Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow.

Read More

Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.

Read More

Detects the installation and configuration of PowerShell Web Access, which could be used for remote access and potential abuse

Read More

Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus

Read More

Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation

Read More

Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365.

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store.

Read More

Detects usage of the "Get-AdComputer" to enumerate Computers or properties within Active Directory.

Read More

Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory

Read More

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Read More

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Read More

Detects code fragments found in small and obfuscated AMSI bypass PowerShell scripts

Read More

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Read More

Once established within a system or network, an adversary may use automated techniques for collecting internal data.

Read More

Detects calls to cmdlets inside of PowerShell scripts that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Read More

Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.

Read More

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Read More

Identifies when a user attempts to clear console history. An adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion.

Read More

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs

Read More

Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file

Read More

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information

Read More

Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Read More

Detects deletion of Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil

Read More

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.

Read More

Enumerates Active Directory to determine computers that are joined to the domain

Read More

Detects usage of powershell cmdlets to disable or remove ETW trace sessions

Read More

Detects scripts or commands that disabled the Powershell command history by removing psreadline module

Read More

Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Read More

Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files. The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Read More

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

Read More

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Read More

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.

Read More

Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

Read More

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

Read More

Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication.

Read More

Detects the execution of the hacktool Rubeus using specific command line flags

Read More

Detects powershell scripts that import modules from suspicious directories

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More

Detects usage of a PowerShell command to dump the live memory of a Windows machine

Read More

Detects Commandlet names and arguments from the Nishang exploitation framework

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects keywords from well-known PowerShell exploitation frameworks

Read More

Detects Commandlet names from ShellIntel exploitation scripts.

Read More

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain..

Read More

Detect malicious GPO modifications can be used to implement many other malicious behaviors.

Read More

Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.

Read More

Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpolicy is used to get the default password policy for an Active Directory domain.

Read More

Detects usage of the "Import-Module" cmdlet to load the "Microsoft.ActiveDirectory.Management.dl" DLL. Which is often used by attackers to perform AD enumeration.

Read More

Detects usage of special strings/null bits in order to potentially bypass AMSI functionalities

Read More

Detects usage of COM objects that can be abused to download files in PowerShell by CLSID

Read More

Detects potential exfiltration attempt via audio file using PowerShell

Read More

Detects usage of "Reflection.Assembly" load functions to dynamically load assemblies in memory

Read More

Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.

Read More

Detects PowerShell scripts that contains reference to keystroke capturing functions

Read More

Detects the execution of powershell scripts with calls to the "Start-NetEventSession" cmdlet. Which allows an attacker to start event and packet capture for a network event session. Adversaries may attempt to capture network to gather information over the course of an operation. Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol.

Read More

Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence

Read More

Detects usage of certain functions and keywords that are used to manipulate security descriptors in order to potentially set a backdoor. As seen used in the DAMP project.

Read More

Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts

Read More

Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation

Read More

Detects PowerShell module creation where the module Contents are set to "function Get-VMRemoteFXPhysicalVideoAdapter". This could be a sign of potential abuse of the "RemoteFXvGPUDisablement.exe" binary which is known to be vulnerable to module load-order hijacking.

Read More

Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework

Read More

Detects usage of the built-in PowerShell cmdlet "Enable-WindowsOptionalFeature" used as a Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images

Read More

Detects use of WinAPI functions in PowerShell scripts

Read More

Detects usage of the WMI class "Win32_NTEventlogFile" in a potentially suspicious way (delete, backup, change permissions, etc.) from a PowerShell script

Read More

Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.

Read More

Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7

Read More

Detects creation of a local user via PowerShell

Read More

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code

Read More

Detects PowerShell calling a credential prompt

Read More

Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation

Read More

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox

Read More

Detects technique used by MAZE ransomware to enumerate directories using Powershell

Read More

DNSExfiltrator allows for transferring (exfiltrate) a file over a DNS request covert channel

Read More

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system

Read More

Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity

Read More

Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers

Read More

Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

Read More

Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"

Read More

Adversaries may log user keystrokes to intercept credentials as the user types them.

Read More

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.

Read More

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups

Read More

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

Read More

Detects the use of PSAttack PowerShell hack tool

Read More

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system

Read More

Detects PowerShell scripts set ACL to of a file or a folder

Read More

Detects PowerShell scripts that have capabilities to read files, loop through them and resolve DNS host entries.

Read More

Detects PowerShell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.

Read More

Detect adversaries enumerate sensitive files

Read More

Detects PowerShell scripts to set the ACL to a file in the Windows folder

Read More

Detects Base64 encoded Shellcode

Read More

Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.

Read More

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.

Read More

Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder.

Read More

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription.

Read More

Detects the execution of an MSI file using PowerShell and the WMI Win32_Product class

Read More

Detects usage of the "Write-EventLog" cmdlet with 'RawData' flag. The cmdlet can be levreage to write malicious payloads to the EventLog and then retrieve them later for later use

Read More

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

Read More

Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.

Read More

Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell

Read More

Once established within a system or network, an adversary may use automated techniques for collecting internal data

Read More

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. (Citation: Microsoft Profiling Mar 2017) (Citation: Microsoft COR_PROFILER Feb 2013)

Read More

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

Read More

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper

Read More

utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.

Read More

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.

Read More

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services

Read More

Detects Silence EmpireDNSAgent as described in the Group-IP report

Read More

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism

Read More

Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs

Read More

Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward.

Read More

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

Read More

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Read More

The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.

Read More

Detects suspicious Powershell code that execute COM Objects

Read More

Detect use of Get-GPO to get one GPO or all the GPOs in a domain.

Read More

Adversaries may carry out malicious operations using a virtual instance to avoid detection

Read More

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

Read More

Open a handle on the drive volume via the \.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.

Read More

Adversaries may abuse container files such as disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.

Read More

Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

Read More

Detects suspicious PowerShell download command

Read More

Detects the use of PowerShell to identify the current logged user.

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations

Read More

Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.

Read More

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden

Read More

Get the processes that are running on the local computer.

Read More

Detects usage of the "Set-Service" powershell cmdlet to configure a new SecurityDescriptor that allows a service to be hidden from other utilities such as "sc.exe", "Get-Service"...etc. (Works only in powershell 7)

Read More

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol.

Read More

Powershell use PassThru option to start in background

Read More

Detects powershell scripts that creates sockets/listeners which could be indicative of tunneling activity

Read More

Remove the Zone.Identifier alternate data stream which identifies the file as downloaded from the internet.

Read More

Detect use of X509Enrollment

Read More

Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.

Read More

Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet

Read More

Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443.

Read More

Detects execution of "TroubleshootingPack" cmdlets to leverage CVE-2022-30190 or action similar to "msdt" lolbin (as described in LOLBAS)

Read More

Detects usage of the "Add-AppxPackage" or it's alias "Add-AppPackage" to install unsigned AppX packages

Read More

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

Read More

Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file

Read More

Detects execution of a PowerShell script that contains calls to the "Veeam.Backup" class, in order to dump stored credentials.

Read More

Detects modifications to the Windows Defender configuration settings using PowerShell to add exclusions

Read More

Detects when a user disables the Windows Firewall via a Profile to help evade defense.

Read More

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations

Read More

Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.

Read More

Detects known WMI recon method to look for unquoted service paths, often used by pentest inside of powershell scripts attackers enum scripts

Read More

Detects parameters used by WMImplant

Read More

Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration. An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.

Read More