This section displays SIGMA rules belonging to category Powershell. It updates itself automatically when new commits are available in quasarops.
| Title | Data Compressed - Powershell |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_data_compressed.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network |
| tags | attack.exfiltration attack.t1002 |
| Title | PowerShell Downgrade Attack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_downgrade_attack.yml |
| author | Florian Roth (rule), Lee Holmes (idea) |
| status | experimental |
| date | 2017/03/22 |
| description | Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | PowerShell Called from an Executable Version Mismatch |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_exe_calling_ps.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects PowerShell called from an executable by the version mismatch method |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | Malicious PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_commandlets.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects Commandlet names from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_keywords.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects keywords from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious Nishang PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml |
| author | Alec Costello |
| status | experimental |
| date | 2019/05/16 |
| description | Detects Commandlet names and arguments from the Nishang exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | NTFS Alternate Data Stream |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_ntfs_ads_access.yml |
| author | Sami Ruohonen |
| status | experimental |
| date | 2018/07/24 |
| description | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
| tags | attack.defense_evasion attack.t1096 |
| Title | PowerShell Credential Prompt |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_prompt_credentials.yml |
| author | John Lambert (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/04/09 |
| description | Detects PowerShell calling a credential prompt |
| tags | attack.execution attack.credential_access attack.t1086 |
| Title | PowerShell PSAttack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_psattack.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects the use of PSAttack PowerShell hack tool |
| tags | attack.execution attack.t1086 |
| Title | PowerShell ShellCode |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_shellcode_b64.yml |
| author | David Ledbetter (shellcode), Florian Roth (rule) |
| status | experimental |
| date | 2018/11/17 |
| description | Detects Base64 encoded Shellcode |
| tags | attack.privilege_escalation attack.execution attack.t1055 attack.t1086 |
| Title | Suspicious PowerShell Download |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_download.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell download command |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Generic |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_generic.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/12 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Specific |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_specific.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_keywords.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/02/11 |
| description | Detects keywords that could indicate the use of some PowerShell exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | Winlogon Helper DLL |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_winlogon_helper_dll.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. |
| tags | attack.persistence attack.t1004 |
| Title | Data Compressed - Powershell |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_data_compressed.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network |
| tags | attack.exfiltration attack.t1002 |
| Title | PowerShell Downgrade Attack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_downgrade_attack.yml |
| author | Florian Roth (rule), Lee Holmes (idea) |
| status | experimental |
| date | 2017/03/22 |
| description | Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | PowerShell Called from an Executable Version Mismatch |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_exe_calling_ps.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects PowerShell called from an executable by the version mismatch method |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | Malicious PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_commandlets.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects Commandlet names from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_keywords.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects keywords from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious Nishang PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml |
| author | Alec Costello |
| status | experimental |
| date | 2019/05/16 |
| description | Detects Commandlet names and arguments from the Nishang exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | NTFS Alternate Data Stream |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_ntfs_ads_access.yml |
| author | Sami Ruohonen |
| status | experimental |
| date | 2018/07/24 |
| description | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
| tags | attack.defense_evasion attack.t1096 |
| Title | PowerShell Credential Prompt |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_prompt_credentials.yml |
| author | John Lambert (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/04/09 |
| description | Detects PowerShell calling a credential prompt |
| tags | attack.execution attack.credential_access attack.t1086 |
| Title | PowerShell PSAttack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_psattack.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects the use of PSAttack PowerShell hack tool |
| tags | attack.execution attack.t1086 |
| Title | PowerShell ShellCode |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_shellcode_b64.yml |
| author | David Ledbetter (shellcode), Florian Roth (rule) |
| status | experimental |
| date | 2018/11/17 |
| description | Detects Base64 encoded Shellcode |
| tags | attack.privilege_escalation attack.execution attack.t1055 attack.t1086 |
| Title | Suspicious PowerShell Download |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_download.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell download command |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Generic |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_generic.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/12 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Specific |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_specific.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_keywords.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/02/11 |
| description | Detects keywords that could indicate the use of some PowerShell exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | Winlogon Helper DLL |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_winlogon_helper_dll.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. |
| tags | attack.persistence attack.t1004 |
| Title | Data Compressed - Powershell |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_data_compressed.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network |
