https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer/
Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell | Detection.FYI
Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32/
Invoke-Obfuscation Via Use Rundll32 - PowerShell | Detection.FYI
Detects obfuscated PowerShell via use of Rundll32 in scripts
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_susp_local_group_reco/
Suspicious Get Local Groups Information - PowerShell | Detection.FYI
Detects the use of PowerShell modules and cmdlets to gather local group information. Adversaries may use local system permission groups to determine which …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse/
AgentExecutor PowerShell Execution | Detection.FYI
Detects execution of the AgentExecutor.exe binary, which can be abused as a LOLBIN to execute PowerShell scripts with the ExecutionPolicy
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex/
Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module | Detection.FYI
Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference...
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_susp_vscode_powershell_profile/
VsCode Powershell Profile Modification | Detection.FYI
Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of …
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe/
SyncAppvPublishingServer Bypass Powershell Restriction - PS Module | Detection.FYI
Detects SyncAppvPublishingServer process execution, which is usually utilized by adversaries to bypass PowerShell execution restrictions.
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_invocation_specific/
Suspicious PowerShell Invocations - Specific - ProcessCreation | Detection.FYI
Detects suspicious PowerShell invocation command parameters
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution/
SQL Client Tools PowerShell Session Detection | Detection.FYI
This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the …
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_potential_invoke_mimikatz/
Potential Invoke-Mimikatz PowerShell Script | Detection.FYI
Detects Invoke-Mimikatz PowerShell script and alike. Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords.
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32/
Invoke-Obfuscation Via Use Rundll32 - PowerShell Module | Detection.FYI
Detects obfuscated PowerShell via use of Rundll32 in scripts
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_schtasks_curl_and_powershell_combo/
Scheduled Task Creation with Curl and PowerShell Execution Combo | Detection.FYI
Detects the creation of a scheduled task using schtasks.exe, potentially in combination with curl for downloading payloads and PowerShell for executing them. …
https://detection.fyi/sigmahq/sigma/web/proxy_generic/proxy_ua_powershell/
Windows PowerShell User Agent | Detection.FYI
Detects Windows PowerShell Web Access
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_classic/posh_pc_remote_powershell_session/
Remote PowerShell Session (PS Classic) | Detection.FYI
Detects remote PowerShell sessions
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_classic/posh_pc_susp_zip_compress/
Zip A Folder With PowerShell For Staging In Temp - PowerShell | Detection.FYI
Detects PowerShell scripts that make use of the
https://detection.fyi/joesecurity/sigma-rules/powershelldownloadpayloadfromhardcodedc2list/
Powershell download payload from hardcoded c2 list | Detection.FYI
Powershell download payload from hardcoded c2 list
https://detection.fyi/joesecurity/sigma-rules/powershellcreatelnkinstartup/
Powershell create lnk in startup | Detection.FYI
Powershell create lnk in startup
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_module/posh_pm_susp_download/
Suspicious PowerShell Download - PoshModule | Detection.FYI
Detects suspicious PowerShell download command
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse/
Potential RemoteFXvGPUDisablement.EXE Abuse - PowerShell Module | Detection.FYI
Detects PowerShell module creation where the module Contents are set to
https://detection.fyi/mbabinski/sigma-rules/2024_cicada3301_ransomware/proc_creation_win_hyperv_stopvm/
Hyper-V Virtual Machine Discovery Shutdown via Powershell Cmdlets | Detection.FYI
Detects powershell process used to find and shut down local Hyper-V VMs using the Stop-VM cmdlet, as documented in the 2024 Morphisec report on Cicada3301 …
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_base64_frombase64string/
PowerShell Base64 Encoded FromBase64String Cmdlet | Detection.FYI
Detects usage of a base64 encoded
https://detection.fyi/sigmahq/sigma/windows/file/file_event/file_event_win_powershell_module_creation/
PowerShell Module File Created | Detection.FYI
Detects the creation of a new PowerShell module
https://detection.fyi/sigmahq/sigma/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets/
PowerView PowerShell Cmdlets - ScriptBlock | Detection.FYI
Detects Cmdlet names from PowerView of the PowerSploit exploitation framework.
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch/
HackTool - Empire PowerShell Launch Parameters | Detection.FYI
Detects suspicious powershell command line parameters used in Empire
https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes/
PowerShell Base64 Encoded WMI Classes | Detection.FYI
Detects calls to base64 encoded WMI class such as