As the "selection_cmdlet" strings are common in scripts, the matching engine might slow down the search. Change them into a regex or a more accurate string to avoid heavy resource consumption if this is experienced.

Techniques

Sample rules

Security Software Discovery Via Powershell Script

Description

Detects calls to "get-process" (or its alias "gps") where the output is piped to a "where-object" filter (or its "?" alias) that searches process names, paths, descriptions, company or product strings for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus.

Detection logic

selection_cmdlet:
  ScriptBlockText|contains:
    - 'get-process | \?'    # \? is a Sigma escape: match a literal "?" (the Where-Object alias), not any single character
    - 'get-process | where'
    - 'gps | \?'
    - 'gps | where'
selection_field:
  ScriptBlockText|contains:
    - 'Company -like'
    - 'Description -like'
    - 'Name -like'
    - 'Path -like'
    - 'Product -like'
selection_keywords:
  ScriptBlockText|contains:
    - '\*avira\*'           # \* is a Sigma escape: the literal asterisks of a -like "*avira*" pattern
    - '\*carbonblack\*'
    - '\*cylance\*'
    - '\*defender\*'
    - '\*kaspersky\*'
    - '\*malware\*'
    - '\*sentinel\*'
    - '\*symantec\*'
    - '\*virus\*'
condition: all of selection_*   # a script block must hit all three selections
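To show how the three selections combine, and why the false-positive note above suggests tightening "selection_cmdlet" into a regex, the following is an added example that is not part of the rule or the LoFP page. It transcribes the rule's detection logic into Python, assuming the Sigma backend performs case-insensitive substring matching for "contains" (as most backends do), evaluates it over a few constructed PowerShell ScriptBlockText samples, and then applies an illustrative tighter regex of my own (TIGHT_RE, an assumption, not part of the rule) that requires the field filter and keyword to sit inside the same pipeline stage as the Get-Process call.

```python
import re

# Rule values copied from the detection logic above. '\*' and '\?' are Sigma
# escapes for the literal characters '*' and '?'.
SELECTION_CMDLET = [r"get-process | \?", "get-process | where", r"gps | \?", "gps | where"]
SELECTION_FIELD = ["Company -like", "Description -like", "Name -like", "Path -like", "Product -like"]
SELECTION_KEYWORDS = [r"\*avira\*", r"\*carbonblack\*", r"\*cylance\*", r"\*defender\*",
                      r"\*kaspersky\*", r"\*malware\*", r"\*sentinel\*", r"\*symantec\*", r"\*virus\*"]


def unescape_sigma(value):
    """Turn a Sigma 'contains' value into the literal text it must match."""
    return value.replace(r"\*", "*").replace(r"\?", "?")


def any_contains(text, values):
    """Sigma 'contains' list semantics: OR over values, case-insensitive (assumed backend behaviour)."""
    lowered = text.lower()
    return any(unescape_sigma(v).lower() in lowered for v in values)


def matches_rule(script_block_text):
    """condition: all of selection_* -- every selection must hit somewhere in the script block."""
    return (any_contains(script_block_text, SELECTION_CMDLET)
            and any_contains(script_block_text, SELECTION_FIELD)
            and any_contains(script_block_text, SELECTION_KEYWORDS))


# Illustrative tightening (assumption, not the rule): cmdlet, filter, field and
# keyword must occur in order inside one pipeline stage (no '|' in between).
_KEYWORDS = "|".join(re.escape(unescape_sigma(k).strip("*")) for k in SELECTION_KEYWORDS)
TIGHT_RE = re.compile(
    r"\b(?:get-process|gps)\s*\|\s*(?:\?|where(?:-object)?)"          # Get-Process/gps piped to a filter
    r"[^|]{0,200}?"                                                  # stay within that stage
    r"\b(?:company|description|name|path|product)\s+-like\s+['\"]?\*(?:" + _KEYWORDS + r")\*",
    re.IGNORECASE,
)


def matches_tight(script_block_text):
    return TIGHT_RE.search(script_block_text) is not None


# Constructed ScriptBlockText samples (not real telemetry).
SAMPLES = {
    "discovery": 'Get-Process | Where-Object { $_.Name -like "*defender*" }',
    "discovery_alias": "gps | ? { $_.Product -like '*kaspersky*' }",
    "benign_cpu": "Get-Process | Where-Object { $_.CPU -gt 100 } | Sort-Object CPU -Descending",
    "benign_service": "Get-Service | Where-Object { $_.Name -like '*virus*' }",
    # All three substrings appear, but in unrelated statements of a maintenance script.
    "benign_cleanup": ("Get-Process | Where-Object { $_.CPU -gt 50 } | Stop-Process\n"
                       "Get-ChildItem C:\\Logs | Where-Object { $_.Name -like '*defender*' } | Remove-Item"),
}


def evaluate(samples=SAMPLES):
    """Return {name: (rule_hit, tight_hit)} for each sample script block."""
    return {name: (matches_rule(text), matches_tight(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, (rule_hit, tight_hit) in evaluate().items():
        print(f"{name:16} rule={rule_hit!s:5} tight_regex={tight_hit}")
```

The "benign_cleanup" sample is the case the false-positive note is about: the broad "contains" logic fires because "get-process | where", "Name -like" and "*defender*" all appear somewhere in the block, even though the security-product keyword belongs to a file cleanup. The tighter regex avoids that at the cost of missing discovery that is split across variables or stages, so treat it as a tuning option to validate against your own script-block telemetry, not a drop-in replacement.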