Sigma rules for Cellebrite
500 rules, scoped to this actor.
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Elevated System Shell Spawned From Uncommon Parent Location
id: 178e615d-e666-498b-9630-9ed363038101
related:
    - id: 61065c72-5d7d-44ef-bf41-6a36684b545f
      type: similar
status: test
description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges from an uncommon parent location.
references:
    - https://github.com/Wh04m1001/SysmonEoP
author: frack113, Tim Shelton (update fp)
date: 2022-12-05
modified: 2025-03-06
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.t1059
logsource:
    product: windows
    category: process_creation
detection:
    selection_shell:
        - Image|endswith:
              - '\powershell.exe'
              - '\powershell_ise.exe'
              - '\pwsh.exe'
              - '\cmd.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'powershell_ise.EXE'
              - 'pwsh.dll'
              - 'Cmd.Exe'
    selection_user:
        User|contains: # covers many language settings
            - 'AUTHORI'
            - 'AUTORI'
        LogonId: '0x3e7'
    filter_main_generic:
        # Example 1:
        # C:\Program Files\erl-23.2\erts-11.1.4\bin\erl.exe" -service_event ErlSrv_RabbitMQ -nohup -sname rabbit@localhost -s rabbit boot -boot start_sasl +W w +MBas ageffcbf +MHas ageffcbf +MBlmbcs 512 +MHlmbcs 512 +MMmcs 30 +P 1048576 +t 5000000 +stbt db +zdbbl 128000 +sbwt none +sbwtdcpu none +sbwtdio none -kernel inet_dist_listen_min 25672 -kernel inet_dist_listen_max 25672 -lager crash_log false -lager handlers []
        # Example 2:
        # ParentImage: C:\Program Files (x86)\Varonis\DatAdvantage\GridCollector\VrnsRealTimeAlertsSvc.exe" /appid 000000ad-cb03-500b-9459-c46d000000ad
        # CommandLine: C:\Windows\system32\cmd.exe /c C:\Program Files "(x86)\Varonis\DatAdvantage\GridCollector\handle_scopes.cmd C:\Collector" Working Share\VaronisWorkDirectoryCollector
        ParentImage|contains:
            - ':\Program Files (x86)\'
            - ':\Program Files\'
            - ':\ProgramData\'
            - ':\Windows\System32\'
            - ':\Windows\SysWOW64\'
            - ':\Windows\Temp\' # Installers
            - ':\Windows\WinSxS\'
    filter_optional_manageengine:
        # Example:
        # ParentImage: C:/ManageEngine/ADManager Plus/pgsql/bin/postgres.exe" --forkarch 5380
        # CommandLine: C:\Windows\system32\cmd.exe /c "IF EXIST archive.bat (archive.bat pg_wal\000000010000008E000000EA 000000010000008E000000EA)
        ParentImage|endswith: ':\ManageEngine\ADManager Plus\pgsql\bin\postgres.exe'
        Image|endswith: '\cmd.exe'
    filter_optional_asgard:
        CommandLine|contains: ':\WINDOWS\system32\cmd.exe /c "'
        CurrentDirectory|contains: ':\WINDOWS\Temp\asgard2-agent\'
    filter_optional_ibm_spectrumprotect:
        ParentImage|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
        CommandLine|contains: ':\IBM\SpectrumProtect\webserver\scripts\'
    filter_main_parent_null:
        ParentImage: null
    filter_main_parent_empty:
        ParentImage:
            - ''
            - '-'
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Some legitimate applications may spawn shells from uncommon parent locations. Apply additional filters and perform an initial baseline before deploying.
level: medium
title: Potential Dosfuscation Activity
id: a77c1610-fc73-4019-8e29-0f51efc04a51
status: test
description: Detects possible payload obfuscation via the commandline
references:
    - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
    - https://github.com/danielbohannon/Invoke-DOSfuscation
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022-02-15
modified: 2023-03-06
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - '^^'
            - '^|^'
            - ',;,'
            - ';;;;'
            - ';; ;;'
            - '(,(,'
            - '%COMSPEC:~'
            - ' c^m^d'
            - '^c^m^d'
            - ' c^md'
            - ' cm^d'
            - '^cm^d'
            - ' s^et '
            - ' s^e^t '
            - ' se^t '
            # - '%%'
            # - '&&'
            # - '""'
    condition: selection
falsepositives:
    - Unknown
level: medium
title: Wscript Shell Run In CommandLine
id: 2c28c248-7f50-417a-9186-a85b223010ee
status: test
description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command line, which could indicate suspicious activity
references:
    - https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
    - https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-31
modified: 2023-05-15
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - 'Wscript.'
            - '.Shell'
            - '.Run'
    condition: selection
falsepositives:
    - Inline scripting can be used by some rare third-party applications or administrators. Investigate and apply additional filters accordingly.
level: medium
title: Forfiles Command Execution
id: 9aa5106d-bce3-4b13-86df-3a20f1d5cf0b
related:
    - id: a85cf4e3-56ee-4e79-adeb-789f8fb209a8
      type: obsolete
    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
      type: obsolete
status: test
description: |
    Detects the execution of "forfiles" with the "/c" flag.
    While this is an expected behavior of the tool, it can be abused in order to proxy execution through it with any binary.
