sigma-rules/rules_building_block/discovery_posh_generic.toml

[metadata]
creation_date = "2023/07/06"
integration = ["windows"]
maturity = "production"
updated_date = "2025/07/02"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies the use of Cmdlets and methods related to discovery activities. Attackers can use these to perform various
situational awareness related activities, like enumerating users, shares, sessions, domain trusts, groups, etc.
"""
from = "now-119m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
interval = "60m"
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Script with Discovery Capabilities"
risk_score = 21
rule_id = "1e0a3f7c-21e7-4bb1-98c7-2036612fb1be"
setup = """## Setup

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:

```
Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)
```

Steps to implement the logging policy via registry:

```
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
```
"""
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Collection",
    "Tactic: Discovery",
    "Data Source: PowerShell Logs",
    "Rule Type: BBR",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    (
      "Get-ADDefaultDomainPasswordPolicy" or
      "Get-ADDomain" or "Get-ComputerInfo" or
      "Get-Disk" or "Get-DnsClientCache" or
      "Get-GPOReport" or "Get-HotFix" or
      "Get-LocalUser" or "Get-NetFirewallProfile" or
      "get-nettcpconnection" or "Get-NetAdapter" or
      "Get-PhysicalDisk" or "Get-Process" or
      "Get-PSDrive" or "Get-Service" or
      "Get-SmbShare" or "Get-WinEvent"
    ) or
    (
      ("Get-WmiObject" or "gwmi" or "Get-CimInstance" or
       "gcim" or "Management.ManagementObjectSearcher" or
       "System.Management.ManagementClass" or
       "[WmiClass]") and
      (
        "AntiVirusProduct" or "CIM_BIOSElement" or "CIM_ComputerSystem" or "CIM_Product" or "CIM_DiskDrive" or
        "CIM_LogicalDisk" or "CIM_NetworkAdapter" or "CIM_StorageVolume" or "CIM_OperatingSystem" or
        "CIM_Process" or "CIM_Service" or "MSFT_DNSClientCache" or "Win32_BIOS" or "Win32_ComputerSystem" or
        "Win32_ComputerSystemProduct" or "Win32_DiskDrive" or "win32_environment" or "Win32_Group" or
        "Win32_groupuser" or "Win32_IP4RouteTable" or "Win32_logicaldisk" or "Win32_MappedLogicalDisk" or
        "Win32_NetworkAdapterConfiguration" or "win32_ntdomain" or "Win32_OperatingSystem" or
        "Win32_PnPEntity" or "Win32_Process" or "Win32_Product" or "Win32_quickfixengineering" or
        "win32_service" or "Win32_Share" or "Win32_UserAccount"
      )
    ) or
    (
      ("ADSI" and "WinNT") or
      ("Get-ChildItem" and "sysmondrv.sys") or
      ("::GetIPGlobalProperties()" and "GetActiveTcpConnections()") or
      ("ServiceProcess.ServiceController" and "::GetServices") or
      ("Diagnostics.Process" and "::GetProcesses") or
      ("DirectoryServices.Protocols.GroupPolicy" and ".GetGPOReport()") or
      ("DirectoryServices.AccountManagement" and "PrincipalSearcher") or
      ("NetFwTypeLib.NetFwMgr" and "CurrentProfile") or
      ("NetworkInformation.NetworkInterface" and "GetAllNetworkInterfaces") or
      ("Automation.PSDriveInfo") or
      ("Microsoft.Win32.RegistryHive")
    ) or
    (
      "Get-ItemProperty" and
      (
        "\Control\SecurityProviders\WDigest" or
        "\microsoft\windows\currentversion\explorer\runmru" or
        "\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters" or
        "\Microsoft\Windows\CurrentVersion\Uninstall" or
        "\Microsoft\Windows\WindowsUpdate" or
        "Policies\Microsoft\Windows\Installer" or
        "Software\Microsoft\Windows\CurrentVersion\Policies" or
        ("\Services\SharedAccess\Parameters\FirewallPolicy" and "EnableFirewall") or
        ("Microsoft\Windows\CurrentVersion\Internet Settings" and "proxyEnable")
      )
    ) or
    (
      ("Directoryservices.Activedirectory" or
      "DirectoryServices.AccountManagement") and 
      (
        "Domain Admins" or "DomainControllers" or
        "FindAllGlobalCatalogs" or "GetAllTrustRelationships" or
        "GetCurrentDomain" or "GetCurrentForest"
      ) or
      "DirectoryServices.DirectorySearcher" and
      (
        "samAccountType=805306368" or
        "samAccountType=805306369" or
        "objectCategory=group" or
        "objectCategory=groupPolicyContainer" or
        "objectCategory=site" or
        "objectCategory=subnet" or
        "objectClass=trustedDomain"
      )
    ) or
    (
      "Get-Process" and
      (
        "mcshield" or "windefend" or "savservice" or
        "TMCCSF" or "symantec antivirus" or
        "CSFalcon" or "TmPfw" or "kvoop"
      )
    )
  ) and
  not powershell.file.script_block_text : (
    (
      "__cmdletization_BindCommonParameters" and
      "Microsoft.PowerShell.Core\Export-ModuleMember" and
      "Microsoft.PowerShell.Cmdletization.Cim.CimCmdletAdapter"
    ) or
    "CmdletsToExport=@(\"Add-Content\"," or
    ("cmdletization" and "cdxml-Help.xml")
  ) and
  not user.id : ("S-1-5-18" or "S-1-5-19" or "S-1-5-20")
'''


