Techniques
Sample rules
New BITS Job Created Via PowerShell
- source: sigma
- techniques:
  - t1197
Description
Detects the creation of a new BITS job by PowerShell
Detection logic
condition: selection
selection:
  EventID: 3
  processPath|endswith:
    - \powershell.exe
    - \pwsh.exe
Suspicious Computer Machine Password by PowerShell
- source: sigma
- techniques:
  - t1078
Description
The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.
Detection logic
condition: selection
selection:
  ContextInfo|contains: Reset-ComputerMachinePassword
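Both selections above use the same Sigma semantics: every key in a selection must match (AND), a list of values under one key matches if any value matches (OR), string comparison is case-insensitive, and `|endswith` / `|contains` are modifiers on the field name. The following is an added example, not code from this page or from the Sigma project: a minimal re-implementation of those semantics, run over constructed sample events shaped like parsed Windows event log records. The BITS events assume the `Microsoft-Windows-Bits-Client/Operational` channel with event ID 3; the `ContextInfo` field is assumed to come from a PowerShell Module Logging record (event 4103). A real deployment would convert the rules with a Sigma backend for the SIEM in use instead.

```python
# Added example (not from the page or from the Sigma project): a minimal
# evaluator for the two selections above, run over constructed sample events.

RULES = {
    "New BITS Job Created Via PowerShell": {
        "EventID": 3,
        "processPath|endswith": ["\\powershell.exe", "\\pwsh.exe"],
    },
    "Suspicious Computer Machine Password by PowerShell": {
        "ContextInfo|contains": "Reset-ComputerMachinePassword",
    },
}


def _match_value(event_value, modifier, pattern):
    """Compare one event field value against one pattern.

    Sigma string matching is case-insensitive, so both sides are lowered.
    Only the modifiers used on this page (plus startswith) are supported.
    """
    ev = str(event_value).lower()
    pat = str(pattern).lower()
    if modifier is None:
        return ev == pat
    if modifier == "endswith":
        return ev.endswith(pat)
    if modifier == "contains":
        return pat in ev
    if modifier == "startswith":
        return ev.startswith(pat)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection, event):
    """Sigma selection semantics: every key must match (AND);
    a list of values under one key matches if any value matches (OR)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event[field], modifier or None, p) for p in values):
            return False
    return True


def evaluate(events, rules=RULES):
    """Return {rule title: [indexes of matching events]}."""
    hits = {title: [] for title in rules}
    for idx, event in enumerate(events):
        for title, selection in rules.items():
            if selection_matches(selection, event):
                hits[title].append(idx)
    return hits


# Constructed sample events (shaped like parsed Windows event log records).
SAMPLE_EVENTS = [
    # 0: BITS-Client event 3 raised by pwsh.exe -> should hit the BITS rule
    {"Channel": "Microsoft-Windows-Bits-Client/Operational", "EventID": 3,
     "processPath": "C:\\Program Files\\PowerShell\\7\\pwsh.exe"},
    # 1: BITS job created by a service host -> benign, no hit
    {"Channel": "Microsoft-Windows-Bits-Client/Operational", "EventID": 3,
     "processPath": "C:\\Windows\\System32\\svchost.exe"},
    # 2: contains 'powershell.exe' but does not END with it -> no hit
    {"Channel": "Microsoft-Windows-Bits-Client/Operational", "EventID": 3,
     "processPath": "C:\\Tools\\powershell.exe.bak"},
    # 3: PowerShell module-logging record (assumed event 4103) naming the cmdlet
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4103,
     "ContextInfo": "Severity = Informational\r\n Host Name = ConsoleHost\r\n"
                    " Command Name = Reset-ComputerMachinePassword\r\n"},
    # 4: same record type, harmless cmdlet -> no hit
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4103,
     "ContextInfo": "Severity = Informational\r\n Command Name = Get-Process\r\n"},
    # 5: upper-cased path; Sigma matching is case-insensitive -> hit
    {"Channel": "Microsoft-Windows-Bits-Client/Operational", "EventID": 3,
     "processPath": "C:\\WINDOWS\\SYSTEM32\\WINDOWSPOWERSHELL\\V1.0\\POWERSHELL.EXE"},
]


if __name__ == "__main__":
    for title, idxs in evaluate(SAMPLE_EVENTS).items():
        print(f"{title}: events {idxs}")
```

Event 2 is the case worth noticing: `|contains` would have matched it, `|endswith` does not, which is why the BITS rule anchors on the end of the image path. Event 5 shows why the matcher lowers both sides: the same binary can be logged with whatever casing the process was launched with.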