Powershell

This detection identifies potentially obfuscated PowerShell scripts based on high entropy and non-uniform character distributions, often used by attackers to evade signature-based detections and hinder analysis.

This rule identifies the execution of PowerShell with suspicious argument values, often observed during malware installation, by detecting unusual PowerShell arguments indicative of abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques.

An improper input validation vulnerability (CVE-2026-26143) in Microsoft PowerShell allows an unauthorized local attacker to bypass security features.

Adversaries may leverage Powercat, a PowerShell implementation of Netcat, to establish command and control channels or perform lateral movement within a compromised network.

This rule detects PowerShell scripts associated with NTLM relay or pass-the-hash tooling and SMB/NTLM negotiation artifacts, indicating potential credential access and lateral movement attempts by attackers.

Detects potential credential decryption operations by PowerShell or unsigned processes using the Veeam.Backup.Common.dll library, indicating potential credential access attempts to target backups as part of destructive operations.

Adversaries may clear the command history of a compromised account to conceal the actions undertaken during an intrusion on a Windows system.

Detection of PowerShell scripts attempting to dump Kerberos tickets from memory by accessing LSA authentication packages, potentially leading to credential access and lateral movement.

This detection identifies PowerShell scripts leveraging Win32 APIs for memory allocation, process access, and thread creation, indicative of potential process injection or in-memory payload execution on Windows systems.

This rule detects PowerShell scripts that attempt to bypass the Antimalware Scan Interface (AMSI) in order to disable scanning and execute malicious PowerShell code undetected.

Detection of PowerShell scripts employing ShareFinder functions or Windows share enumeration APIs to discover accessible network shares for reconnaissance, lateral movement, or ransomware deployment.

The Invoke-NinjaCopy PowerShell script is used by attackers to directly access volume files, such as NTDS.dit or registry hives, for credential dumping.

Attackers may disable PowerShell Script Block Logging by modifying the registry to conceal their activities on the host and evade detection by setting the `EnableScriptBlockLogging` registry value to 0, impacting security monitoring and incident response capabilities.

Attackers use PowerShell commands, including base64-encoded variants, to disable or weaken Windows Defender settings, impairing defenses on compromised systems.

This rule identifies remote execution via Windows PowerShell remoting, which allows a user to run any Windows PowerShell command on one or more remote computers, potentially indicating lateral movement.

This analytic detects PowerShell code that uses P/Invoke to call Windows API functions associated with process injection, such as VirtualAlloc, WriteProcessMemory, and CreateRemoteThread, indicating potential malicious activity.

The analytic detects suspicious PowerShell script execution involving the cryptography namespace (excluding SHA and MD5) via EventCode 4104, often associated with malware that decrypts or decodes additional malicious payloads leading to further code execution, privilege escalation, or persistence.

Detects PowerShell scripts employing Base64 decoding combined with .NET decompression (Deflate/GZip) to deobfuscate and reconstruct malicious payloads in memory, evading traditional defenses.

This brief outlines detection strategies for adversaries leveraging Invoke-Obfuscation techniques within PowerShell scripts executed via standard input, a method commonly used to evade traditional detection mechanisms.

Detects PowerShell being used to download executable files from untrusted remote destinations, a common technique for attackers to introduce tooling or malware into a compromised environment.

This rule detects PowerShell scripts that build commands from concatenated string literals within dynamic invocation constructs, a technique used by attackers to obscure execution intent, bypass keyword-based detections, and evade AMSI.

Detection of PowerShell processes launched by cscript.exe or wscript.exe, indicative of potential malicious initial access or execution attempts.

This rule identifies instances where the PowerShell engine is loaded by processes other than powershell.exe, potentially indicating attackers attempting to use PowerShell functionality stealthily by using the underlying System.Management.Automation namespace and bypassing PowerShell security features.

Attackers may disable the Windows firewall or its rules using the `Set-NetFirewallProfile` PowerShell cmdlet to enable lateral movement and command and control activity.

Adversaries may attempt to bypass Windows Defender's capabilities by using PowerShell to add exclusions for folders or processes, and this activity can be detected by monitoring PowerShell command lines that use `Add-MpPreference` or `Set-MpPreference` with exclusion parameters.

Adversaries employ token obfuscation techniques within PowerShell commands to evade detection by security tools, leveraging methods such as character insertion, string concatenation, and environment variable manipulation to mask their malicious intent.

PowerShell scripts employing .NET cryptography APIs are used to encrypt data for impact or decrypt payloads for defense evasion.

This brief details detection of PowerShell scripts leveraging P/Invoke API calls to perform process injection, covering techniques like self-injection, remote thread injection, APC injection, thread-context hijacking, process hollowing, section-map injection, reflective DLL loading, and DLL injection.

This rule detects PowerShell scripts employing string concatenation to evade static analysis and AMSI by fragmenting keywords or URLs at runtime.

Detects PowerShell scripts using character array reconstruction to hide commands, URLs, or payloads, evading static analysis and AMSI.

This brief detects PowerShell scripts that reference MiniDumpWriteDump or full-memory minidump types, potentially used to capture process memory from credential-bearing processes like LSASS.

This rule detects PowerShell scripts heavily obfuscated with whitespace and special characters, often used to evade static analysis and AMSI, by identifying scripts with low symbol diversity and a high proportion of whitespace and special characters.

The rule detects the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device, potentially allowing attackers to gain persistent access to sensitive email data by adding unauthorized devices.

Attackers use Invoke-Obfuscation, a PowerShell obfuscation framework, to generate obfuscated IEX (Invoke-Expression) commands, evading detection and executing malicious code.

Adversaries may use the New-MailboxExportRequest PowerShell cmdlet to export mailboxes in Exchange, potentially leading to sensitive information theft.

This analytic detects PowerShell scripts leveraging .NET reflection to load assemblies into memory, a technique commonly used by threat actors to bypass defenses and execute malicious code.

Adversaries use PowerShell to execute malicious code stored in environment variables, leveraging Invoke-Expression or its aliases to bypass static analysis and execute payloads dynamically, as seen in malware loaders and stagers like the VIP Keylogger.

Attackers can modify PowerShell profiles to inject malicious code that executes each time PowerShell starts, establishing persistence on a Windows system.

Detection of suspicious PowerShell activity using Windows Management Instrumentation (WMI) to gather system information, indicative of reconnaissance efforts by adversaries potentially leading to further exploitation or lateral movement.

This rule detects the use of Invoke-Mimikatz or Mimikatz commands within PowerShell scripts to dump credentials, extract password stores, export certificates, or use alternate authentication material, indicating potential in-memory credential access.

Attackers use PowerShell commands like Set-MpPreference or Add-MpPreference, often with base64 encoding, to disable or weaken Windows Defender security settings in order to evade detection and execute malicious payloads.

PowerShell scripts use backtick-escaped characters inside `${}` variable expansion to reconstruct strings at runtime, enabling attackers to split keywords, hide commands, and evade static analysis and AMSI.