[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Program Files\\\\WindowsPowerShell\\\\Modules\\\\*.ps?1"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Program Files\\\\Microsoft Azure AD Sync\\\\Extensions\\\\AADConnector.psm1"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "*ServiceNow MID Server*\\\\agent\\\\scripts\\\\PowerShell\\\\*.psm1"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\IMECache\\\\HealthScripts\\\\*\\\\detect.ps1"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Windows\\\\TEMP\\\\SDIAG*"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Temp\\\\SDIAG*"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\SDIAG*"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\Program Files\\\\Microsoft Monitoring Agent\\\\Agent\\\\Health Service State\\\\Monitoring Host Temporary Files*"

[[rule.filters]]
[rule.filters.meta]
negate = true
[rule.filters.query.wildcard."file.path"]
case_insensitive = true
value = "?:\\\\ProgramData\\\\Microsoft\\\\Windows Defender Advanced Threat Protection\\\\DataCollection\\\\*"


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1007"
name = "System Service Discovery"
reference = "https://attack.mitre.org/techniques/T1007/"

[[rule.threat.technique]]
id = "T1012"
name = "Query Registry"
reference = "https://attack.mitre.org/techniques/T1012/"

[[rule.threat.technique]]
id = "T1049"
name = "System Network Connections Discovery"
reference = "https://attack.mitre.org/techniques/T1049/"

[[rule.threat.technique]]
id = "T1057"
name = "Process Discovery"
reference = "https://attack.mitre.org/techniques/T1057/"

[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"

[[rule.threat.technique]]
id = "T1082"
name = "System Information Discovery"
reference = "https://attack.mitre.org/techniques/T1082/"

[[rule.threat.technique]]
id = "T1083"
name = "File and Directory Discovery"
reference = "https://attack.mitre.org/techniques/T1083/"

[[rule.threat.technique]]
id = "T1087"
name = "Account Discovery"
reference = "https://attack.mitre.org/techniques/T1087/"
[[rule.threat.technique.subtechnique]]
id = "T1087.001"
name = "Local Account"
reference = "https://attack.mitre.org/techniques/T1087/001/"

[[rule.threat.technique.subtechnique]]
id = "T1087.002"
name = "Domain Account"
reference = "https://attack.mitre.org/techniques/T1087/002/"


[[rule.threat.technique]]
id = "T1135"
name = "Network Share Discovery"
reference = "https://attack.mitre.org/techniques/T1135/"

[[rule.threat.technique]]
id = "T1201"
name = "Password Policy Discovery"
reference = "https://attack.mitre.org/techniques/T1201/"

[[rule.threat.technique]]
id = "T1482"
name = "Domain Trust Discovery"
reference = "https://attack.mitre.org/techniques/T1482/"

[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"
[[rule.threat.technique.subtechnique]]
id = "T1518.001"
name = "Security Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/001/"


[[rule.threat.technique]]
id = "T1615"
name = "Group Policy Discovery"
reference = "https://attack.mitre.org/techniques/T1615/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"