Command and Scripting Interpreter T1059
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities; for example, macOS and Linux distributions include some flavor of Unix shell, while Windows installations include the Windows Command Shell and PowerShell.
Events covered
68 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 732 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (148 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (5372 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition to get useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (719 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 370 rules
- Abusable DLL Potential Sideloading From Suspicious Location
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Add Potential Suspicious New Download Source To Winget
- Adwind RAT / JRAT
- Adwind RAT / JRAT File Artifact
- Alternate PowerShell Hosts - PowerShell Module
- Alternate PowerShell Hosts Pipe
- AppLocker Prevented Application or Script from Running
- Atlassian Confluence CVE-2022-26134
- Atomic MacOS Stealer - FileGrabber Activity
- Axios NPM Compromise Indicators - Linux
- Axios NPM Compromise Indicators - macOS
- Axios NPM Compromise Indicators - Windows
- Bad Opsec Powershell Code Artifacts
- Base64 Encoded PowerShell Command Detected
- BloodHound Collection Files
- bXOR Operator Usage In PowerShell Command Line - PowerShell Classic
- Certificate Exported Via PowerShell
- Change PowerShell Policies to an Insecure Level
- Change PowerShell Policies to an Insecure Level - PowerShell
- ChromeLoader Malware Execution
- Clfs.SYS Loaded By Process Located In a Potential Suspicious Location
- Cmd.EXE Missing Space Characters Execution Anomaly
- Command Line Execution with Suspicious URL and AppData Strings
- Conhost Spawned By Uncommon Parent Process
- Conhost.exe CommandLine Path Traversal
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Csc.EXE Execution Form Potentially Suspicious Parent
- Cscript/Wscript Uncommon Script Extension Execution
- CVE-2022-24527 Microsoft Connected Cache LPE
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- DarkGate - Autoit3.EXE Execution Parameters
- DarkGate - Autoit3.EXE File Creation By Uncommon Process
- DarkGate - Drop DarkGate Loader In C:\Temp Directory
- Detection of PowerShell Execution via Sqlps.exe
- DNS Query by Finger Utility
- DSInternals Suspicious PowerShell Cmdlets
- DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
- Elevated System Shell Spawned
- Elevated System Shell Spawned From Uncommon Parent Location
- Elise Backdoor Activity
- Emotet Loader Execution Via .LNK File
- Encoded PowerShell payload deployed (PowerShell)
- Encoded PowerShell payload deployed via process execution
- Exchange PowerShell Snap-Ins Usage
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent
- Execution of Powershell Script in Public Folder
- Exploited CVE-2020-10189 Zoho ManageEngine
- Exploiting SetupComplete.cmd CVE-2019-1378
- FakeUpdates/SocGholish Activity
- Forfiles Command Execution
- Greenbug Espionage Group Indicators
- HackTool - Bloodhound/Sharphound Execution
- HackTool - CACTUSTORCH Remote Thread Creation
- HackTool - Covenant PowerShell Launcher
- HackTool - CrackMapExec Execution
- HackTool - CrackMapExec Execution Patterns
- HackTool - CrackMapExec PowerShell Obfuscation
- HackTool - Default PowerSploit/Empire Scheduled Task Creation
- HackTool - Empire PowerShell Launch Parameters
- HackTool - Jlaive In-Memory Assembly Execution
- HackTool - Koadic Execution
- HackTool - NetExec File Indicators
- HackTool - RedMimicry Winnti Playbook Execution
- HackTool - Sliver C2 Implant Activity Pattern
- HackTool - Stracciatella Execution
- Hacktool Ruler
- Headless Process Launched Via Conhost.EXE
- Hidden Powershell in Link File Pattern
- HTML Help HH.EXE Suspicious Child Process
- Import PowerShell Modules From Suspicious Directories
- Import PowerShell Modules From Suspicious Directories - ProcCreation
- Install New Package Via Winget Local Manifest
- Installation of WSL Kali-Linux
- Invocation Of Crypto-Classes From The "Cryptography" PowerShell Namespace
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation CLIP+ Launcher - PowerShell
