Microsoft-Windows-PowerShell event 4104
Sigma (162)
- AADInternals PowerShell Cmdlets Execution - PsScript
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Access to Browser Login Data
- Active Directory Computers Enumeration With Get-AdComputer
- Active Directory Group Enumeration With Get-AdGroup
- AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
- Add Windows Capability Via PowerShell Script
- AMSI Bypass Pattern Assembly GetType
- Automated Collection Bookmarks Using Get-ChildItem PowerShell
- Automated Collection Command PowerShell
- Certificate Exported Via PowerShell - ScriptBlock
- Change PowerShell Policies to an Insecure Level - PowerShell
- Change User Agents with WebRequest
- Clear PowerShell History - PowerShell
- Clearing Windows Console History
- Code Executed Via Office Add-in XLL File
- Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
- Create Volume Shadow Copy with Powershell
- Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script
- Detected Windows Software Discovery - PowerShell
- DirectorySearcher Powershell Exploitation
- Disable of ETW Trace - Powershell
- Disable Powershell Command History
- Disable-WindowsOptionalFeature Command PowerShell
- DMSA Link Attributes Modified
- DMSA Service Account Created in Specific OUs - PowerShell
- DSInternals Suspicious PowerShell Cmdlets - ScriptBlock
- Dump Credentials from Windows Credential Manager With PowerShell
- Enable Windows Remote Management
- Enumerate Credentials from Windows Credential Manager With PowerShell
- Execute Invoke-command on Remote Host
- Extracting Information with PowerShell
- Get-ADUser Enumeration Using UserAccountControl Flags
- HackTool - Rubeus Execution - ScriptBlock
- HackTool - WinPwn Execution - ScriptBlock
- Import PowerShell Modules From Suspicious Directories
- Invoke-Obfuscation CLIP+ Launcher - PowerShell
- Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
- Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell
- Invoke-Obfuscation STDIN+ Launcher - Powershell
- Invoke-Obfuscation VAR+ Launcher - PowerShell
- Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell
- Invoke-Obfuscation Via Stdin - Powershell
- Invoke-Obfuscation Via Use Clip - Powershell
- Invoke-Obfuscation Via Use MSHTA - PowerShell
- Invoke-Obfuscation Via Use Rundll32 - PowerShell
- Live Memory Dump Using Powershell
- Malicious Nishang PowerShell Commandlets
- Malicious PowerShell Commandlets - ScriptBlock
- Malicious PowerShell Keywords
- Malicious ShellIntel PowerShell Commandlets
- Manipulation of User Computer or Group Security Principals Across AD
- Modify Group Policy Settings - ScriptBlockLogging
- NTFS Alternate Data Stream
- Password Policy Discovery With Get-AdDefaultDomainPasswordPolicy
- Potential Active Directory Enumeration Using AD Module - PsScript
- Potential AMSI Bypass Script Using NULL Bits
- Potential COM Objects Download Cradles Usage - PS Script
- Potential Data Exfiltration Via Audio File
- Potential In-Memory Execution Using Reflection.Assembly
- Potential Invoke-Mimikatz PowerShell Script
- Potential Keylogger Activity
- Potential Packet Capture Activity Via Start-NetEventSession - ScriptBlock
- Potential Persistence Via PowerShell User Profile Using Add-Content
- Potential Persistence Via Security Descriptors - ScriptBlock
- Potential PowerShell Obfuscation Using Alias Cmdlets
- Potential PowerShell Obfuscation Using Character Join
- Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell ScriptBlock
- Potential Suspicious PowerShell Keywords
- Potential Suspicious Windows Feature Enabled
- Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
- Potential WinAPI Calls Via PowerShell Scripts
- Potentially Suspicious Call To Win32_NTEventlogFile Class - PSScript
- Powershell Add Name Resolution Policy Table Rule
- PowerShell ADRecon Execution
- PowerShell Create Local User
- Powershell Create Scheduled Task
- PowerShell Credential Prompt
- PowerShell Deleted Mounted Share
- Powershell Detect Virtualization Environment
- Powershell Directory Enumeration
- Powershell DNSExfiltration
- Powershell Execute Batch Script
- PowerShell Get-Process LSASS in ScriptBlock
- PowerShell Hotfix Enumeration
- PowerShell ICMP Exfiltration
- Powershell Install a DLL in System Directory
- Powershell Keylogging
- Powershell Local Email Collection
- Powershell LocalAccount Manipulation
- Powershell MsXml COM Object
- PowerShell PSAttack
- PowerShell Remote Session Creation
- PowerShell Script Change Permission Via Set-Acl - PsScript
- PowerShell Script With File Hostname Resolving Capabilities
- PowerShell Script With File Upload Capabilities
- Powershell Sensitive File Discovery
- PowerShell Set-Acl On Windows Folder - PsScript
- PowerShell ShellCode
- Powershell Store File In Alternate Data Stream
- Powershell Suspicious Win32_PnPEntity
- Powershell Timestomp
- PowerShell Web Access Installation - PsScript
- Powershell WMI Persistence
- PowerShell WMI Win32_Product Install MSI
- PowerShell Write-EventLog Usage
- Powershell XML Execute Command
- PowerView PowerShell Cmdlets - ScriptBlock
- PSAsyncShell - Asynchronous TCP Reverse Shell
- Recon Information for Export with PowerShell
- Registry Modification Attempt Via VBScript - PowerShell
- Registry-Free Process Scope COR_PROFILER
- Remove Account From Domain Admin Group
- Replace Desktop Wallpaper by Powershell
- Root Certificate Installed - PowerShell
- Security Software Discovery Via Powershell Script
- Service Registry Permissions Weakness Check
- Silence.EDA Detection
- Suspicious Connection to Remote Account
- Suspicious Eventlog Clear
- Suspicious FromBase64String Usage On Gzip Archive - Ps Script
- Suspicious Get Information for SMB Share
- Suspicious Get Local Groups Information - PowerShell
- Suspicious Get-ADReplAccount
- Suspicious GetTypeFromCLSID ShellExecute
- Suspicious GPO Discovery With Get-GPO
- Suspicious Hyper-V Cmdlets
- Suspicious Invoke-Item From Mount-DiskImage
- Suspicious IO.FileStream
- Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
- Suspicious Mount-DiskImage
- Suspicious New-PSDrive to Admin Share
- Suspicious PowerShell Download - Powershell Script
- Suspicious PowerShell Get Current User
- Suspicious PowerShell Invocations - Generic
- Suspicious PowerShell Invocations - Specific
- Suspicious PowerShell Mailbox Export to Share - PS
- Suspicious PowerShell WindowStyle Option
- Suspicious Process Discovery With Get-Process
- Suspicious Service DACL Modification Via Set-Service Cmdlet - PS
- Suspicious SSL Connection
- Suspicious Start-Process PassThru
- Suspicious TCP Tunnel Via PowerShell Script
- Suspicious Unblock-File
- Suspicious X509Enrollment - Ps Script
- SyncAppvPublishingServer Execution to Bypass Powershell Restriction
- Tamper Windows Defender - ScriptBlockLogging
- Tamper Windows Defender Remove-MpPreference - ScriptBlockLogging
- Testing Usage of Uncommonly Used Port
- Troubleshooting Pack Cmdlet Execution
- Unsigned AppX Installation Attempt Using Add-AppxPackage - PsScript
- Usage Of Web Request Commands And Cmdlets - ScriptBlock
- User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
- Veeam Backup Servers Credential Dumping Script Execution
- Windows Defender Exclusions Added - PowerShell
- Windows Firewall Profile Disabled
- Windows Screen Capture with CopyFromScreen
- Winlogon Helper DLL
- WMIC Unquoted Services Path Lookup - PowerShell
- WMImplant Hack Tool
- Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
Elastic (12)
- Dynamic IEX Reconstruction via Method String Access
- Potential Dynamic IEX Reconstruction via Environment Variables
- Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
- Potential PowerShell Obfuscation via Character Array Reconstruction
- Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
- Potential PowerShell Obfuscation via High Numeric Character Proportion
- Potential PowerShell Obfuscation via Invalid Escape Sequences
- Potential PowerShell Obfuscation via Reverse Keywords
- Potential PowerShell Obfuscation via Special Character Overuse
- Potential PowerShell Obfuscation via String Concatenation
- Potential PowerShell Obfuscation via String Reordering
- PowerShell Obfuscation via Negative Index String Reversal
Splunk (109)
- AdsiSearcher Account Discovery
- Allow Inbound Traffic In Firewall Rule
- Delete ShadowCopy With PowerShell
- Detect Certify With PowerShell Script Block Logging
- Detect Copy of ShadowCopy with Script Block Logging
- Detect Empire with PowerShell Script Block Logging
- Detect Mimikatz With PowerShell Script Block Logging
- Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
- Disabled Kerberos Pre-Authentication Discovery With PowerView
- Domain Group Discovery with Adsisearcher
- Elevated Group Discovery with PowerView
- Exchange PowerShell Module Usage
- Get ADDefaultDomainPasswordPolicy with Powershell Script Block
- Get ADUser with PowerShell Script Block
- Get ADUserResultantPasswordPolicy with Powershell Script Block
- Get DomainPolicy with Powershell Script Block
- Get DomainUser with PowerShell Script Block
- Get WMIObject Group Discovery with Script Block Logging
- Get-DomainTrust with PowerShell Script Block
- Get-ForestTrust with PowerShell Script Block
- GetAdComputer with PowerShell Script Block
- GetAdGroup with PowerShell Script Block
- GetCurrent User with PowerShell Script Block
- GetDomainComputer with PowerShell Script Block
- GetDomainController with PowerShell Script Block
- GetDomainGroup with PowerShell Script Block
- GetLocalUser with PowerShell Script Block
- GetNetTcpconnection with PowerShell Script Block
- GetWmiObject Ds Computer with PowerShell Script Block
- GetWmiObject Ds Group with PowerShell Script Block
- GetWmiObject DS User with PowerShell Script Block
- GetWmiObject User Account with PowerShell Script Block
- Interactive Session on Remote Endpoint with PowerShell
- Kerberos Pre-Authentication Flag Disabled with PowerShell
- Mailsniper Invoke functions
- PowerShell 4104 Hunting
- Powershell COM Hijacking InprocServer32 Modification
- Powershell Creating Thread Mutex
- PowerShell Domain Enumeration
- PowerShell Enable PowerShell Remoting
- Powershell Enable SMB1Protocol Feature
- Powershell Execute COM Object
- Powershell Fileless Process Injection via GetProcAddress
- Powershell Fileless Script Contains Base64 Encoded Content
- Powershell Get LocalGroup Discovery with Script Block Logging
- PowerShell Invoke CIMMethod CIMSession
- PowerShell Invoke WmiExec Usage
- Powershell Load Module in Meterpreter
- PowerShell Loading DotNET into Memory via Reflection
- Powershell Processing Stream Of Data
- Powershell Remote Services Add TrustedHost
- Powershell Remove Windows Defender Directory
- PowerShell Script Block With URL Chain
- PowerShell Start or Stop Service
- Powershell Using memory As Backing Store
- PowerShell WebRequest Using Memory Stream
- Powershell Windows Defender Exclusion Commands
- Recon AVProduct Through Pwh or WMI
- Recon Using WMI Class
- Remote Process Instantiation via DCOM and PowerShell Script Block
- Remote Process Instantiation via WinRM and PowerShell Script Block
- Remote Process Instantiation via WMI and PowerShell Script Block
- Remote System Discovery with Adsisearcher
- ServicePrincipalNames Discovery with PowerShell
- Unloading AMSI via Reflection
- User Discovery With Env Vars PowerShell Script Block
- Windows Account Discovery for None Disable User Account
- Windows Account Discovery for Sam Account Name
- Windows Account Discovery With NetUser PreauthNotRequire
- Windows Archive Collected Data via Powershell
- Windows ClipBoard Data via Get-ClipBoard
- Windows Domain Account Discovery Via Get-NetComputer
- Windows Enable PowerShell Web Access
- Windows ESX Admins Group Creation via PowerShell
- Windows Exfiltration Over C2 Via Invoke RestMethod
- Windows Exfiltration Over C2 Via Powershell UploadString
- Windows File Share Discovery With Powerview
- Windows Find Domain Organizational Units with GetDomainOU
- Windows Find Interesting ACL with FindInterestingDomainAcl
- Windows Forest Discovery with GetForestDomain
- Windows Gather Victim Host Information Camera
- Windows Get Local Admin with FindLocalAdminAccess
- Windows Get-AdComputer Unconstrained Delegation Discovery
- Windows Linked Policies In ADSI Discovery
- Windows PowerShell Add Module to Global Assembly Cache
- Windows Powershell Cryptography Namespace
- Windows PowerShell Disable HTTP Logging
- Windows PowerShell Export Certificate
- Windows PowerShell Export PfxCertificate
- Windows PowerShell Get CIMInstance Remote Computer
- Windows Powershell History File Deletion
- Windows PowerShell IIS Components WebGlobalModule Usage
- Windows Powershell Import Applocker Policy
- Windows PowerShell Invoke-RestMethod IP Information Collection
- Windows PowerShell Invoke-Sqlcmd Execution
- Windows Powershell Logoff User via Quser
- Windows PowerShell MSIX Package Installation
- Windows PowerShell ScheduleTask
- Windows PowerShell Script Block With Malicious String
- Windows PowerShell WMI Win32 ScheduledJob
- Windows PowerSploit GPP Discovery
- Windows PowerView AD Access Control List Enumeration
- Windows PowerView Constrained Delegation Discovery
- Windows PowerView Kerberos Service Ticket Request
- Windows PowerView SPN Discovery
- Windows PowerView Unconstrained Delegation Discovery
- Windows Root Domain linked policies Discovery
- Windows Screen Capture Via Powershell
- WMI Recon Running Process Or Services
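Every rule in the three lists above matches on the ScriptBlockText field of a Microsoft-Windows-PowerShell 4104 record. One property of that event matters when porting the rules to a SIEM: PowerShell splits a long script block across several 4104 events that share one ScriptBlockId and carry MessageNumber/MessageTotal, so a rule evaluated per event can miss a pair of strings that lands in two different fragments. The Python below is an added example, not code from the rule index or from the Sigma, Elastic or Splunk projects: it parses constructed 4104 records in EVTX-XML form, reassembles fragments by ScriptBlockId, and runs three simplified rules (named after index entries, but not the projects' actual detection logic) once per event and once per reassembled block. The GUIDs, computer name and script text are all constructed test data.

```python
"""Match simplified 4104 rules against script blocks after reassembling fragments.

Added example, not code from the rule index on this page. The events are
constructed, and the three rules are simplified approximations named after rules
in the index; they are not the actual Sigma, Elastic or Splunk rule logic.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# EVTX-XML shape of a Microsoft-Windows-PowerShell 4104 record, reduced to the
# EventData fields the matcher needs.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-PowerShell"/><EventID>4104</EventID>
  <Computer>{computer}</Computer></System>
  <EventData>
    <Data Name="MessageNumber">{num}</Data>
    <Data Name="MessageTotal">{total}</Data>
    <Data Name="ScriptBlockText">{text}</Data>
    <Data Name="ScriptBlockId">{sbid}</Data>
    <Data Name="Path"></Data>
  </EventData>
</Event>"""


def make_event(sbid, num, total, text, computer="WS01"):
    """Build one constructed 4104 record (test data, not a captured log)."""
    return EVENT_XML.format(sbid=sbid, num=num, total=total,
                            text=escape(text), computer=computer)


# Constructed ScriptBlockId values (real ones are GUIDs assigned by PowerShell).
GZIP_ID = "3f2c0b1e-0000-4a2b-9c3d-000000000001"
MIMI_ID = "3f2c0b1e-0000-4a2b-9c3d-000000000002"
DEFENDER_ID = "3f2c0b1e-0000-4a2b-9c3d-000000000003"
BENIGN_ID = "3f2c0b1e-0000-4a2b-9c3d-000000000004"

# Constructed sample: the decode-and-decompress cradle is logged as two fragments
# of one script block (shared ScriptBlockId, MessageNumber 1/2 and 2/2) and the
# second fragment arrives first, as it can in a SIEM. FromBase64String sits in
# fragment 1 and GzipStream in fragment 2, so a per-event rule never sees both.
SAMPLE_EVENTS = [
    make_event(GZIP_ID, 2, 2,
               "$g=New-Object IO.Compression.GzipStream($m,"
               "[IO.Compression.CompressionMode]::Decompress);"
               "IEX (New-Object IO.StreamReader($g)).ReadToEnd()"),
    make_event(GZIP_ID, 1, 2,
               "$d=[Convert]::FromBase64String('H4sIAAAAAAAA');"
               "$m=New-Object IO.MemoryStream(,$d);"),
    make_event(MIMI_ID, 1, 1, "Invoke-Mimikatz -DumpCreds"),
    make_event(DEFENDER_ID, 1, 1, "Set-MpPreference -DisableRealtimeMonitoring $true"),
    make_event(BENIGN_ID, 1, 1,
               "Get-ChildItem -Path C:\\Windows\\Temp | Where-Object Length -gt 1MB"),
]

# Simplified rules: every needle must appear (case-insensitive) in the block text.
RULES = {
    "FromBase64String on gzip archive (simplified)": ["FromBase64String", "GzipStream"],
    "Invoke-Mimikatz script (simplified)": ["Invoke-Mimikatz"],
    "Defender real-time monitoring disabled (simplified)":
        ["Set-MpPreference", "-DisableRealtimeMonitoring"],
}


def parse_event(xml_text):
    """Pull the 4104 EventData fields out of one EVTX-XML record."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "")
            for d in root.find("e:EventData", NS).findall("e:Data", NS)}
    return {
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "id": data["ScriptBlockId"],
        "num": int(data["MessageNumber"]),
        "total": int(data["MessageTotal"]),
        "text": data["ScriptBlockText"],
    }


def reassemble(events):
    """Join fragments per ScriptBlockId in MessageNumber order. A block whose
    fragments have not all arrived is still returned, flagged complete=False, so
    a partially logged script is matched rather than dropped."""
    frags, meta = defaultdict(dict), {}
    for ev in events:
        frags[ev["id"]][ev["num"]] = ev["text"]
        meta[ev["id"]] = (ev["computer"], ev["total"])
    blocks = []
    for sbid, parts in frags.items():
        computer, total = meta[sbid]
        blocks.append({"id": sbid, "computer": computer,
                       "text": "".join(parts[n] for n in sorted(parts)),
                       "complete": len(parts) == total})
    return blocks


def match_rules(text):
    """Names of the simplified rules whose needles all occur in text."""
    low = text.lower()
    return [name for name, needles in RULES.items()
            if all(n.lower() in low for n in needles)]


def run(events_xml, reassemble_fragments=True):
    """Return {rule name: sorted ScriptBlockIds} over the records. With
    reassemble_fragments=False each event is matched on its own, which is what a
    rule evaluated per log line does."""
    events = [parse_event(x) for x in events_xml]
    blocks = reassemble(events) if reassemble_fragments else events
    hits = defaultdict(set)
    for b in blocks:
        for name in match_rules(b["text"]):
            hits[name].add(b["id"])
    return {name: sorted(ids) for name, ids in hits.items()}


if __name__ == "__main__":
    for mode in (True, False):
        print("reassembled" if mode else "per event", run(SAMPLE_EVENTS, mode))
```

Run per event, the gzip rule produces no hit because its two needles are in different fragments; run over reassembled blocks, all three constructed detections fire and the benign Get-ChildItem block stays quiet. In a real pipeline the join key should also include the host and, ideally, the process or runspace, since ScriptBlockId values from different machines are never expected to collide but the log source field is what guarantees it.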