Detection rules › By event

PowerShell event 400

9 detection rules reference this event. View event page.

Sigma (9)

Delete Volume Shadow Copies Via WMI With PowerShell severity high T1490
Netcat The Powershell Version severity medium T1095
Nslookup PowerShell Download Cradle severity medium T1059.001
PowerShell Called from an Executable Version Mismatch severity high T1059.001
PowerShell Downgrade Attack - PowerShell severity medium T1059.001
Remote PowerShell Session (PS Classic) severity low T1021.006, T1059.001
Renamed Powershell Under Powershell Channel severity low T1036.003, T1059.001
Suspicious PowerShell Download severity medium T1059.001
Use Get-NetTCPConnection severity low T1049