Add Windows Capability Via PowerShell Script
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
Sigma rule (View on GitHub)
1title: Add Windows Capability Via PowerShell Script
2id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429
3related:
4 - id: b36d01a3-ddaf-4804-be18-18a6247adfcd
5 type: similar
6status: test
7description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
8references:
9 - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
10 - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-01-22
13modified: 2023-05-09
14tags:
15 - attack.execution
16logsource:
17 product: windows
18 category: ps_script
19 definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21 selection_cmdlet:
22 ScriptBlockText|contains: 'Add-WindowsCapability '
23 selection_capa:
24 ScriptBlockText|contains: '-Name OpenSSH.' # For both "OpenSSH.Server" and "OpenSSH.Client"
25 condition: all of selection_*
26falsepositives:
27 - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.
28level: medium
References
-
Learn how to install and connect to remote machines using the OpenSSH Client and Server for Windows.
Read More -
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- AWS EC2 Startup Shell Script Change