Product
PowerShell Kerberos Ticket Dumping via LSA Authentication Package Access
2 rules 1 TTPDetection of PowerShell scripts attempting to dump Kerberos tickets from memory by accessing LSA authentication packages, potentially leading to credential access and lateral movement.
PowerShell Share Enumeration via ShareFinder or Native APIs
2 rules 1 TTPDetection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.
Incoming Execution via PowerShell Remoting
2 rules 2 TTPsThis rule identifies remote execution via Windows PowerShell remoting, which allows a user to run any Windows PowerShell command on one or more remote computers, potentially indicating lateral movement.
PowerShell P/Invoke Process Injection API Chain Detection
2 rules 8 TTPsThis analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.
Remote File Download via PowerShell
2 rules 2 TTPsDetects PowerShell being used to download executable files from untrusted remote destinations, a common technique for attackers to introduce tooling or malware into a compromised environment.
PowerShell P/Invoke API Chain for Process Injection
3 rules 7 TTPsThis brief details detection of PowerShell scripts leveraging P/Invoke API calls to perform process injection, covering techniques like self-injection, remote thread injection, APC injection, thread-context hijacking, process hollowing, section-map injection, reflective DLL loading, and DLL injection.
PowerShell Obfuscation via String Concatenation
2 rules 1 TTPThis rule detects PowerShell scripts employing string concatenation to evade static analysis and AMSI by fragmenting keywords or URLs at runtime.
PowerShell MiniDump Script Detection
2 rules 1 TTPThis brief detects PowerShell scripts that reference MiniDumpWriteDump or full-memory minidump types, potentially used to capture process memory from credential-bearing processes like LSASS.
PowerShell Loading .NET Assemblies via Reflection
2 rules 1 TTPThis analytic detects PowerShell scripts leveraging .NET reflection to load assemblies into memory, a technique commonly used by threat actors to bypass defenses and execute malicious code.
PowerShell Obfuscation via Backtick-Escaped Variable Expansion
2 rules 1 TTPPowerShell scripts use backtick-escaped characters inside `${}` variable expansion to reconstruct strings at runtime, enabling attackers to split keywords, hide commands, and evade static analysis and AMSI.