    Can be used to bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Forfiles/
    - https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022-06-14
modified: 2024-03-05
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\forfiles.exe'
        - OriginalFileName: 'forfiles.exe'
    selection_cli:
        CommandLine|contains|windash: ' -c '
    condition: all of selection_*
falsepositives:
    - Legitimate use via a batch script or by an administrator.
level: medium
title: Conhost Spawned By Uncommon Parent Process
id: cbb9e3d1-2386-4e59-912e-62f1484f7a89
status: test
description: Detects when the Console Window Host (conhost.exe) process is spawned by an uncommon parent process, which could be indicative of potential code injection activity.
references:
    - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-28
modified: 2025-03-06
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\conhost.exe'
        ParentImage|endswith:
            - '\explorer.exe'
            # - '\csrss.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe
            # - '\ctfmon.exe' # Seen several times in a testing environment
            # - '\dllhost.exe' # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p'
            - '\lsass.exe'
            - '\regsvr32.exe'
            - '\rundll32.exe'
            - '\services.exe'
            - '\smss.exe'
            - '\spoolsv.exe'
            - '\svchost.exe'
            - '\userinit.exe'
            # - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe
            - '\wininit.exe'
            - '\winlogon.exe'
    filter_main_svchost:
        ParentCommandLine|contains:
            - '-k apphost -s AppHostSvc'
            - '-k imgsvc'
            - '-k localService -p -s RemoteRegistry'
            - '-k LocalSystemNetworkRestricted -p -s NgcSvc'
            - '-k NetSvcs -p -s NcaSvc'
            - '-k netsvcs -p -s NetSetupSvc'
            - '-k netsvcs -p -s wlidsvc'
            - '-k NetworkService -p -s DoSvc'
            - '-k wsappx -p -s AppXSvc'
            - '-k wsappx -p -s ClipSVC'
            - '-k wusvcs -p -s WaaSMedicSvc'
    filter_optional_dropbox:
        ParentCommandLine|contains:
            - 'C:\Program Files (x86)\Dropbox\Client\'
            - 'C:\Program Files\Dropbox\Client\'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
title: Add Potential Suspicious New Download Source To Winget
id: c15a46a0-07d4-4c87-b4b6-89207835a83b
related:
    - id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
      type: similar
    - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
      type: similar
status: test
description: Detects usage of winget to add new potentially suspicious download sources
references:
    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
modified: 2023-12-04
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\winget.exe'
        - OriginalFileName: 'winget.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'source '
            - 'add '
    selection_source_direct_ip:
        # This is a best effort. A better way to handle this is to limit it via whitelist. Check Group Policy for more details
        CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
title: Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
id: 7aa4e81a-a65c-4e10-9f81-b200eb229d7d
related:
    - id: 236d8e89-ed95-4789-a982-36f4643738ba
      type: derived
status: test
description: Detects execution of "VMwareToolBoxCmd.exe" with the "script" and "set" flags to set up a specific script to run for a specific VM state
references:
    - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/
    - https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-06-14
tags:
    - attack.execution
    - attack.persistence
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\VMwareToolBoxCmd.exe'
        - OriginalFileName: 'toolbox-cmd.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' script '
            - ' set '
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
title: Use of OpenConsole
id: 814c95cc-8192-4378-a70a-f1aafd877af1
status: test
description: Detects usage of the OpenConsole binary as a LOLBIN to launch other binaries and bypass application whitelisting
references:
    - https://twitter.com/nas_bench/status/1537563834478645252
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-16
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        - OriginalFileName: 'OpenConsole.exe'
        - Image|endswith: '\OpenConsole.exe'
    filter:
        Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.WindowsTerminal' # We exclude the default path for WindowsTerminal
    condition: selection and not filter
falsepositives:
    - Legitimate use by an administrator
level: medium
title: Potentially Suspicious NTFS Symlink Behavior Modification
id: c0b2768a-dd06-4671-8339-b16ca8d1f27f
status: test
description: |
    Detects the modification of NTFS symbolic link behavior using fsutil, which could be used to enable remote to local or remote to remote symlinks for potential attacks.
references:
    - https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware
    - https://learn.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior
    - https://thedfirreport.com/2025/06/30/hide-your-rdp-password-spray-leads-to-ransomhub-deployment/
author: frack113, The DFIR Report
date: 2022-03-02
modified: 2025-11-13
tags:
    - attack.execution
    - attack.defense-impairment
    - attack.t1059
    - attack.t1222.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img_proxy:
        # Note: Example command observed: cmd.exe /c "fsutil behaviour set SymlinkEvaluation"
        - Image|endswith:
              - '\cmd.exe'
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'Cmd.Exe'
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_fsutil_cli:
        CommandLine|contains|all:
            - 'fsutil'
            - 'behavior'
            - 'set'
            - 'SymlinkEvaluation'
    selection_symlink_params:
        CommandLine|contains:
            - 'R2L:1' # Remote to Local
            - 'R2R:1' # Remote to Remote
            - 'L2L:1' # Local to Local
    condition: all of selection_*
falsepositives:
    - Legitimate usage, investigate the parent process and context to determine if benign.
level: medium
title: Python Inline Command Execution
id: 899133d5-4d7c-4a7f-94ee-27355c879d90
status: test
description: Detects execution of python using the "-c" flag. This could be used as a way to launch a reverse shell or execute live python code.
