Add Windows Capability Via PowerShell Cmdlet
Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
Sigma rule (View on GitHub)
1title: Add Windows Capability Via PowerShell Cmdlet
2id: b36d01a3-ddaf-4804-be18-18a6247adfcd
3related:
4 - id: 155c7fd5-47b4-49b2-bbeb-eb4fab335429
5 type: similar
6status: test
7description: Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.
8references:
9 - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
10 - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2023-01-22
13modified: 2023-05-09
14tags:
15 - attack.execution
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection_img:
21 - Image|endswith:
22 - '\powershell.exe'
23 - '\pwsh.exe'
24 - OriginalFileName:
25 - 'PowerShell.EXE'
26 - 'pwsh.dll'
27 selection_cmdlet:
28 CommandLine|contains: 'Add-WindowsCapability'
29 selection_capa:
30 CommandLine|contains: 'OpenSSH.' # For both "OpenSSH.Server" and "OpenSSH.Client"
31 condition: all of selection_*
32falsepositives:
33 - Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.
34level: medium
References
-
Learn how to install and connect to remote machines using the OpenSSH Client and Server for Windows.
Read More -
Related rules
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AMSI Bypass Pattern Assembly GetType
- APT29 2018 Phishing Campaign CommandLine Indicators
- AWS EC2 Startup Shell Script Change