov 08windows
Detectionhightest

Invoke-Obfuscation STDIN+ Launcher - PowerShell Module

Detects Obfuscated use of stdin to execute PowerShell

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionhightest

Invoke-Obfuscation VAR+ Launcher - PowerShell Module

Detects Obfuscated use of Environment Variables to execute PowerShell

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Jonathan Cheong+1Thu Oct 15windows
Detectionmediumtest

Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
Detectionmediumtest

Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module

Detects Obfuscated Powershell via RUNDLL LAUNCHER

WindowsPowerShell Module
TA0005 · Defense EvasionT1027 · Obfuscated Files or InformationTA0002 · ExecutionT1059.001 · PowerShell
Timur Zinniatullin+1Sun Oct 18windows
12345