references:
    - https://docs.python.org/3/using/cmdline.html#cmdoption-c
    - https://www.revshells.com/
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-10-07
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - OriginalFileName: 'python.exe'
        - Image|endswith:
              - 'python.exe' # no \ bc of e.g. ipython.exe
              - 'python3.exe'
              - 'python2.exe'
    selection_cli:
        CommandLine|contains: ' -c'
    filter_main_python_1: # Based on baseline
        ParentImage|startswith:
            - 'C:\Program Files\Python'
            - 'C:\Program Files (x86)\Python'
        ParentImage|endswith: '\python.exe'
        ParentCommandLine|contains: '-E -s -m ensurepip -U --default-pip'
    filter_main_python_trace: # Based on baseline
        ParentImage|startswith:
            - 'C:\Program Files\Python'
            - 'C:\Program Files (x86)\Python'
        CommandLine|contains|all:
            # CommandLine: \"C:\\Program Files\\Python312\\python.exe\" -W ignore::DeprecationWarning -c \"\nimport runpy\nimport sys\nsys.path = ['C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj\\\\pip-23.2.1-py3-none-any.whl'] + sys.path\nsys.argv[1:] = ['install', '--no-cache-dir', '--no-index', '--find-links', 'C:\\\\Users\\\\User\\\\AppData\\\\Local\\\\Temp\\\\tmpdakwn6aj', '--upgrade', 'pip']\nrunpy.run_module(\\\"pip\\\", run_name=\\\"__main__\\\", alter_sys=True)\n\
            - '-W ignore::DeprecationWarning'
            - "['install', '--no-cache-dir', '--no-index', '--find-links',"
            - "'--upgrade', 'pip'"
    filter_optional_vscode:
        - ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
        - ParentImage:
              - 'C:\Program Files\Microsoft VS Code\Code.exe'
              - 'C:\Program Files (x86)\Microsoft VS Code\Code.exe'
    filter_optional_pip:
        CommandLine|contains|all:
            - '<pip-setuptools-caller>'
            - 'exec(compile('
    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Python libraries that use a flag starting with "-c". Filter according to your environment
level: medium
title: Ruby Inline Command Execution
id: 20a5ffa1-3848-4584-b6f8-c7c7fd9f69c8
status: test
description: Detects execution of ruby using the "-e" flag. This could be used as a way to launch a reverse shell or execute live ruby code.
references:
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
    - https://www.revshells.com/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\ruby.exe'
        - OriginalFileName: 'ruby.exe'
    selection_cli:
        CommandLine|contains: ' -e'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
title: Php Inline Command Execution
id: d81871ef-5738-47ab-9797-7a9c90cd4bfb
status: test
description: Detects execution of php using the "-r" flag. This could be used as a way to launch a reverse shell or execute live php code.
references:
    - https://www.php.net/manual/en/features.commandline.php
    - https://www.revshells.com/
    - https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\php.exe'
        - OriginalFileName: 'php.exe'
    selection_cli:
        CommandLine|contains: ' -r'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
title: Suspicious Runscripthelper.exe
id: eca49c87-8a75-4f13-9c73-a5a29e845f03
status: test
description: Detects execution of powershell scripts via Runscripthelper.exe
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Runscripthelper/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2022-07-11
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\Runscripthelper.exe'
        CommandLine|contains: 'surfacecheck'
    condition: selection
falsepositives:
    - Unknown
level: medium
title: Writing Of Malicious Files To The Fonts Folder
id: ae9b0bd7-8888-4606-b444-0ed7410cb728
status: test
description: Monitors for the hiding of possible malicious files in the C:\Windows\Fonts\ location. This folder doesn't require admin privilege to be written to and executed from.
references:
    - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/
author: Sreeman
date: 2020-04-21
modified: 2022-03-08
tags:
    - attack.stealth
    - attack.t1211
    - attack.t1059
    - attack.persistence
    - attack.execution
logsource:
    product: windows
    category: process_creation
detection:
    selection_1:
        CommandLine|contains:
            - 'echo'
            - 'copy'
            - 'type'
            - 'file createnew'
            - 'cacls'
    selection_2:
        CommandLine|contains: 'C:\Windows\Fonts\'
    selection_3:
        CommandLine|contains:
            - '.sh'
            - '.exe'
            - '.dll'
            - '.bin'
            - '.bat'
            - '.cmd'
            - '.js'
            - '.msh'
            - '.reg'
            - '.scr'
            - '.ps'
            - '.vb'
            - '.jar'
            - '.pl'
            - '.inf'
            - '.cpl'
            - '.hta'
            - '.msi'
            - '.vbs'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
title: Use of Pcalua For Execution
id: 0955e4e1-c281-4fb9-9ee1-5ee7b4b754d2
related:
    - id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02
      type: obsolete
status: test
description: Detects execution of commands and binaries from the context of the Program Compatibility Assistant (Pcalua.exe). This can be used as a LOLBIN in order to bypass application whitelisting.
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Pcalua/
    - https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Nasreddine Bencherchali (Nextron Systems), E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2022-06-14
modified: 2023-01-04
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\pcalua.exe'
        CommandLine|contains: ' -a' # No space after the flag because it accepts anything as long as there is a "-a"
    condition: selection
falsepositives:
    - Legitimate use via a batch script or by an administrator.
level: medium
title: Add New Download Source To Winget
id: 05ebafc8-7aa2-4bcd-a269-2aec93f9e842
related:
    - id: 81a0ecb5-0a41-4ba1-b2ba-c944eb92bfa2
      type: similar
    - id: c15a46a0-07d4-4c87-b4b6-89207835a83b
      type: similar
status: test
description: Detects usage of winget to add new additional download sources
references:
    - https://learn.microsoft.com/en-us/windows/package-manager/winget/source
    - https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-04-17
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\winget.exe'
        - OriginalFileName: 'winget.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'source '
            - 'add '
    condition: all of selection_*
falsepositives:
    - False positives are expected with legitimate sources
level: medium
title: Potential Arbitrary Command Execution Via FTP.EXE
id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e
status: test
description: Detects execution of an "ftp.exe" script with the "-s" or "/s" flag and any child processes run by "ftp.exe".
