Detection rules › By event

Microsoft-Windows-PowerShell event 4103

33 detection rules reference this event. View event page.

Sigma (33)

AD Groups Or Users Enumeration Using PowerShell - PoshModule severity low T1069.001
Alternate PowerShell Hosts - PowerShell Module severity medium T1059.001
Bad Opsec Powershell Code Artifacts severity critical T1059.001
Clear PowerShell History - PowerShell Module severity medium T1070.003
HackTool - Evil-WinRm Execution - PowerShell Module severity high
Invoke-Obfuscation CLIP+ Launcher - PowerShell Module severity high T1027, T1059.001
Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module severity medium T1027, T1059.001
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module severity high T1027, T1059.001
Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module severity medium T1027, T1059.001
Invoke-Obfuscation STDIN+ Launcher - PowerShell Module severity high T1027, T1059.001
Invoke-Obfuscation VAR+ Launcher - PowerShell Module severity high T1027, T1059.001
Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module severity high T1027, T1059.001
Invoke-Obfuscation Via Stdin - PowerShell Module severity high T1027, T1059.001
Invoke-Obfuscation Via Use Clip - PowerShell Module severity high T1027, T1059.001
Invoke-Obfuscation Via Use MSHTA - PowerShell Module severity high T1027, T1059.001
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module severity high T1027, T1059.001
Malicious PowerShell Commandlets - PoshModule severity high T1059.001, T1069, T1069.001, T1069.002, T1087, T1087.001
Malicious PowerShell Scripts - PoshModule severity high T1059.001
Potential Active Directory Enumeration Using AD Module - PsModule severity medium
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module severity high T1218
PowerShell Decompress Commands severity informational T1140
PowerShell Get Clipboard severity medium T1115
Remote PowerShell Session (PS Module) severity high T1021.006, T1059.001
Suspicious Computer Machine Password by PowerShell severity medium T1078
Suspicious Get Information for SMB Share - PowerShell Module severity low T1069.001
Suspicious Get Local Groups Information severity low T1069.001
Suspicious Get-ADDBAccount Usage severity high T1003.003
Suspicious PowerShell Download - PoshModule severity medium T1059.001
Suspicious PowerShell Invocations - Generic - PowerShell Module severity high T1059.001
Suspicious PowerShell Invocations - Specific - PowerShell Module severity high T1059.001
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module severity medium T1218
Use Get-NetTCPConnection - PowerShell Module severity low T1049
Zip A Folder With PowerShell For Staging In Temp - PowerShell Module severity medium T1074.001