EXPLORE DETECTIONS
PowerShell as a Service in Registry
Detects PowerShell code written to the registry as a service.
PowerShell Base64 Encoded FromBase64String Cmdlet
Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line
PowerShell Base64 Encoded IEX Cmdlet
Detects usage of a base64 encoded "IEX" cmdlet in a process command line
PowerShell Base64 Encoded Invoke Keyword
Detects UTF-8 and UTF-16 Base64 encoded PowerShell 'Invoke-' calls
Powershell Base64 Encoded MpPreference Cmdlet
Detects base64 encoded "MpPreference" PowerShell cmdlet code that tries to modify or tamper with Windows Defender AV
PowerShell Base64 Encoded Reflective Assembly Load
Detects base64 encoded .NET reflective loading of an assembly
PowerShell Base64 Encoded WMI Classes
Detects calls to base64 encoded WMI classes such as "Win32_ShadowCopy", "Win32_ScheduledJob", etc.
PowerShell Called from an Executable Version Mismatch
Detects PowerShell called from an executable by the version mismatch method
PowerShell Console History Logs Deleted
Detects the deletion of the PowerShell console history logs, which may indicate an attempt to destroy forensic evidence
PowerShell Core DLL Loaded By Non PowerShell Process
Detects loading of essential DLLs used by PowerShell by a non-PowerShell process. Detects behavior similar to meterpreter's "load powershell" extension.
PowerShell Core DLL Loaded Via Office Application
Detects PowerShell core DLL being loaded by an Office Product
PowerShell Create Local User
Detects creation of a local user via PowerShell
Powershell Create Scheduled Task
Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code
PowerShell Credential Prompt
Detects PowerShell calling a credential prompt
PowerShell Decompress Commands
A general detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
Powershell Defender Disable Scan Feature
Detects requests to disable Microsoft Defender features using PowerShell commands
Powershell Defender Exclusion
Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
PowerShell Defender Threat Severity Default Action Set to 'Allow' or 'NoAction'
Detects the use of PowerShell to execute the 'Set-MpPreference' cmdlet to configure Windows Defender's threat severity default action to 'Allow' (value '6') or 'NoAction' (value '9'). This is a highly suspicious configuration change that effectively disables Defender's ability to automatically mitigate threats of a certain severity level. An attacker might use this technique via the command line to bypass defenses before executing payloads.
PowerShell Deleted Mounted Share
Detects when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
Powershell Detect Virtualization Environment
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
Powershell Directory Enumeration
Detects a technique used by MAZE ransomware to enumerate directories using PowerShell
Powershell DNSExfiltration
DNSExfiltrator allows for transferring (exfiltrating) a file over a DNS request covert channel
PowerShell Downgrade Attack - PowerShell
Detects a PowerShell downgrade attack by comparing the host version with the engine version actually used (2.0)
PowerShell Download and Execution Cradles
Detects PowerShell download and execution cradles.