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
- Invoke-Obfuscation CLIP+ Launcher - Security
- Invoke-Obfuscation CLIP+ Launcher - System
- Invoke-Obfuscation COMPRESS OBFUSCATION
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module
- Invoke-Obfuscation COMPRESS OBFUSCATION - Security
- Invoke-Obfuscation COMPRESS OBFUSCATION - System
- Invoke-Obfuscation Obfuscated IEX Invocation
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
- Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
- Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module
- Invoke-Obfuscation RUNDLL LAUNCHER - Security
- Invoke-Obfuscation RUNDLL LAUNCHER - System
- Invoke-Obfuscation STDIN+ Launcher
- Invoke-Obfuscation STDIN+ Launcher - Powershell
- Invoke-Obfuscation STDIN+ Launcher - PowerShell Module
- Invoke-Obfuscation STDIN+ Launcher - Security
- Invoke-Obfuscation STDIN+ Launcher - System
- Invoke-Obfuscation VAR+ Launcher
- Invoke-Obfuscation VAR+ Launcher - PowerShell
- Invoke-Obfuscation VAR+ Launcher - PowerShell Module
- Invoke-Obfuscation VAR+ Launcher - Security
- Invoke-Obfuscation VAR+ Launcher - System
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System
- Invoke-Obfuscation Via Stdin
- Invoke-Obfuscation Via Stdin - Powershell
- Invoke-Obfuscation Via Stdin - PowerShell Module
- Invoke-Obfuscation Via Stdin - Security
- Invoke-Obfuscation Via Stdin - System
- Invoke-Obfuscation Via Use Clip
- Invoke-Obfuscation Via Use Clip - Powershell
- Invoke-Obfuscation Via Use Clip - PowerShell Module
- Invoke-Obfuscation Via Use Clip - Security
- Invoke-Obfuscation Via Use Clip - System
- Invoke-Obfuscation Via Use MSHTA
- Invoke-Obfuscation Via Use MSHTA - PowerShell
- Invoke-Obfuscation Via Use MSHTA - PowerShell Module
- Invoke-Obfuscation Via Use MSHTA - Security
- Invoke-Obfuscation Via Use MSHTA - System
- Invoke-Obfuscation Via Use Rundll32 - PowerShell
- Invoke-Obfuscation Via Use Rundll32 - PowerShell Module
- Invoke-Obfuscation Via Use Rundll32 - Security
- Invoke-Obfuscation Via Use Rundll32 - System
- Kalambur Backdoor Curl TOR SOCKS Proxy Execution
- Lace Tempest PowerShell Evidence Eraser
- Lace Tempest PowerShell Launcher
- Lazarus Group Activity
- Linux Suspicious Child Process from Node.js - React2Shell
- Malicious Base64 Encoded PowerShell Keywords in Command Lines
- Malicious Nishang PowerShell Commandlets
- Malicious PowerShell Commandlets - PoshModule
- Malicious PowerShell Commandlets - ProcessCreation
- Malicious PowerShell Commandlets - ScriptBlock
- Malicious PowerShell Keywords
- Malicious PowerShell Scripts - FileCreation
- Malicious PowerShell Scripts - PoshModule
- Malicious ShellIntel PowerShell Commandlets
- Manual Execution of Script Inside of a Compressed File
- MERCURY APT Activity
- Metasploit reverse shell injection in SQL Server
- MMC Loading Script Engines DLLs
- MSHTA Execution with Suspicious File Extensions
- Net WebClient Casing Anomalies
- Netcat The Powershell Version
- Network Connection Initiated By PowerShell Process
- Network Connection Initiated via Finger.EXE
- New PowerShell Instance Created
- Node Process Executions
- NodeJS Execution of JavaScript File
- Non Interactive PowerShell Process Spawned
- Nslookup PowerShell Download Cradle
- NTFS Alternate Data Stream
- Obfuscated PowerShell MSI Install via WindowsInstaller COM
- Obfuscated PowerShell OneLiner Execution
- OpenEDR Spawning Command Shell
- Operation Wocao Activity
- Operation Wocao Activity - Security
- Operator Bloopers Cobalt Strike Commands
- Operator Bloopers Cobalt Strike Modules
- Outlook EnableUnsafeClientMailRules Setting Enabled
- Payload downloaded via PowerShell
- PCRE.NET Package Image Load
- PCRE.NET Package Temp Files
- Perl Inline Command Execution
- Php Inline Command Execution
- PipeShell exfiltration over named pipes
- Potential APT FIN7 Exploitation Activity
- Potential APT FIN7 POWERHOLD Execution
- Potential APT10 Cloud Hopper Activity
- Potential Arbitrary Command Execution Via FTP.EXE
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
- Potential Baby Shark Malware Activity
- Potential BlackByte Ransomware Activity
- Potential Bumblebee Remote Thread Creation
- Potential CobaltStrike Process Patterns
- Potential CommandLine Path Traversal Via Cmd.EXE