| tags | attack.exfiltration attack.t1002 |
| Title | PowerShell Downgrade Attack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_downgrade_attack.yml |
| author | Florian Roth (rule), Lee Holmes (idea) |
| status | experimental |
| date | 2017/03/22 |
| description | Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | PowerShell Called from an Executable Version Mismatch |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_exe_calling_ps.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects PowerShell called from an executable by the version mismatch method |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | Malicious PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_commandlets.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects Commandlet names from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_keywords.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects keywords from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious Nishang PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml |
| author | Alec Costello |
| status | experimental |
| date | 2019/05/16 |
| description | Detects Commandlet names and arguments from the Nishang exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | NTFS Alternate Data Stream |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_ntfs_ads_access.yml |
| author | Sami Ruohonen |
| status | experimental |
| date | 2018/07/24 |
| description | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
| tags | attack.defense_evasion attack.t1096 |
| Title | PowerShell Credential Prompt |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_prompt_credentials.yml |
| author | John Lambert (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/04/09 |
| description | Detects PowerShell calling a credential prompt |
| tags | attack.execution attack.credential_access attack.t1086 |
| Title | PowerShell PSAttack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_psattack.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects the use of PSAttack PowerShell hack tool |
| tags | attack.execution attack.t1086 |
| Title | PowerShell ShellCode |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_shellcode_b64.yml |
| author | David Ledbetter (shellcode), Florian Roth (rule) |
| status | experimental |
| date | 2018/11/17 |
| description | Detects Base64 encoded Shellcode |
| tags | attack.privilege_escalation attack.execution attack.t1055 attack.t1086 |
| Title | Suspicious PowerShell Download |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_download.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell download command |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Generic |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_generic.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/12 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Specific |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_specific.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_keywords.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/02/11 |
| description | Detects keywords that could indicate the use of some PowerShell exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | Winlogon Helper DLL |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_winlogon_helper_dll.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. |
| tags | attack.persistence attack.t1004 |
| Title | Data Compressed - Powershell |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_data_compressed.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network |
| tags | attack.exfiltration attack.t1002 |
| Title | PowerShell Downgrade Attack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_downgrade_attack.yml |
| author | Florian Roth (rule), Lee Holmes (idea) |
| status | experimental |
| date | 2017/03/22 |
| description | Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | PowerShell Called from an Executable Version Mismatch |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_exe_calling_ps.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects PowerShell called from an executable by the version mismatch method |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | Malicious PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_commandlets.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects Commandlet names from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_keywords.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects keywords from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious Nishang PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml |
| author | Alec Costello |
| status | experimental |
| date | 2019/05/16 |
| description | Detects Commandlet names and arguments from the Nishang exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | NTFS Alternate Data Stream |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_ntfs_ads_access.yml |
| author | Sami Ruohonen |
| status | experimental |
| date | 2018/07/24 |
| description | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
| tags | attack.defense_evasion attack.t1096 |
| Title | PowerShell Credential Prompt |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_prompt_credentials.yml |
| author | John Lambert (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/04/09 |
| description | Detects PowerShell calling a credential prompt |
| tags | attack.execution attack.credential_access attack.t1086 |
| Title | PowerShell PSAttack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_psattack.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects the use of PSAttack PowerShell hack tool |
| tags | attack.execution attack.t1086 |
| Title | PowerShell ShellCode |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_shellcode_b64.yml |
| author | David Ledbetter (shellcode), Florian Roth (rule) |
| status | experimental |
| date | 2018/11/17 |
| description | Detects Base64 encoded Shellcode |
| tags | attack.privilege_escalation attack.execution attack.t1055 attack.t1086 |
| Title | Suspicious PowerShell Download |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_download.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell download command |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Generic |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_generic.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/12 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Specific |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_specific.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_keywords.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/02/11 |
| description | Detects keywords that could indicate the use of some PowerShell exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | Winlogon Helper DLL |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_winlogon_helper_dll.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. |
| tags | attack.persistence attack.t1004 |
| Title | Data Compressed - Powershell |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_data_compressed.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network |
| tags | attack.exfiltration attack.t1002 |
| Title | PowerShell Downgrade Attack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_downgrade_attack.yml |
| author | Florian Roth (rule), Lee Holmes (idea) |
| status | experimental |