references:
    - https://lolbas-project.github.io/lolbas/Binaries/Ftp/
author: Victor Sergeev, oscd.community
date: 2020-10-09
modified: 2024-04-23
tags:
    - attack.execution
    - attack.stealth
    - attack.t1059
    - attack.t1202
logsource:
    category: process_creation
    product: windows
detection:
    selection_parent:
        ParentImage|endswith: '\ftp.exe'
    selection_child_img:
        - Image|endswith: '\ftp.exe'
        - OriginalFileName: 'ftp.exe'
    selection_child_cli:
        CommandLine|contains|windash: '-s:'
    condition: selection_parent or all of selection_child_*
falsepositives:
    - Unknown
level: medium
title: Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
id: fb4e2211-6d08-426b-8e6f-0d4a161e3b1d
status: experimental
description: Detects Clfs.sys being loaded by a process running from a potentially suspicious location. Clfs.sys is loaded as part of many CVE exploits that target the Common Log File System.
references:
    - https://ssd-disclosure.com/ssd-advisory-common-log-file-system-clfs-driver-pe/
    - https://x.com/Threatlabz/status/1879956781360976155
author: X__Junior
date: 2025-01-20
tags:
    - attack.execution
    - attack.t1059
logsource:
    category: image_load
    product: windows
detection:
    selection_dll:
        ImageLoaded|endswith: '\clfs.sys'
    selection_folders_1:
        Image|contains:
            - ':\Perflogs\'
            - ':\Users\Public\'
            - '\Temporary Internet'
            - '\Windows\Temp\'
    selection_folders_2:
        - Image|contains|all:
              - ':\Users\'
              - '\Favorites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Favourites\'
        - Image|contains|all:
              - ':\Users\'
              - '\Contacts\'
        - Image|contains|all:
              - ':\Users\'
              - '\Pictures\'
    condition: selection_dll and 1 of selection_folders_*
falsepositives:
    - Unknown
level: medium
title: Suspicious Non PowerShell WSMAN COM Provider
id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
status: test
description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
references:
    - https://twitter.com/chadtilbury/status/1275851297770610688
    - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
    - https://github.com/bohops/WSMan-WinRM
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020-06-24
modified: 2025-10-22
tags:
    - attack.execution
    - attack.t1059.001
    - attack.lateral-movement
    - attack.t1021.003
logsource:
    product: windows
    service: powershell-classic
detection:
    selection:
        Data|contains: 'ProviderName=WSMan'
    filter_main_ps:
        Data|contains:
            - 'HostApplication=powershell'
            - 'HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - 'HostApplication=C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - 'HostApplication=C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - 'HostApplication=C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
    filter_main_host_application_null:
        # Note: Since we're using the raw data field to match, there is no easy way to filter out cases where the "HostApplication" field is null (i.e. doesn't exist). We're practically forced to use a regex.
        # If you're already mapping and extracting the field, then obviously use that directly.
        Data|re: 'HostId=[a-zA-Z0-9-]{36}\s+EngineVersion='
    filter_optional_hexnode:
        Data|contains: 'HostApplication=C:\Hexnode\Hexnode Agent\Current\HexnodeAgent.exe'
    condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
    - Unknown
level: medium
title: Netcat The Powershell Version
id: c5b20776-639a-49bf-94c7-84f912b91c15
related:
    - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
      type: derived
status: test
description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
references:
    - https://nmap.org/ncat/
    - https://github.com/besimorhino/powercat
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md
author: frack113
date: 2021-07-21
modified: 2023-10-27
tags:
    - attack.command-and-control
    - attack.execution
    - attack.t1095
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains:
            - 'powercat '
            - 'powercat.ps1'
    condition: selection
falsepositives:
    - Unknown
level: medium
title: Nslookup PowerShell Download Cradle
id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1
related:
    - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23
      type: similar
status: test
description: Detects a powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records.
references:
    - https://twitter.com/Alh4zr3d/status/1566489367232651264
author: Sai Prashanth Pulisetti @pulisettis, Aishwarya Singam
date: 2022-12-10
modified: 2025-02-25
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains|all:
            - 'powershell'
            - 'nslookup'
            - '[1]'
        Data|contains:
            - '-q=txt http'
            - '-querytype=txt http'
            - '-type=txt http'
    condition: selection
falsepositives:
    - Unknown
level: medium
title: PowerShell Downgrade Attack - PowerShell
id: 6331d09b-4785-4c13-980f-f96661356249
status: test
description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0
references:
    - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
author: Florian Roth (Nextron Systems), Lee Holmes (idea), Harish Segar (improvements)
date: 2017-03-22
modified: 2023-10-27
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_classic_start
detection:
    selection:
        Data|contains: 'EngineVersion=2.'
    filter_main:
        Data|contains: 'HostVersion=2.'