- Potential CVE-2021-40444 Exploitation Attempt
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
- Potential Data Exfiltration Activity Via CommandLine Tools
- Potential DLL File Download Via PowerShell Invoke-WebRequest
- Potential Dosfuscation Activity
- Potential Dropper Script Execution Via WScript/CScript/MSHTA
- Potential Emotet Activity
- Potential Encoded PowerShell Patterns In CommandLine
- Potential Exploitation of CrushFTP RCE Vulnerability (CVE-2025-54309)
- Potential Exploitation of GoAnywhere MFT Vulnerability
- Potential KamiKakaBot Activity - Lure Document Execution
- Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
- Potential Persistence Via Powershell Search Order Hijacking - Task
- Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Potential Pikabot Infection - Suspicious Command Combinations Via Cmd.EXE
- Potential PowerShell Command Line Obfuscation
- Potential PowerShell Downgrade Attack
- Potential PowerShell Obfuscation Using Alias Cmdlets
- Potential PowerShell Obfuscation Using Character Join
- Potential PowerShell Obfuscation Via Reversed Commands
- Potential PowerShell Obfuscation Via WCHAR/CHAR
- Potential Powershell ReverseShell Connection
- Potential POWERTRASH Script Execution
- Potential QBot Activity
- Potential Reconnaissance Activity Via GatherNetworkInfo.VBS
- Potential Remote PowerShell Session Initiated
- Potential Remote SquiblyTwo Technique Execution
- Potential SAP NetWeaver Webshell Creation
- Potential SAP NetWeaver Webshell Creation - Linux
- Potential Suspicious PowerShell Keywords
- Potential WinAPI Calls Via PowerShell Scripts
- Potential WMI Lateral Movement WmiPrvSE Spawned PowerShell
- Potentially Suspicious Command Executed Via Run Dialog Box - Registry
- Potentially Suspicious Execution From Parent Process In Public Folder
- Potentially Suspicious Inline JavaScript Execution via NodeJS Binary
- Potentially Suspicious Long Filename Pattern - Linux
- Potentially Suspicious NTFS Symlink Behavior Modification
- Potentially Suspicious PowerShell Child Processes
- Potentially Suspicious Powershell Script Execution From Temp Folder
- Potentially Suspicious WebDAV LNK Execution
- PowerShell ADRecon Execution
- PowerShell Base64 Encoded FromBase64String Cmdlet
- PowerShell Base64 Encoded IEX Cmdlet
- PowerShell Base64 Encoded Invoke Keyword
- PowerShell Base64 Encoded Reflective Assembly Load
- PowerShell Base64 Encoded WMI Classes
- PowerShell Called from an Executable Version Mismatch
- PowerShell Core DLL Loaded By Non PowerShell Process
- PowerShell Create Local User
- PowerShell Credential Prompt
- PowerShell Downgrade Attack - PowerShell
- PowerShell Download and Execution Cradles
- PowerShell Download Pattern
- PowerShell Download Via Net.WebClient - PowerShell Classic
- Powershell Execute Batch Script
- Powershell Executed From Headless ConHost Process
- Powershell Inline Execution From A File
- PowerShell MSI Install via WindowsInstaller COM From Remote Location
- Powershell MsXml COM Object
- PowerShell PSAttack
- PowerShell Remote Session Creation
- PowerShell Script Run in AppData
- PowerShell ShellCode
- PowerShell Web Access Installation - PsScript
- Powershell XML Execute Command
- PowerView PowerShell Cmdlets - ScriptBlock
- PSAsyncShell - Asynchronous TCP Reverse Shell
- PUA - AdvancedRun Execution
- PUA - Wsudo Suspicious Execution
- Python Inline Command Execution
- Python One-Liners with Base64 Decoding
- Python Path Configuration File Creation - Linux
- Python Path Configuration File Creation - MacOS
- Python Path Configuration File Creation - Windows
- Python Spawning Pretty TTY on Windows
- Raspberry Robin Initial Execution From External Drive
- Raspberry Robin Subsequent Execution of Commands
- Read Contents From Stdin Via Cmd.EXE
- Registry Modification Attempt Via VBScript
- Registry Modification Attempt Via VBScript - PowerShell
- Registry Set With Crypto-Classes From The "Cryptography" PowerShell Namespace
- Registry Tampering by Potentially Suspicious Processes
- Remote Access Tool - ScreenConnect Command Execution
- Remote Access Tool - ScreenConnect File Transfer
- Remote Access Tool - ScreenConnect Remote Command Execution
- Remote Access Tool - ScreenConnect Temporary File