| date | 2017/03/22 |
| description | Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | PowerShell Called from an Executable Version Mismatch |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_exe_calling_ps.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects PowerShell called from an executable by the version mismatch method |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | Malicious PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_commandlets.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects Commandlet names from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_keywords.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects keywords from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious Nishang PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml |
| author | Alec Costello |
| status | experimental |
| date | 2019/05/16 |
| description | Detects Commandlet names and arguments from the Nishang exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | NTFS Alternate Data Stream |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_ntfs_ads_access.yml |
| author | Sami Ruohonen |
| status | experimental |
| date | 2018/07/24 |
| description | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
| tags | attack.defense_evasion attack.t1096 |
| Title | PowerShell Credential Prompt |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_prompt_credentials.yml |
| author | John Lambert (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/04/09 |
| description | Detects PowerShell calling a credential prompt |
| tags | attack.execution attack.credential_access attack.t1086 |
| Title | PowerShell PSAttack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_psattack.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects the use of PSAttack PowerShell hack tool |
| tags | attack.execution attack.t1086 |
| Title | PowerShell ShellCode |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_shellcode_b64.yml |
| author | David Ledbetter (shellcode), Florian Roth (rule) |
| status | experimental |
| date | 2018/11/17 |
| description | Detects Base64 encoded Shellcode |
| tags | attack.privilege_escalation attack.execution attack.t1055 attack.t1086 |
| Title | Suspicious PowerShell Download |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_download.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell download command |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Generic |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_generic.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/12 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Specific |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_specific.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_keywords.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/02/11 |
| description | Detects keywords that could indicate the use of some PowerShell exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | Winlogon Helper DLL |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_winlogon_helper_dll.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. |
| tags | attack.persistence attack.t1004 |
| Title | Data Compressed - Powershell |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_data_compressed.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network |
| tags | attack.exfiltration attack.t1002 |
| Title | PowerShell Downgrade Attack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_downgrade_attack.yml |
| author | Florian Roth (rule), Lee Holmes (idea) |
| status | experimental |
| date | 2017/03/22 |
| description | Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | PowerShell Called from an Executable Version Mismatch |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_exe_calling_ps.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects PowerShell called from an executable by the version mismatch method |
| tags | attack.defense_evasion attack.execution attack.t1086 |
| Title | Malicious PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_commandlets.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects Commandlet names from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_malicious_keywords.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects keywords from well-known PowerShell exploitation frameworks |
| tags | attack.execution attack.t1086 |
| Title | Malicious Nishang PowerShell Commandlets |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml |
| author | Alec Costello |
| status | experimental |
| date | 2019/05/16 |
| description | Detects Commandlet names and arguments from the Nishang exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | NTFS Alternate Data Stream |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_ntfs_ads_access.yml |
| author | Sami Ruohonen |
| status | experimental |
| date | 2018/07/24 |
| description | Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. |
| tags | attack.defense_evasion attack.t1096 |
| Title | PowerShell Credential Prompt |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_prompt_credentials.yml |
| author | John Lambert (idea), Florian Roth (rule) |
| status | experimental |
| date | 2017/04/09 |
| description | Detects PowerShell calling a credential prompt |
| tags | attack.execution attack.credential_access attack.t1086 |
| Title | PowerShell PSAttack |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_psattack.yml |
| author | Sean Metcalf (source), Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects the use of PSAttack PowerShell hack tool |
| tags | attack.execution attack.t1086 |
| Title | PowerShell ShellCode |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_shellcode_b64.yml |
| author | David Ledbetter (shellcode), Florian Roth (rule) |
| status | experimental |
| date | 2018/11/17 |
| description | Detects Base64 encoded Shellcode |
| tags | attack.privilege_escalation attack.execution attack.t1055 attack.t1086 |
| Title | Suspicious PowerShell Download |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_download.yml |
| author | Florian Roth |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell download command |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Generic |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_generic.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/12 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Invocations - Specific |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_invocation_specific.yml |
| author | Florian Roth (rule) |
| status | experimental |
| date | 2017/03/05 |
| description | Detects suspicious PowerShell invocation command parameters |
| tags | attack.execution attack.t1086 |
| Title | Suspicious PowerShell Keywords |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_keywords.yml |
| author | Florian Roth |
| status | experimental |
| date | 2019/02/11 |
| description | Detects keywords that could indicate the use of some PowerShell exploitation framework |
| tags | attack.execution attack.t1086 |
| Title | Winlogon Helper DLL |
|---|---|
| rule_category | powershell |
| rule_url | https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_winlogon_helper_dll.yml |
| author | Timur Zinniatullin, oscd.community |
| status | experimental |
| date | 2019/10/21 |
| description | Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. |
| tags | attack.persistence attack.t1004 |