    condition: selection and not filter_main
falsepositives:
    - Unknown
level: medium
title: Alternate PowerShell Hosts - PowerShell Module
id: 64e8e417-c19a-475a-8d19-98ea705394cc
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-08-11
modified: 2025-10-17
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection:
        ContextInfo|contains: '*'
    filter_powershell:
        # This filter covers the following use cases
        # - When powershell is called directly from commandline via keyword powershell or powershell.exe
        # - Or called via path but not with full ".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
        ContextInfo|contains:
            - '= powershell' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
            - '= C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
            - '= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
            # In some cases powershell was invoked with inverted slashes
            - '= C:/Windows/System32/WindowsPowerShell/v1.0/powershell'
            - '= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell'
            # In some cases \??\C:.. is used
            - '= \\\?\?\C:Windows\System32\WindowsPowerShell\v1.0\powershell'
            - '= \\\?\?\C:Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
    filter_sdiagnhost:
        ContextInfo|contains: '= C:\WINDOWS\System32\sdiagnhost.exe -Embedding' # When MSDT is launched for example
    filter_citrix:
        ContextInfo|contains: 'ConfigSyncRun.exe'
    filter_adace: # Active Directory Administrative Center Enhancements
        ContextInfo|contains: 'C:\Windows\system32\dsac.exe'
    filter_winrm:
        ContextInfo|contains: 'C:\Windows\system32\wsmprovhost.exe -Embedding'
    filter_help_update:
        Payload|contains:
            - 'Update-Help'
            - 'Failed to update Help for the module'
    condition: selection and not 1 of filter_*
falsepositives:
    - Programs using PowerShell directly without invocation of a dedicated interpreter
    - MSP Detection Searcher
    - Citrix ConfigSync.ps1
level: medium
title: Suspicious PowerShell Download - PoshModule
id: de41232e-12e8-49fa-86bc-c05c7e722df9
related:
    - id: 65531a81-a694-4e31-ae04-f8ba5bc33759
      type: derived
status: test
description: Detects suspicious PowerShell download command
references:
    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
    - https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
author: Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-01-20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_webclient_:
        ContextInfo|contains: 'System.Net.WebClient'
    selection_function:
        ContextInfo|contains:
            - '.DownloadFile('
            - '.DownloadString('
    condition: all of selection_*
falsepositives:
    - PowerShell scripts that download content from the Internet
level: medium
title: Import PowerShell Modules From Suspicious Directories
id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
related:
    - id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
      type: similar
status: test
description: Detects powershell scripts that import modules from suspicious directories
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-07-07
modified: 2023-01-10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'Import-Module "$Env:Temp\'
            - Import-Module '$Env:Temp\
            - 'Import-Module $Env:Temp\'
            - 'Import-Module "$Env:Appdata\'
            - Import-Module '$Env:Appdata\
            - 'Import-Module $Env:Appdata\'
            - 'Import-Module C:\Users\Public\'
            # Import-Module alias is "ipmo"
            - 'ipmo "$Env:Temp\'
            - ipmo '$Env:Temp\
            - 'ipmo $Env:Temp\'
            - 'ipmo "$Env:Appdata\'
            - ipmo '$Env:Appdata\
            - 'ipmo $Env:Appdata\'
            - 'ipmo C:\Users\Public\'
    condition: selection
falsepositives:
    - Unknown
level: medium
title: PowerShell Create Local User
id: 243de76f-4725-4f2e-8225-a8a69b15ad61
status: test
description: Detects creation of a local user via PowerShell
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
author: '@ROxPinTeddy'
date: 2020-04-11
modified: 2022-12-25
tags:
    - attack.execution
    - attack.t1059.001
    - attack.persistence
    - attack.t1136.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains: 'New-LocalUser'
    condition: selection
falsepositives:
    - Legitimate user creation
level: medium
title: Potential Suspicious PowerShell Keywords
id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: test
description: Detects potentially suspicious keywords that could indicate the use of a PowerShell exploitation framework
references:
    - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
    - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
    - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
    - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
author: Florian Roth (Nextron Systems), Perez Diego (@darkquassar), Tuan Le (NCSGroup)
date: 2019-02-11
modified: 2023-04-21
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'System.Reflection.Assembly.Load($'
            - '[System.Reflection.Assembly]::Load($'
            - '[Reflection.Assembly]::Load($'
            - 'System.Reflection.AssemblyName'
            - 'Reflection.Emit.AssemblyBuilderAccess'
            - 'Reflection.Emit.CustomAttributeBuilder'
            - 'Runtime.InteropServices.UnmanagedType'
            - 'Runtime.InteropServices.DllImportAttribute'
            - 'SuspendThread'
            - 'rundll32'
            # - 'FromBase64'
            # - 'Invoke-WMIMethod' # Prone to FP
            # - 'http://127.0.0.1' # Prone to FP
    condition: selection
falsepositives:
    - Unknown
level: medium
title: Malicious PowerShell Keywords
id: f62176f3-8128-4faa-bf6c-83261322e5eb
status: test
description: Detects keywords from well-known PowerShell exploitation frameworks
references:
    - https://adsecurity.org/?p=2921
author: Sean Metcalf (source), Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2023-06-20
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains:
            - 'AdjustTokenPrivileges'
            - 'IMAGE_NT_OPTIONAL_HDR64_MAGIC'
            # - 'LSA_UNICODE_STRING'
            - 'Metasploit'
            - 'Microsoft.Win32.UnsafeNativeMethods'
            - 'Mimikatz'
            - 'MiniDumpWriteDump'
            - 'PAGE_EXECUTE_READ'
            - 'ReadProcessMemory.Invoke'
            - 'SE_PRIVILEGE_ENABLED'
            - 'SECURITY_DELEGATION'
            - 'TOKEN_ADJUST_PRIVILEGES'
            - 'TOKEN_ALL_ACCESS'
            - 'TOKEN_ASSIGN_PRIMARY'
            - 'TOKEN_DUPLICATE'
            - 'TOKEN_ELEVATION'
            - 'TOKEN_IMPERSONATE'
            - 'TOKEN_INFORMATION_CLASS'
            - 'TOKEN_PRIVILEGES'
            - 'TOKEN_QUERY'
    condition: selection
falsepositives:
    - Depending on the scripts, this rule might require some initial tuning to fit the environment
level: medium
title: Powershell XML Execute Command
id: 6c6c6282-7671-4fe9-a0ce-a2dcebdc342b
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-8---powershell-xml-requests
author: frack113
date: 2022-01-19
modified: 2023-01-19
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_xml:
ScriptBlockText|contains|all:
- 'New-Object'
- 'System.Xml.XmlDocument'
- '.Load'
selection_exec:
ScriptBlockText|contains:
- 'IEX '
- 'Invoke-Expression '
- 'Invoke-Command '
- 'ICM -'
condition: all of selection_*
falsepositives:
- Legitimate administrative script
level: medium
title: PowerShell Remote Session Creation
id: a0edd39f-a0c6-4c17-8141-261f958e8d8f
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.4
author: frack113
date: 2022-01-06
modified: 2023-01-02
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-PSSession'
- '-ComputerName '
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
title: Change PowerShell Policies to an Insecure Level - PowerShell
id: 61d0475c-173f-4844-86f7-f3eebae1c66b
related:
- id: cf2e938e-9a3e-4fe8-a347-411642b28a9f # ProcCreation Registry
type: similar
- id: 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 # ProcCreation Cmdlet
type: similar
- id: fad91067-08c5-4d1a-8d8c-d96a21b37814 # Registry
type: similar
status: test
description: Detects changing the PowerShell script execution policy to a potentially insecure level using the "Set-ExecutionPolicy" cmdlet.
