Detection rules › By event

PowerShell Event ID 800

37 detection rules reference this event. View event page.

Sigma (37)

Active Directory Forest PowerShell class called from a non administrative host severity medium T1482
BITS payload downloaded via PowerShell severity medium T1048, T1105, T1197, T1570
DCOM lateral movement (via MMC20) severity high T1021, T1021.003
Domain group membership change severity high T1098
DoT (DNS over TLS) activation (PowerShell) severity medium T1071, T1071.004
DSRM password changed (Reg via PowerShell) severity high T1098
Encoded PowerShell payload deployed (PowerShell) severity high T1027, T1059, T1059.001
Event log clear attempt (PowerShell) severity high T1070, T1070.001
Event log cleared using Diagnostics (via PowerShell) severity high T1070, T1070.001
Exchange transport agent installation artifacts (PowerShell) severity high T1505, T1505.002
Firewall configuration enumerated (PowerShell) severity medium T1016
Firewall deactivation (PowerShell) severity high T1562, T1562.004
Group discovery (PowerShell) severity medium T1069, T1069.001, T1069.002
Local group membership change severity high T1098
LSASS credential dump with LSASSY (PowerShell) severity medium T1003, T1003.001
Microsoft Defender critical security components disabled (PowerShell) severity high T1562, T1562.001
Microsoft Defender default action changed to allow any threat (PowerShell) severity high T1562, T1562.001
Microsoft Defender security components disabled (PowerShell) severity medium T1562, T1562.001
Microsoft Defender threat exclusion added (PowerShell) severity high T1562, T1562.001
OpenSSH native server feature installation severity medium T1021, T1021.004
OpenSSH server firewall configuration on Windows (PowerShell) severity high T1562, T1562.004
OpenSSH service activation on Windows severity medium T1021, T1021.004
Payload downloaded via PowerShell severity high T1059, T1059.001, T1105
PipeShell exfiltration over named pipes severity medium T1059, T1059.001
Print spooler privilege escalation via printer added (CVE-2020-1048) severity high T1547, T1547.010
Service abuse with backdoored "command failure" (Reg via PowerShell) severity high T1543, T1543.003
Service abuse with malicious ImagePath (Reg via PowerShell) severity high T1543, T1543.003
Service creation (PowerShell) severity high T1543, T1543.003
Service permissions hijacked for privileges abuse (PowerShell) severity high T1543, T1543.003, T1574, T1574.010
Service permissions hijacked for privileges abuse (Reg via PowerShell) severity high T1543, T1543.003, T1574, T1574.010
Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell) severity high T1087, T1087.002, T1558, T1558.003
System time changed (PowerShell) severity medium T1070, T1070.006
Vault credentials manager accessed severity high T1555, T1555.004
VSS backup deletion via WMI (Powershell) severity high T1490
Webserver IIS module installed (PowerShell) severity high T1505, T1505.004
Webserver IIS module installed via GAC manipulation (PowerShell) severity high T1505, T1505.004
WMI registration (PowerShell) severity high T1546, T1546.003

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

PowerShell Event ID 800

Sigma (37)

Keyboard shortcuts

Search operators