LoFP / Legitimate usage of the capabilities by administrators or users. Add additional filters accordingly.

Techniques

Sample rules

Add Windows Capability Via PowerShell Cmdlet

Description

Detects usage of the “Add-WindowsCapability” cmdlet to add Windows capabilities. Notable capabilities include “OpenSSH” and others.

Detection logic

condition: all of selection_*
selection_capa:
  CommandLine|contains: OpenSSH.
selection_cmdlet:
  CommandLine|contains: Add-WindowsCapability
selection_img:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
- OriginalFileName:
  - PowerShell.EXE
  - pwsh.dll

Add Windows Capability Via PowerShell Script

Description

Detects usage of the “Add-WindowsCapability” cmdlet to add Windows capabilities. Notable capabilities include “OpenSSH” and others.

Detection logic

condition: all of selection_*
selection_capa:
  ScriptBlockText|contains: -Name OpenSSH.
selection_cmdlet:
  ScriptBlockText|contains: 'Add-WindowsCapability '
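As an added example (not part of the LoFP page or of the Sigma rules themselves), the following Python evaluates the selections of both rules above against constructed process-creation and script-block events, and shows how an extra filter_* selection tunes out a hypothetical deployment account, which is the kind of additional filter the false-positive note at the top of the page refers to. The minimal matcher, the sample event values and the CORP\svc-deploy account name are assumptions made here; the selection logic is transcribed from the two rules on this page.

```python
"""Minimal evaluator for the two Sigma rules on this page (added example).

Covers only the Sigma features those rules use: `field|contains`,
`field|endswith`, plain equality, AND across the fields of one selection map,
OR across list values and across list-of-map selections, and a hard-coded
condition of the shape `all of selection_* and not 1 of filter_*`.
String comparison is case-insensitive, as Sigma's default comparison is.
"""


def _compare(value, modifier, pattern):
    v, p = str(value).lower(), str(pattern).lower()
    if modifier is None:
        return v == p
    if modifier == "contains":
        return p in v
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "startswith":
        return v.startswith(p)
    raise ValueError(f"unsupported modifier: {modifier}")


def _field_matches(event, key, patterns):
    field, _, modifier = key.partition("|")
    if field not in event:
        return False
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(_compare(event[field], modifier or None, p) for p in patterns)


def selection_matches(event, selection):
    # A list of maps is an OR of its maps; a single map is an AND of its fields.
    if isinstance(selection, list):
        return any(selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(rule, event):
    """Evaluate `all of selection_* and not 1 of filter_*` for one event."""
    selections = [v for k, v in rule.items() if k.startswith("selection_")]
    filters = [v for k, v in rule.items() if k.startswith("filter_")]
    if not all(selection_matches(event, s) for s in selections):
        return False
    return not any(selection_matches(event, f) for f in filters)


def matching_indices(rule, events):
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]


def add_filter(rule, name, selection):
    """Return a copy of `rule` with an extra filter_<name> exclusion."""
    tuned = dict(rule)
    tuned[f"filter_{name}"] = selection
    return tuned


# Selections transcribed from the two rules on this page.
CMDLET_RULE = {
    "selection_capa": {"CommandLine|contains": "OpenSSH."},
    "selection_cmdlet": {"CommandLine|contains": "Add-WindowsCapability"},
    "selection_img": [
        {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        {"OriginalFileName": ["PowerShell.EXE", "pwsh.dll"]},
    ],
}
SCRIPT_RULE = {
    "selection_capa": {"ScriptBlockText|contains": "-Name OpenSSH."},
    "selection_cmdlet": {"ScriptBlockText|contains": "Add-WindowsCapability "},
}

# Hypothetical tuning: exclude a constructed deployment service account.
TUNED_CMDLET_RULE = add_filter(CMDLET_RULE, "deploy_account", {"User": r"CORP\svc-deploy"})

# Constructed sample events (field names follow Sysmon/PowerShell log conventions).
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE", "User": r"CORP\jdoe",
     "CommandLine": "powershell.exe -Command Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll", "User": r"CORP\jdoe",
     "CommandLine": "pwsh.exe -c Get-WindowsCapability -Online -Name OpenSSH.*"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe", "User": r"CORP\jdoe",
     "CommandLine": "cmd.exe /c dism /online /Add-Capability /CapabilityName:OpenSSH.Client~~~~0.0.1.0"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "OriginalFileName": "pwsh.dll", "User": r"CORP\svc-deploy",
     "CommandLine": "pwsh.exe -NoProfile -Command Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0"},
]
SCRIPTBLOCK_EVENTS = [
    {"ScriptBlockText": "Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0"},
    {"ScriptBlockText": "Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'"},
]

if __name__ == "__main__":
    print("cmdlet rule hits:", matching_indices(CMDLET_RULE, PROCESS_EVENTS))
    print("tuned cmdlet rule hits:", matching_indices(TUNED_CMDLET_RULE, PROCESS_EVENTS))
    print("script rule hits:", matching_indices(SCRIPT_RULE, SCRIPTBLOCK_EVENTS))
```

The third process event shows why the rule is scoped to PowerShell images: a DISM invocation adding the same capability is not covered by this rule, so a separate rule is needed for that path. The fourth event is the legitimate-administration case the LoFP note describes; the untuned rule fires on it, and the added filter_deploy_account selection suppresses it without touching the other hits.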