Detects powershell scripts that import modules from suspicious directories

Read More

Detects powershell scripts that import modules from suspicious directories

Read More

Detects Commandlet names and arguments from the Nishang exploitation framework

Read More

Detects the execution of known offensive powershell scripts used for exploitation or reconnaissance

Read More

Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader

Read More

Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts

Read More

Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation

Read More

Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc.

Read More

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

Read More

Detects suspicious PowerShell download command

Read More

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs

Read More

Detects execution of the POWERHOLD script seen used by FIN7 as reported by WithSecureLabs

Read More

Detects potential execution of the PowerShell script POWERTRASH

Read More

Detects the creation of a remote thread from a Powershell process in a potentially suspicious target process

Read More

Detects a PowerShell script used by Lace Tempest APT to erase evidence from victim servers by exploiting CVE-2023-47246 as reported by SysAid Team

Read More

Detects a PowerShell script used by Lace Tempest APT to launch their malware loader by exploiting CVE-2023-47246 as reported by SysAid Team

Read More

Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)

Read More

Detects various execution patterns of the CrackMapExec pentesting framework

Read More

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Read More

Detects use of Set-ExecutionPolicy to set insecure policies

Read More

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014

Read More

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques

Read More

Detects inline execution of PowerShell code from a file

Read More

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system

Read More

Detects suspicious ways to download files or content using PowerShell

Read More

Commandline to launch powershell with a base64 payload

Read More

Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects default file names outputted by the BloodHound collection tool SharpHound

Read More

Detects keywords from well-known PowerShell exploitation frameworks

Read More

Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.

Read More

Detects PowerShell called from an executable by the version mismatch method

Read More

Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0

Read More

Detects remote PowerShell sessions

Read More

Detects renamed powershell

Read More

Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.

Read More

Detects suspicious PowerShell download command

Read More

Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.

Read More

Detects files created during the local privilege exploitation of CVE-2022-24527 Microsoft Connected Cache

Read More

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Read More

focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec.

Read More

Detects usage of the "ConvertTo-SecureString" cmdlet via the commandline. Which is fairly uncommon and could indicate potential suspicious activity

Read More

Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

Read More

Detects command line parameters used by Bloodhound and Sharphound hack tools

Read More

The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More

Detects base64 encoded strings used in hidden malicious PowerShell command lines

Read More

Detects Commandlet names from ShellIntel exploitation scripts.

Read More

Detects non-interactive PowerShell activity by looking at the "powershell" process with a non-user GUI process such as "explorer.exe" as a parent.

Read More

Detects activity that could be related to Baby Shark malware

Read More

Detects the use of various CLI utilities exfiltrating data via web requests

Read More

Detects specific combinations of encoding methods in PowerShell via the commandline

Read More

Detects the PowerShell command lines with special characters

Read More

Detects the presence of reversed PowerShell commands in the CommandLine. This is often used as a method of obfuscation by attackers

Read More

Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.

Read More

Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework

Read More

Detects Powershell as a child of the WmiPrvSE process. Which could be a sign of lateral movement via WMI.

Read More

Detects possible execution via LNK file accessed on a WebDAV server.

Read More

Detects execution of ADRecon.ps1 for AD reconnaissance which has been reported to be actively used by FIN7

Read More

Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line

Read More

Detects usage of a base64 encoded "IEX" cmdlet in a process command line

Read More

Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls

Read More

Detects loading of essential DLLs used by PowerShell, but not by the process powershell.exe. Detects behaviour similar to meterpreter's "load powershell" extension.

Read More

Detects a Powershell process that contains download commands in its command line string

Read More

Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account.

Read More

Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)

Read More

Detects a suspicious or uncommon parent processes of PowerShell

Read More

Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.

Read More

Detects presence of a potentially xor encoded powershell command

Read More

Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries

Read More

Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.

Read More

Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.

Read More

Detects use of executionpolicy option to set insecure policies

Read More

Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)

Read More

This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder

Read More

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code

Read More

Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder

Read More

Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell

Read More

Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context

Read More

Detects suspicious PowerShell download command

Read More

Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)

Read More

Detects suspicious ways to run Invoke-Execution using IEX alias

Read More

Detects the creation of a schtask that executes a file from C:\Users<USER>\AppData\Local

Read More

Detects remote thread injection events based on action seen used by bumblebee

Read More

Detects a PowerShell process that initiates network connections. Check for suspicious target ports and target systems.

