Techniques
Sample rules
Security Software Discovery Via Powershell Script
- source: sigma
- techniques:
  - t1518
  - t1518.001
Description
Detects calls to "get-process" where the output is piped to a "where-object" filter to search for security solution processes. Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus.
Detection logic
condition: all of selection_*
selection_cmdlet:
    ScriptBlockText|contains:
        - 'get-process | \?'
        - 'get-process | where'
        - 'gps | \?'
        - 'gps | where'
selection_field:
    ScriptBlockText|contains:
        - 'Company -like'
        - 'Description -like'
        - 'Name -like'
        - 'Path -like'
        - 'Product -like'
selection_keywords:
    ScriptBlockText|contains:
        - '\*avira\*'
        - '\*carbonblack\*'
        - '\*cylance\*'
        - '\*defender\*'
        - '\*kaspersky\*'
        - '\*malware\*'
        - '\*sentinel\*'
        - '\*symantec\*'
        - '\*virus\*'
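To show how the three selections combine under "all of selection_*", here is an added Python re-implementation of the rule's |contains logic (not part of the Sigma rule or this page; the ScriptBlockText samples are constructed). It honours Sigma's escaping, so "\?" and "\*" match a literal question mark and asterisk, while unescaped "*" and "?" stay wildcards, and matching is case-insensitive as in Sigma.

```python
import re

# The rule's three selections, transcribed from the page (Sigma |contains lists).
RULE = {
    "selection_cmdlet": [r"get-process | \?", "get-process | where", r"gps | \?", "gps | where"],
    "selection_field": ["Company -like", "Description -like", "Name -like", "Path -like", "Product -like"],
    "selection_keywords": [r"\*avira\*", r"\*carbonblack\*", r"\*cylance\*", r"\*defender\*",
                           r"\*kaspersky\*", r"\*malware\*", r"\*sentinel\*", r"\*symantec\*", r"\*virus\*"],
}

def sigma_contains_regex(pattern: str) -> re.Pattern:
    """Compile one Sigma |contains value: case-insensitive substring match where an
    unescaped '*' matches any run of characters, an unescaped '?' matches one
    character, and backslash-escaped '*' / '?' match the literal characters."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "*?\\":
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
        i += 1
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

COMPILED = {name: [sigma_contains_regex(v) for v in values] for name, values in RULE.items()}

def matching_selections(script_block_text: str) -> set:
    """Names of the selections that match; the values inside one list are OR'ed."""
    return {name for name, regexes in COMPILED.items()
            if any(r.search(script_block_text) for r in regexes)}

def rule_matches(script_block_text: str) -> bool:
    """'condition: all of selection_*' means every selection must match."""
    return matching_selections(script_block_text) == set(COMPILED)

# Constructed Event ID 4104 ScriptBlockText samples (not real telemetry).
SAMPLES = [
    'Get-Process | ? {$_.Company -like "*Symantec*"}',          # all three selections -> alert
    'gps | where {$_.Description -like "*Defender*"}',          # alias forms -> alert
    'Get-Process | Where-Object {$_.Name -like "*chrome*"}',    # no security keyword -> no alert
    'Get-Service | Where-Object {$_.Name -like "*defender*"}',  # Get-Service, not Get-Process -> no alert
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{'ALERT' if rule_matches(s) else 'ok   '}  {s}")
```

The last two samples show why the rule needs all three selections: a -like filter on a security vendor name is only flagged when it is applied to process output.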