- Remote LSASS Process Access Through Windows Remote Management
- Remote PowerShell Session (PS Classic)
- Remote PowerShell Session (PS Module)
- Remote PowerShell Session Host Process (WinRM)
- Remote PowerShell Sessions Network Connections (WinRM)
- Remote Thread Creation Via PowerShell
- Remote Thread Creation Via PowerShell In Uncommon Target
- Renamed CURL.EXE Execution
- Renamed FTP.EXE Execution
- Renamed NirCmd.EXE Execution
- Renamed PingCastle Binary Execution
- Renamed Powershell Under Powershell Channel
- REvil Kaseya Incident Malware Patterns
- Rorschach Ransomware Execution Activity
- Ruby Inline Command Execution
- Run PowerShell Script from Redirected Input Stream
- Scheduled Task Executing Encoded Payload from Registry
- Scheduled Task Executing Payload from Registry
- Script Interpreter Execution From Suspicious Folder
- Script Interpreter Spawning Credential Scanner - Windows
- Serial console process spawning CMD shell (via command)
- Serpent Backdoor Payload Execution Via Scheduled Task
- Shai-Hulud Malware Indicators - Linux
- Shai-Hulud Malware Indicators - Windows
- Silence.EDA Detection
- Sofacy Trojan Loader Activity
- SQL Client Tools PowerShell Session Detection
- Suspicious ArcSOC.exe Child Process
- Suspicious Child Process Of BgInfo.EXE
- Suspicious Child Process of SAP NetWeaver
- Suspicious Child Process of SAP NetWeaver - Linux
- Suspicious CrushFTP Child Process
- Suspicious Deno File Written from Remote Source
- Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call
- Suspicious Encoded PowerShell Command Line
- Suspicious Execution of Powershell with Base64
- Suspicious File Characteristics Due to Missing Fields
- Suspicious File Created In PerfLogs
- Suspicious File Execution From Internet Hosted WebDav Share
- Suspicious Greedy Compression Using Rar.EXE
- Suspicious HH.EXE Execution
- Suspicious HWP Sub Processes
- Suspicious Interactive PowerShell as SYSTEM
- Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script
- Suspicious PowerShell Download - PoshModule
- Suspicious PowerShell Download - Powershell Script
- Suspicious PowerShell Download and Execute Pattern
- Suspicious PowerShell Encoded Command Patterns
- Suspicious PowerShell IEX Execution Patterns
- Suspicious PowerShell Invocation From Script Engines
- Suspicious PowerShell Invocations - Generic
- Suspicious PowerShell Invocations - Generic - PowerShell Module
- Suspicious PowerShell Invocations - Specific
- Suspicious PowerShell Invocations - Specific - PowerShell Module
- Suspicious PowerShell Parameter Substring
- Suspicious PowerShell Parent Process
- Suspicious PrinterPorts Creation (CVE-2020-1048)
- Suspicious Process Spawned by CentreStack Portal AppPool
- Suspicious Program Names
- Suspicious RASdial Activity
- Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS
- Suspicious Remote Child Process From Outlook
- Suspicious Runscripthelper.exe
- Suspicious Scan Loop Network
- Suspicious Schtasks Execution AppData Folder
- Suspicious Scripting in a WMI Consumer
- Suspicious Usage of For Loop with Recursive Directory Search in CMD
- Suspicious WSMAN Provider Image Loads
- Suspicious XOR Encoded PowerShell Command
- Sysprep on AppData Folder
- TropicTrooper Campaign November 2018
- Turla Group Commands May 2020
- Turla Group Lateral Movement
- UNC2452 PowerShell Pattern
- UNC2452 Process Creation Patterns
- Uncommon Child Process Of BgInfo.EXE
- Uncommon PowerShell Hosts
- Unusual Parent Process For Cmd.EXE
- Unusually Long PowerShell CommandLine
- Ursnif Redirection Of Discovery Commands
- Usage Of Web Request Commands And Cmdlets
- Usage Of Web Request Commands And Cmdlets - ScriptBlock
- Use of FSharp Interpreters
- Use of OpenConsole
- Use of Pcalua For Execution
- Vice Society directory crawling script for data exfiltration (via ps_script)
- VMToolsd Suspicious Child Process
- WinAPI Function Calls Via PowerShell Scripts
- WinAPI Library Calls Via PowerShell Scripts
- Windows Defender AMSI Trigger Detected
- Windows Defender Exclusions Added - PowerShell
- Windows Defender Threat Detected
- Windows Shell/Scripting Application File Write to Suspicious Folder
- Windows Shell/Scripting Processes Spawning Suspicious Programs