Read More

Detects calls to cmdlets that are used to export certificates from the local certificate store. Threat actors were seen abusing this to steal private keys from compromised machines.

Read More

This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.

Read More

Detects command line patterns used by BlackByte ransomware in different operations

Read More

Detects potential DLL files being downloaded using the PowerShell Invoke-WebRequest cmdlet

Read More

Detects potentially suspicious child processes spawned by PowerShell

Read More

Detects possible execution via LNK file accessed on a WebDAV server.

Read More

Detects use of WinAPI functions in PowerShell scripts

Read More

Detects the creation of a schtask that potentially executes a base64 encoded payload stored in the Windows Registry using PowerShell.

Read More

Detects the creation of a schtasks that potentially executes a payload stored in the Windows Registry using PowerShell.

Read More

Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189

Read More

Detects tools and process executions used by Greenbug in their May 2020 campaign as reported by Symantec

Read More

Detects suspicious command line patterns seen being used by MERCURY APT

Read More

Detects activity mentioned in Operation Wocao report

Read More

Detects activity mentioned in Operation Wocao report

Read More

Detects all Emotet like process executions that are not covered by the more generic rules

Read More

Detects Rorschach ransomware execution activity

Read More

Detects new commands that add new printer port which point to suspicious file

Read More

Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia

Read More

Detects commands used by Turla group as reported by ESET in May 2020

Read More

Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports

Read More

Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects remote PowerShell sessions

Read More

Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via CommandLine

Read More

Detects the execution of powershell.exe with base64 Option. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the execution of powershell.exe with command lines that include variations of the -encodedcommand argument. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects powershell command line strings with high numbers of suspicious characters, potentially for obfuscation. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects the execution of powershell.exe with suspicious cmdlets or options. Part of the RedCanary 2023 Threat Detection Report.

Read More

Detects Obfuscated use of Clip.exe to execute PowerShell

Read More

Detects Obfuscated Powershell via COMPRESS OBFUSCATION

Read More

Detects Obfuscated Powershell via RUNDLL LAUNCHER

Read More

Detects Obfuscated use of stdin to execute PowerShell

Read More

Detects Obfuscated use of Environment Variables to execute PowerShell

Read More

Detects Obfuscated Powershell via VAR++ LAUNCHER

Read More

Detects Obfuscated Powershell via Stdin in Scripts

Read More

Detects Obfuscated Powershell via use Clip.exe in Scripts

Read More

Detects Obfuscated Powershell via use MSHTA in Scripts

Read More

Detects Obfuscated Powershell via use Rundll32 in Scripts

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects Commandlet names from well-known PowerShell exploitation frameworks

Read More

Detects the creation of known offensive powershell scripts used for exploitation

Read More

Detects Commandlet names from PowerView of PowerSploit exploitation framework.

Read More

Detects a suspicious child process of a Microsoft HTML Help (HH.exe)

Read More

Detects a suspicious execution of a Microsoft HTML Help (HH.exe)

Read More

Detects base64 encoded .NET reflective loading of Assembly

Read More

Detects Silence EmpireDNSAgent as described in the Group-IP report

Read More

Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly"

Read More

Detects the creation of a schtask via PowerSploit or Empire Default Configuration.

Read More

Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe. This could be a sign of obfuscation of a fat finger problem (typo by the developer).

Read More

Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell)

Read More

Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files

Read More

This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Read More

Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block

Read More

Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PowerShell remote session).

Read More

This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.

Read More

Detects suspicious command lines used in Covenant luanchers

Read More

Detects suspicious powershell command line parameters used in Empire

Read More

Detects events that appear when a user click on a link file with a powershell command in it

Read More

Detects suspicious encoded character syntax often used for defense evasion

Read More

Detects the execution of powershell, a WebClient object creation and the invocation of DownloadFile in a single command line

Read More

Detects suspicious powershell invocations from interpreters or unusual programs

Read More

Detects execution of PowerShell via creation of named pipe starting with PSHost

Read More

Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986

Read More

Detects usage of the "FromBase64String" function in the commandline which is used to decode a base64 encoded string

Read More

Detects PowerShell calling a credential prompt

Read More

Detects the use of PSAttack PowerShell hack tool

Read More

Detects Base64 encoded Shellcode

Read More

Detects suspicious PowerShell invocation command parameters

Read More

Detects suspicious PowerShell invocation with a parameter substring

Read More

Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.

Read More

Dnscat exfiltration tool execution

Read More