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.4
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.4
- https://adsecurity.org/?p=2604
author: frack113
date: 2021-10-20
modified: 2023-12-14
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_cmdlet:
ScriptBlockText|contains: 'Set-ExecutionPolicy'
selection_option:
ScriptBlockText|contains:
- 'Unrestricted'
- 'bypass'
filter_optional_chocolatey:
ScriptBlockText|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
condition: all of selection_* and not 1 of filter_optional_*
falsepositives:
- Administrator script
level: medium
title: Suspicious PowerShell Download - Powershell Script
id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb
related:
- id: 65531a81-a694-4e31-ae04-f8ba5bc33759
type: derived
status: test
description: Detects a suspicious PowerShell download command
references:
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadstring?view=net-8.0
- https://learn.microsoft.com/en-us/dotnet/api/system.net.webclient.downloadfile?view=net-8.0
author: Florian Roth (Nextron Systems)
date: 2017-03-05
modified: 2022-12-02
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
webclient:
ScriptBlockText|contains: 'System.Net.WebClient'
download:
ScriptBlockText|contains:
- '.DownloadFile('
- '.DownloadFileAsync('
- '.DownloadString('
- '.DownloadStringAsync('
condition: webclient and download
falsepositives:
- PowerShell scripts that download content from the Internet
level: medium
title: Powershell MsXml COM Object
id: 78aa1347-1517-4454-9982-b338d6df8343
status: test
description: |
Adversaries may abuse PowerShell commands and scripts for execution.
PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell)
Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt
- https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)
- https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html
author: frack113, MatilJ
date: 2022-01-19
modified: 2022-05-19
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- 'New-Object'
- '-ComObject'
- 'MsXml2.'
- 'XmlHttp'
condition: selection
falsepositives:
- Legitimate administrative script
level: medium
title: Usage Of Web Request Commands And Cmdlets - ScriptBlock
id: 1139d2e2-84b1-4226-b445-354492eba8ba
related:
- id: 9fc51a3c-81b3-4fa7-b35f-7c02cf10fd2d
type: derived
status: test
description: Detects the use of various web request commands with commandline tools and Windows PowerShell cmdlets (including aliases) via PowerShell scriptblock logs
references:
- https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/
- https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell
author: James Pemberton / @4A616D6573
date: 2019-10-24
modified: 2025-10-20
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- '[System.Net.WebRequest]::create'
- 'curl '
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- ' irm ' # Space before and after to avoid false positives with 'irm' as a substring
- 'iwr '
# - 'Net.WebClient' # There are various other rules that cover this, so it is commented out
- 'Resume-BitsTransfer'
- 'Start-BitsTransfer'
- 'wget '
- 'WinHttp.WinHttpRequest'
filter:
Path|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
condition: selection and not filter
falsepositives:
- Use of Get-Command and Get-Help modules to reference Invoke-WebRequest and Start-BitsTransfer.
level: medium
title: Alternate PowerShell Hosts Pipe
id: 58cb02d5-78ce-4692-b3e1-dce850aae41a
related:
- id: ac7102b4-9e1e-4802-9b4f-17c5524c015c
type: derived
status: test
description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
references:
- https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
- https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
date: 2019-09-12
modified: 2025-10-07
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: pipe_created
definition: 'Note that you have to configure logging for Named Pipe Events in your Sysmon config (Event ID 17 and Event ID 18). The basic configuration is included in the popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repos, e.g. https://github.com/Neo23x0/sysmon-config or https://github.com/olafhartong/sysmon-modular. To test the detection, you can use the PowerShell script from https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
detection:
selection:
PipeName|startswith: '\PSHost'
filter_main_generic:
- Image|contains:
- ':\Program Files\PowerShell\7-preview\pwsh.exe' # Powershell 7
- ':\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
- ':\Windows\system32\dsac.exe'
- ':\Windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers
- ':\Windows\System32\sdiagnhost.exe'
- ':\Windows\system32\ServerManager.exe'
- ':\Windows\system32\wbem\wmiprvse.exe'
- ':\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'
- ':\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
- ':\Windows\System32\wsmprovhost.exe'
- ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
- ':\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
- Image|contains|all:
- 'C:\Program Files\WindowsApps\Microsoft.PowerShellPreview'
- '\pwsh.exe'
- Image|contains|all:
- '\AppData\Local\Microsoft\WindowsApps\Microsoft.PowerShellPreview'
- '\pwsh.exe'
filter_optional_sqlserver: # Microsoft SQL Server\130\Tools\
Image|startswith:
- 'C:\Program Files (x86)\'
- 'C:\Program Files\'
Image|contains: '\Microsoft SQL Server\'
Image|endswith: '\Tools\Binn\SQLPS.exe'
filter_optional_azure_connected_machine_agent:
# Azure Connected Machine Agent (https://devblogs.microsoft.com/powershell/azure-policy-guest-configuration-client/)
Image|startswith: 'C:\Program Files\AzureConnectedMachineAgent\GCArcService'
Image|endswith: '\GC\gc_worker.exe'
filter_optional_citrix:
Image|startswith: 'C:\Program Files\Citrix\'
filter_optional_exchange:
Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
filter_main_null:
Image: null
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Programs using PowerShell directly without invocation of a dedicated interpreter.