- Windows Suspicious Child Process from Node.js - React2Shell
- WMImplant Hack Tool
- Writing Of Malicious Files To The Fonts Folder
- WScript or CScript Dropper - File
- Wscript Shell Run In CommandLine
- WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
- XSL Script Execution Via WMIC.EXE
- ZxShell Malware
Elastic 82 rules
- Attempt to Install or Run Kali Linux via WSL
- Binary Content Copy via Cmd.exe
- Clearing Windows Console History
- Command and Scripting Interpreter via Windows Scripts
- Command Execution via SolarWinds Process
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Delayed Execution via Ping
- Disabling Windows Defender Security Settings via PowerShell
- Dynamic IEX Reconstruction via Method String Access
- Execution from Unusual Directory - Command Line
- Execution of a Downloaded Windows Script
- Execution of Persistent Suspicious Program
- Execution via MS VisualStudio Pre/Post Build Events
- Execution via Windows Subsystem for Linux
- Exporting Exchange Mailbox via PowerShell
- Host File System Changes via Windows Subsystem for Linux
- Incoming Execution via PowerShell Remoting
- Microsoft Exchange Worker Spawning Suspicious Processes
- Microsoft Management Console File from Unusual Path
- New ActiveSyncAllowedDeviceID Added via PowerShell
- Outbound Scheduled Task Activity via PowerShell
- Potential Command Shell via NetCat
- Potential Dynamic IEX Reconstruction via Environment Variables
- Potential Execution via FileFix Phishing Attack
- Potential Fake CAPTCHA Phishing Attack
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
- Potential PowerShell Obfuscation via Character Array Reconstruction
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
- Potential PowerShell Obfuscation via High Numeric Character Proportion
- Potential PowerShell Obfuscation via High Special Character Proportion
- Potential PowerShell Obfuscation via Invalid Escape Sequences
- Potential PowerShell Obfuscation via Reverse Keywords
- Potential PowerShell Obfuscation via Special Character Overuse
- Potential PowerShell Obfuscation via String Concatenation
- Potential PowerShell Obfuscation via String Reordering
- Potential SharpRDP Behavior
- Potential Veeam Credential Access Command
- PowerShell Obfuscation via Negative Index String Reversal
- Process Activity via Compiled HTML File
- Proxy Execution via Console Window Host
- Remote File Download via PowerShell
- Remote File Download via Script Interpreter
- Remote XSL Script Execution via COM
- Renamed Automation Script Interpreter
- Scheduled Task Created by a Windows Script
- ScreenConnect Server Spawning Suspicious Processes
- Script Execution via Microsoft HTML Application
- Service Control Spawned via Script Interpreter
- Suspicious .NET Code Compilation
- Suspicious Cmd Execution via WMI
- Suspicious Command Prompt Network Connection
- Suspicious Execution from a Mounted Device
- Suspicious Execution from VS Code Extension
- Suspicious Execution via Windows Subsystem for Linux
- Suspicious Execution with NodeJS
- Suspicious Explorer Child Process
- Suspicious JavaScript Execution via Deno
- Suspicious JetBrains TeamCity Child Process
- Suspicious Microsoft HTML Application Child Process
- Suspicious MS Office Child Process
- Suspicious MS Outlook Child Process
- Suspicious ScreenConnect Client Child Process
- Suspicious Shell Execution via Velociraptor
- Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
- Suspicious Windows Command Shell Arguments
- Suspicious Windows Powershell Arguments
- Suspicious Zoom Child Process
- System Information Discovery via Windows Command Shell
- System Shells via Services
- Unusual Parent Process for cmd.exe
- Unusual Process For MSSQL Service Accounts
- Veeam Backup Library Loaded by Unusual Process
- Volume Shadow Copy Deletion via PowerShell
- Windows Defender Exclusions Added via PowerShell
- Windows Firewall Disabled via PowerShell
- Windows Script Executing PowerShell
- Windows Script Execution from Archive
- Windows Script Interpreter Executing Process via WMI
- Windows Server Update Service Spawning Suspicious Processes
- Windows Subsystem for Linux Distribution Installed
- Windows System Information Discovery
Splunk 247 rules
- 1 or 2 Character Executable (Windows Event Log)
