EXPLORE DETECTIONS
PowerShell Download Pattern
Detects a Powershell process that contains download commands in its command line string
Powershell Execute Batch Script
Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
Powershell Executed From Headless ConHost Process
Detects the use of powershell commands from headless ConHost window. The "--headless" flag hides the windows from the user upon execution.
PowerShell Execution With Potential Decryption Capabilities
Detects PowerShell commands that decrypt an ".LNK" "file to drop the next stage of the malware.
PowerShell Get Clipboard
A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
PowerShell Get-Clipboard Cmdlet Via CLI
Detects usage of the 'Get-Clipboard' cmdlet via CLI
PowerShell Get-Process LSASS
Detects a "Get-Process" cmdlet and it's aliases on lsass process, which is in almost all cases a sign of malicious activity
PowerShell Get-Process LSASS in ScriptBlock
Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
PowerShell Hotfix Enumeration
Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers
PowerShell ICMP Exfiltration
Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
Powershell Inline Execution From A File
Detects inline execution of PowerShell code from a file
Powershell Install a DLL in System Directory
Uses PowerShell to install/copy a file into a system directory such as "System32" or "SysWOW64"
Powershell Keylogging
Adversaries may log user keystrokes to intercept credentials as the user types them.
Powershell Local Email Collection
Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
Powershell LocalAccount Manipulation
Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups
PowerShell Logging Disabled Via Registry Key Tampering
Detects changes to the registry for the currently logged-in user. In order to disable PowerShell module logging, script block logging or transcription and script execution logging
PowerShell Module File Created
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc.
PowerShell Module File Created By Non-PowerShell Process
Detects the creation of a new PowerShell module ".psm1", ".psd1", ".dll", ".ps1", etc. by a non-PowerShell process
PowerShell MSI Install via WindowsInstaller COM From Remote Location
Detects the execution of PowerShell commands that attempt to install MSI packages via the Windows Installer COM object (`WindowsInstaller.Installer`) hosted remotely. This could be indication of malicious software deployment or lateral movement attempts using Windows Installer functionality. And the usage of WindowsInstaller COM object rather than msiexec could be an attempt to bypass the detection.
Powershell MsXml COM Object
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code
PowerShell Profile Modification
Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
PowerShell PSAttack
Detects the use of PSAttack PowerShell hack tool
PowerShell Remote Session Creation
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
PowerShell SAM Copy
Detects suspicious PowerShell scripts accessing SAM hives