level: medium
title: Remote Thread Creation Via PowerShell In Uncommon Target
id: 99b97608-3e21-4bfe-8217-2a127c396a0e
related:
- id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
type: similar
status: test
description: Detects the creation of a remote thread from a Powershell process in an uncommon target process
references:
- https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html
author: Florian Roth (Nextron Systems)
date: 2018-06-25
modified: 2023-11-10
tags:
- attack.execution
- attack.stealth
- attack.t1218.011
- attack.t1059.001
logsource:
product: windows
category: create_remote_thread
detection:
selection:
SourceImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
TargetImage|endswith:
# Note: Please add additional potential interesting targets to increase coverage
- '\rundll32.exe'
- '\regsvr32.exe'
condition: selection
falsepositives:
- Unknown
level: medium
title: PowerShell Script Run in AppData
id: ac175779-025a-4f12-98b0-acdaeb77ea85
status: test
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
- https://twitter.com/JohnLaTwC/status/1082851155481288706
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019-01-09
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection1:
CommandLine|contains:
- 'powershell.exe'
- '\powershell'
- '\pwsh'
- 'pwsh.exe'
selection2:
CommandLine|contains|all:
- '/c '
- '\AppData\'
CommandLine|contains:
- 'Local\'
- 'Roaming\'
condition: all of selection*
falsepositives:
- Administrative scripts
level: medium
title: SQL Client Tools PowerShell Session Detection
id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
status: test
description: |
This rule detects execution of PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with Microsoft SQL Server Management Studio.
Script blocks are not logged in this case, so this utility can be used to bypass protection mechanisms based on the analysis of these logs.
references:
- https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml
- https://twitter.com/pabraeken/status/993298228840992768
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-13
modified: 2022-02-25
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\sqltoolsps.exe'
- ParentImage|endswith: '\sqltoolsps.exe'
- OriginalFileName: 'sqltoolsps.exe' # OriginalFileName carries no path component, so a leading backslash would never match
filter:
ParentImage|endswith: '\smss.exe'
condition: selection and not filter
falsepositives:
- Direct PS command execution through SQLToolsPS.exe is uncommon; a child process sqltoolsps.exe spawned by smss.exe is a legitimate action.
level: medium
title: PowerShell Download Pattern
id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
related:
- id: e6c54d94-498c-4562-a37c-b469d8e9a275
type: derived
- id: 8f70ac5f-1f6f-4f8e-b454-db19561216c5
type: obsolete
status: test
description: Detects a Powershell process that contains download commands in its command line string
references:
- https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html
- https://lab52.io/blog/winter-vivern-all-summer/
- https://hatching.io/blog/powershell-analysis/
author: Florian Roth (Nextron Systems), oscd.community, Jonhnathan Ribeiro
date: 2019-01-16
modified: 2025-10-20
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- 'new-object'
- 'net.webclient).'
- 'download'
CommandLine|contains:
- 'string('
- 'file('
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Import PowerShell Modules From Suspicious Directories - ProcCreation
id: c31364f7-8be6-4b77-8483-dd2b5a7b69a3
related:
- id: 21f9162c-5f5d-4b01-89a8-b705bd7d10ab
type: similar
status: test
description: Detects powershell scripts that import modules from suspicious directories
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-10
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- 'Import-Module "$Env:Temp\'
- Import-Module '$Env:Temp\
- 'Import-Module $Env:Temp\'
- 'Import-Module "$Env:Appdata\'
- Import-Module '$Env:Appdata\
- 'Import-Module $Env:Appdata\'
- 'Import-Module C:\Users\Public\'
# Import-Module alias is "ipmo"
- 'ipmo "$Env:Temp\'
- ipmo '$Env:Temp\
- 'ipmo $Env:Temp\'
- 'ipmo "$Env:Appdata\'
- ipmo '$Env:Appdata\
- 'ipmo $Env:Appdata\'
- 'ipmo C:\Users\Public\'
condition: selection
falsepositives:
- Unknown
level: medium
title: Suspicious PowerShell Invocation From Script Engines
id: 95eadcb2-92e4-4ed1-9031-92547773a6db
status: test
description: Detects suspicious powershell invocations from interpreters or unusual programs
references:
- https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\wscript.exe'
- '\cscript.exe'
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
filter_health_service:
CurrentDirectory|contains: '\Health Service State\'
condition: selection and not 1 of filter_*
falsepositives:
- Microsoft Operations Manager (MOM)
- Other scripts
level: medium
title: Execute Code with Pester.bat as Parent
id: 18988e1b-9087-4f8a-82fe-0414dce49878
related:
- id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
type: similar
status: test
description: Detects code execution via Pester.bat (Pester - PowerShell module for testing)
references:
- https://twitter.com/Oddvarmoe/status/993383596244258816
- https://twitter.com/_st0pp3r_/status/1560072680887525378
author: frack113, Nasreddine Bencherchali
date: 2022-08-20
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1216
logsource:
category: process_creation
product: windows
detection:
selection_module:
ParentImage|endswith:
- '\powershell.exe'
- '\pwsh.exe'
ParentCommandLine|contains: '\WindowsPowerShell\Modules\Pester\'
selection_cli:
ParentCommandLine|contains:
- '{ Invoke-Pester -EnableExit ;'
- '{ Get-Help "'
condition: all of selection_*
falsepositives:
- Legitimate use of Pester for writing tests for Powershell scripts and modules
level: medium
title: Suspicious Execution of Powershell with Base64
id: fb843269-508c-4b76-8b8d-88679db22ce7
status: test
description: Detects a command line that launches PowerShell with a Base64-encoded payload
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets
- https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
- https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/
author: frack113
date: 2022-01-02
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- \powershell.exe
- \pwsh.exe
CommandLine|contains:
- ' -e '
- ' -en '
- ' -enc '
- ' -enco'
- ' -ec '
filter_encoding:
CommandLine|contains: ' -Encoding '
filter_azure:
ParentImage|contains:
- 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
- '\gc_worker.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Unknown
level: medium
title: Powershell Executed From Headless ConHost Process
id: 056c7317-9a09-4bd4-9067-d051312752ea
related:
- id: 00ca75ab-d5ce-43be-b86c-55ff39c6abfc
type: derived
status: test
description: |
Detects the use of PowerShell commands from a headless ConHost window.