- AutoHotkey Execution (PowerShell)
- AutoHotkey Execution (Sysmon)
- AutoHotkey Execution (Windows Event Log)
- AutoIt Execution (PowerShell)
- AutoIt Execution (Sysmon)
- AutoIt Execution (Windows Event Log)
- Bypass or Unrestricted PowerShell Execution (PowerShell)
- CMD Carry Out String Command Parameter
- CMD Echo Pipe - Escalation
- CMD execution with _c (PowerShell)
- CMD execution with _c (Sysmon)
- CMD execution with _c (Windows Event Log)
- Command Line .cmd Execution (Sysmon)
- Command Line .cmd Execution (Windows Event Log)
- Command Line Spawned by Archive Utility - Windows (Sysmon)
- Command Line Spawned by Archive Utility - Windows (Windows Event Log)
- Command Line Utility Added to Accessibility Features (PowerShell)
- Command Line Utility Added to Accessibility Features (Sysmon)
- Command Line Utility Added to Accessibility Features (Windows Event Log)
- Command Output Redirected to Localhost (Windows Event Log)
- Command-Line Interface Execution (PowerShell)
- Command-Line Interface Execution (Sysmon)
- Command-Line Interface Execution (Windows Event Log)
- Common Exchange Recon cmdlets (PowerShell)
- Common Reconnaissance Commands (PowerShell)
- Common Reconnaissance Commands (Sysmon)
- Common Reconnaissance Commands (Windows Event Log)
- Conhost.exe Kernel call (Sysmon)
- Conhost.exe Kernel call (Windows Event Log)
- Consent.exe Suspicious Child Process (Sysmon)
- Consent.exe Suspicious Child Process (Windows Event Log)
- Detect Certify With PowerShell Script Block Logging
- Detect Empire with PowerShell Script Block Logging
- Detect Mimikatz With PowerShell Script Block Logging
- Detect Prohibited Applications Spawning cmd exe
- Detect Use of cmd exe to Launch Script Interpreters
- Encoded Powershell Command (PowerShell)
- Encoded Powershell Command (Sysmon)
- Encoded Powershell Command (Windows Event Log)
- Excessive distinct processes from Windows Temp
- Excessive number of taskhost processes
- Exchange PowerShell Module Usage
- Executable Create Script Process (PowerShell)
- Executable Create Script Process (Sysmon)
- Executable Create Script Process (Windows Event Log)
- Executable Process from Suspicious Folder (PowerShell)
- Executable Process from Suspicious Folder (Sysmon)
- Executable Process from Suspicious Folder (Windows Event Log)
- Execute Javascript With Jscript COM CLSID
- Explorer Child Process with Suspicious Command Line Padding (Sysmon)
- Get-ForestTrust with PowerShell Script Block
- GetLocalUser with PowerShell Script Block
- GetWmiObject User Account with PowerShell Script Block
- Git Hooks Spawn System32 Process (Sysmon)
- Git Spawns System32 Process (Sysmon)
- Git Spawns System32 Process (Windows Event Log)
- Go Run Execution (PowerShell)
- Go Run Execution (Sysmon)
- Go Run Execution (Windows Event Log)
- High Entropy Powershell (PowerShell)
- Impacket atexec.py Execution (PowerShell)
- Impacket atexec.py Execution (Sysmon)
- Impacket atexec.py Execution (Windows Event Log)
- Impacket atexec.py Scheduled Task Creation (Windows Event Log)
- Impacket atexec.py Temp File Creation (Sysmon)
- Impacket atexec.py Temp File Creation (Windows Event Log)
- Impacket SMBexec (Windows Event Log)
- Impacket_Empire's WMIExec (Windows Event Log)
- Invoke-Expression Command (PowerShell)
- Invoke-Expression Command (Sysmon)
- Invoke-Expression Command (Windows Event Log)
- Invoke-WebRequest Command (PowerShell)
- Invoke-WebRequest Command (Sysmon)
- Invoke-WebRequest Command (Windows Event Log)
- Jscript Execution Using Cscript App
- Malicious PowerShell Process - Execution Policy Bypass
- Malicious PowerShell Process With Obfuscation Techniques
- Meterpreter Reverse Shell (Windows Event Log)
- Microsoft Build Engine Suspicious Parent Process (Sysmon)
- Microsoft Build Engine Suspicious Parent Process (Windows Event Log)
- Modify Exchange Access Settings (PowerShell)
- MS Scripting Process Loading Ldap Module
- MS Scripting Process Loading WMI Module
- NirCmd Execution (Sysmon)
- NirCmd Execution (Windows Event Log)
- Nishang PowershellTCPOneLine
- Non-MSIExec .msi Installation (PowerShell)
- Non-MSIExec .msi Installation (Windows Event Log)
- Output to File (PowerShell)
- Output to File (Windows Event Log)
