Detects executions of scripts located in potentially suspicious locations such as "/tmp" via a shell such as "bash", "sh", etc.

Detects execution of shells from a parent process located in a temporary (/tmp) directory

Detects execution of binaries located in potentially suspicious locations via "nohup"

Detects processes loading modules related to PCRE.NET package

Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's "load powershell" extension.

Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers

Detects a "regsvr32" execution where the DLL doesn't contain a common file extension.

Detects potential SquiblyTwo attack technique with possible renamed WMIC via Imphash and OriginalFileName fields

Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.

Detects download of certain file types from hosts in suspicious TLDs

Detects executable downloads from suspicious remote systems

Detects suspicious child processes of Wscript/Cscript

Detects Wscript/Cscript executing a file with an uncommon (i.e. non-script) extension

Detects inline windows shell commands redirecting output via the ">" symbol to a suspicious location

Detects scheduled task creation using "schtasks" that contain potentially suspicious or uncommon commands

Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity

Detects script file execution (.js, .jse, .vba, .vbe, .vbs, .wsf) by Wscript/Cscript

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Detects usage of the "Add-WindowsCapability" cmdlet to add Windows capabilities. Notable capabilities could be "OpenSSH" and others.

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

Detects Obfuscated use of Clip.exe to execute PowerShell

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Detects Obfuscated use of stdin to execute PowerShell

Detects Obfuscated use of Environment Variables to execute PowerShell

Detects Obfuscated Powershell via VAR++ LAUNCHER

Detects Obfuscated Powershell via Stdin in Scripts

Detects Obfuscated Powershell via use Clip.exe in Scripts

Detects Obfuscated Powershell via use MSHTA in Scripts

Detects Obfuscated Powershell via use Rundll32 in Scripts

Detects Commandlet names from well-known PowerShell exploitation frameworks

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

Detects Microsoft Excel loading an Add-In (.xll) file from an uncommon location

Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.

Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system

Detects remote PowerShell sessions

Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs

Detects suspicious PowerShell download command

Detects suspicious PowerShell invocation command parameters

Detects suspicious PowerShell invocation command parameters

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

Detects the creation of binaries in the WinSxS folder by non-system processes

Detects PowerShell download and execution cradles.

Detects file download using curl.exe

Detects remote thread creation from CACTUSTORCH as described in references.

Detects the creation of a remote thread from a Powershell process to another process

Detects the creation of a remote thread from a Powershell process in a rundll32 process