The "--headless" flag hides the window from the user upon execution.
references:
- https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software
author: Matt Anderson (Huntress)
date: 2024-07-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1059.003
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\conhost.exe'
- OriginalFileName: 'CONHOST.EXE'
selection_cli:
CommandLine|contains|all:
- '--headless'
- 'powershell'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_conhost_headless_powershell/info.yml
title: Powershell Inline Execution From A File
id: ee218c12-627a-4d27-9e30-d6fb2fe22ed2
status: test
description: Detects inline execution of PowerShell code from a file
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
author: frack113
date: 2022-12-25
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_exec:
CommandLine|contains:
- 'iex '
- 'Invoke-Expression '
- 'Invoke-Command '
- 'icm '
selection_read:
CommandLine|contains:
- 'cat '
- 'get-content '
- 'type '
selection_raw:
CommandLine|contains: ' -raw'
condition: all of selection_*
falsepositives:
- Unknown
level: medium
title: Remote PowerShell Session Host Process (WinRM)
id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8
status: test
description: Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (a sign of an active PowerShell remote session).
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
- attack.execution
- attack.lateral-movement
- attack.t1059.001
- attack.t1021.006
logsource:
category: process_creation
product: windows
detection:
selection:
- Image|endswith: '\wsmprovhost.exe'
- ParentImage|endswith: '\wsmprovhost.exe'
condition: selection
falsepositives:
- Legitimate usage of remote Powershell, e.g. for monitoring purposes.
level: medium
title: Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
id: 692f0bec-83ba-4d04-af7e-e884a96059b6
related:
- id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
type: similar
- id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
type: similar
status: stable
description: Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of lateral movement via WMI.
references:
- https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
author: Markus Neis @Karneades
date: 2019-04-03
modified: 2023-03-29
tags:
- attack.execution
- attack.t1047
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\WmiPrvSE.exe'
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
condition: all of selection_*
falsepositives:
- AppvClient
- CCM
- WinRM
level: medium
title: PowerShell MSI Install via WindowsInstaller COM From Remote Location
id: 222720a7-047f-4054-baa5-bab9be757db0
status: experimental
description: |
Detects the execution of PowerShell commands that attempt to install MSI packages via the
Windows Installer COM object (`WindowsInstaller.Installer`) from a remote location.
This could be an indication of malicious software deployment or lateral movement attempts using Windows Installer functionality.
The use of the WindowsInstaller COM object rather than msiexec could also be an attempt to evade detection.
references:
- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457
author: Meroujan Antonyan (vx3r)
date: 2025-06-05
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1218
- attack.command-and-control
- attack.t1105
logsource:
category: process_creation
product: windows
detection:
# Example: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='https://example.com/';$i=New-Object -ComObject('WindowsInstaller.Installer');$i.UILevel=2;$i.InstallProduct($u),'')";
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- '-ComObject'
- 'InstallProduct('
selection_remote:
CommandLine|contains:
- 'http'
- '\\\\'
filter_main_localhost:
CommandLine|contains:
- '://127.0.0.1'
- '://localhost'
condition: all of selection_* and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
title: Hidden Powershell in Link File Pattern
id: 30e92f50-bb5a-4884-98b5-d20aa80f3d7a
status: test
description: Detects events that appear when a user clicks on a link file containing a PowerShell command
references:
- https://www.x86matthew.com/view_post?id=embed_exe_lnk
author: frack113
date: 2022-02-06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: C:\Windows\explorer.exe
Image: C:\Windows\System32\cmd.exe
CommandLine|contains|all:
- 'powershell'
- '.lnk'
condition: selection
falsepositives:
- Legitimate commands in .lnk files
level: medium
title: Detection of PowerShell Execution via Sqlps.exe
id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
status: test
description: |
This rule detects execution of PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with MSSQL Server.
Script blocks are not logged in this case, so this utility can be used to bypass protection mechanisms based on the analysis of these logs.
references:
- https://learn.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
- https://twitter.com/bryon_/status/975835709587075072
author: 'Agro (@agro_sev) oscd.community'
date: 2020-10-10
modified: 2022-12-09
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1127
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\sqlps.exe'
selection_image:
- Image|endswith: '\sqlps.exe'
- OriginalFileName: 'sqlps.exe'
filter_image:
ParentImage|endswith: '\sqlagent.exe'
condition: selection_parent or (selection_image and not filter_image)
falsepositives:
- Direct PS command execution through SQLPS.exe is uncommon; a child process sqlps.exe spawned by sqlagent.exe is a legitimate action.
level: medium