- Parent in Public Folder Suspicious Process (Sysmon)
- Parent in Public Folder Suspicious Process (Windows Event Log)
- Possible Lateral Movement PowerShell Spawn
- Potential AutoHotkey .ahk Execution (PowerShell)
- Potential AutoHotkey .ahk Execution (Sysmon)
- Potential AutoHotkey .ahk Execution (Windows Event Log)
- Potential PowerShell Post-Exploitation Activity (Sysmon)
- Potential PowerShell Post-Exploitation Activity (Windows Event Log)
- Potential Proxy Malware via AutoRun Key (PowerShell)
- Potential Proxy Malware via AutoRun Key (Sysmon)
- Potential Proxy Malware via AutoRun Key (Windows Event Log)
- PowerShell - Connect To Internet With Hidden Window
- PowerShell 4104 Hunting
- PowerShell Clipboard Access (PowerShell)
- Powershell COM Hijacking InprocServer32 Modification
- PowerShell CreateDecryptor (PowerShell)
- PowerShell CreateDecryptor (Sysmon)
- PowerShell CreateDecryptor (Windows Event Log)
- Powershell Creating Thread Mutex
- PowerShell Domain Enumeration
- PowerShell Downgrade (PowerShell)
- PowerShell Downgrade (Sysmon)
- PowerShell Downgrade (Windows Event Log)
- PowerShell Download Activity (PowerShell)
- PowerShell DownloadFile_DownloadString (PowerShell)
- PowerShell DownloadFile_DownloadString (Sysmon)
- PowerShell DownloadFile_DownloadString (Windows Event Log)
- PowerShell Enable PowerShell Remoting
- PowerShell Environment Variable Execution
- Powershell Execute COM Object
- Powershell Fileless Process Injection via GetProcAddress
- Powershell Fileless Script Contains Base64 Encoded Content
- PowerShell Hidden Window (PowerShell)
- PowerShell Hidden Window (Windows Event Log)
- Powershell ICMP Data Exfiltration (PowerShell)
- Powershell Load Module in Meterpreter
- PowerShell Loading DotNET into Memory via Reflection
- PowerShell Modifying Registry Values (PowerShell)
- PowerShell Modifying Registry Values (Sysmon)
- PowerShell Modifying Registry Values (Windows Event Log)
- PowerShell PInvoke Process Injection API Chain
- Powershell Processing Stream Of Data
- PowerShell Script Block With URL Chain
- PowerShell Start or Stop Service
- Powershell Using memory As Backing Store
- PowerShell WebRequest Using Memory Stream
- PowerShell XML Retrieval (PowerShell)
- PowerShell XML Retrieval (Sysmon)
- PowerShell XML Retrieval (Windows Event Log)
- PowerView_SharpView Commands (PowerShell)
- Process Writing DynamicWrapperX
- Python Execution (Windows Event Log)
- Rare Process Execution (Sysmon)
- Rare Process Execution (Windows Event Log)
- Recon Using WMI Class
- Remote Admin Tools (EDR)
- Remote Admin Tools (PowerShell)
- Remote Admin Tools (Sysmon)
- Remote Admin Tools (Windows Event Log)
- Ryuk Wake on LAN Command
- Script Connected to External Destination - Windows (Sysmon)
- Script Connected to External Destination - Windows (Windows Event Log)
- Set Default PowerShell Execution Policy To Unrestricted or Bypass
- SharpHound Enumeration (Windows Event Log)
- Sliver C2 Implant Activity Pattern (PowerShell)
- Sliver C2 Implant Activity Pattern (Sysmon)
- Sliver C2 Implant Activity Pattern (Windows Event Log)
- Suspicious Child Process for mshta.exe (Sysmon)
- Suspicious Child Process for mshta.exe (Windows Event Log)
- Suspicious Executable by CMD.exe (Sysmon)
- Suspicious Executable by CMD.exe (Windows Event Log)
- Suspicious Executable by Powershell (EDR)
- Suspicious Executable by Powershell (Sysmon)
- Suspicious Executable by Powershell (Windows Event Log)
- Suspicious Powershell (PowerShell)
- Suspicious PowerShell Clipboard Activity (PowerShell)
- Suspicious PowerShell Clipboard Activity (Sysmon)
- Suspicious PowerShell Clipboard Activity (Windows Event Log)
- Suspicious PowerShell Parameter Substring (PowerShell)
- Suspicious PowerShell Parameter Substring (Sysmon)
- Suspicious PowerShell Parameter Substring (Windows Event Log)
- Suspicious Process DNS Query Known Abuse Web Services
- Suspicious Process With Discord DNS Query
- Suspicious reCAPTCHA Command Line (PowerShell)
- Suspicious reCAPTCHA Command Line (Sysmon)
- Unloading AMSI via Reflection
- Vbscript Execution Using Wscript App
- WebDAV LNK Execution (Sysmon)
- WebDAV LNK Execution (Windows Event Log)
- WebLogic CVE-2017-10271 (PowerShell)
- WebLogic CVE-2017-10271 (Sysmon)
- WebLogic CVE-2017-10271 (Windows Event Log)
- Wermgr Process Spawned CMD Or Powershell Process
- Windows Account Access Removal via Logoff Exec
- Windows Apache Benchmark Binary
- Windows AutoIt3 Execution
- Windows Cmdline Tool Execution From Non-Shell Process
- Windows Cobalt Strike PowerShell Loader
- Windows Command and Scripting Interpreter Hunting Path Traversal
- Windows Command and Scripting Interpreter Path Traversal Exec
- Windows Command Shell DCRat ForkBomb Payload
- Windows Copy Files (PowerShell)
- Windows Copy Files (Sysmon)
- Windows Copy Files (Windows Event Log)
- Windows Crowdstrike RTR Script Execution
- Windows Default Cobalt Strike PowerShell Beacon
- Windows Defender ASR Audit Events
- Windows Defender ASR Block Events
- Windows Defender ASR Rules Stacking
- Windows Enable PowerShell Web Access
- Windows Explorer LNK Exploit Process Launch With Padding
- Windows Explorer.exe Spawning PowerShell or Cmd
- Windows File Association Modification via Ftype
- Windows File Download Via PowerShell
- Windows GrimResource - MMC Process Accessing APDS DLL
- Windows Identify Protocol Handlers
- Windows Outlook Macro Created by Suspicious Process
- Windows PaperCut NG Spawn Shell
- Windows Powershell Cryptography Namespace
- Windows PowerShell FakeCAPTCHA Clipboard Execution
- Windows PowerShell Get CIMInstance Remote Computer
- Windows Powershell History File Deletion
- Windows Powershell Import Applocker Policy
- Windows PowerShell Invoke-RestMethod IP Information Collection
- Windows PowerShell Invoke-Sqlcmd Execution
- Windows Powershell Logoff User via Quser
- Windows PowerShell Module File Created
- Windows PowerShell MSIX Package Installation
- Windows PowerShell Process Implementing Manual Base64 Decoder
- Windows PowerShell Process With Malicious String
- Windows Powershell RemoteSigned File
- Windows PowerShell ScheduleTask
- Windows PowerShell Script Block With Malicious String
- Windows PowerShell Script From WindowsApps Directory
- Windows PowerShell Script TabExpansion Direct Call
- Windows PowerShell WMI Win32 ScheduledJob
- Windows PowGoop Beacon Decoding
- Windows Process Accessing Windows Recall Directory
- Windows Process Execution From RDP Share
- Windows Remote Image Load
- Windows Scheduled Task Service Spawned Shell
- Windows Shell Process from CrushFTP
- Windows Software Discovery Via PowerShell
- Windows SQL Server Extended Procedure DLL Loading Hunt
- Windows SQLCMD Execution
- Windows SSH Proxy Command
- Windows Suspicious React or Next.js Child Process
- Windows Suspicious VMWare Tools Child Process
- Windows TeamCity Payload Execution from Temp Directory
- Windows TeamCity Plugin Installed
- Windows TinyCC Shellcode Execution
- Windows WinDBG Spawning AutoIt3
- Windows XLL File Creation Outside of Typical Location
- Wscript_Cscript Execution (PowerShell)
- Wscript_Cscript Execution (Sysmon)
- Wscript_Cscript Execution (Windows Event Log)
Kusto 28 rules
- Base64 encoded Windows process command-lines
- Base64 encoded Windows process command-lines (Normalized Process Events)
- Deimos Component Execution
- Detect Suspicious Commands Initiated by Webserver Processes
- Doppelpaymer Stop Services
- Exchange Worker Process Making Remote Call
- Google Threat Intelligence - Threat Hunting Hash
- Java Executing cmd to run Powershell
- Midnight Blizzard - Script payload stored in Registry
- NRT Base64 Encoded Windows Process Command-lines
- NRT Process executed from binary hidden in Base64 encoded file
- Office Apps Launching Wscipt
- Powershell Empire Cmdlets Executed in Command Line
- PowerShell without powershell.exe
- Process Creation with Suspicious CommandLine Arguments
- Process executed from binary hidden in Base64 encoded file
- Process Execution Frequency Anomaly
- Qakbot Discovery Activies
- RecordedFuture Threat Hunting Hash All Actors
- Script Interpreter Loading DotNet Assembly From Memory
- SUNBURST and SUPERNOVA backdoor hashes
- SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
- SUNBURST network beacons
- SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
- Suspicious Powershell Commandlet Executed
- TEARDROP memory-only dropper
- Windows Binaries Executed from Non-Default Directory
- Windows Binaries Lolbins Renamed