| | posh_ps_aadinternals_cmdlets_execution.yml | 2.0 KB |
| | posh_ps_access_to_browser_login_data.yml | 1.5 KB |
| | posh_ps_active_directory_module_dll_import.yml | 1.4 KB |
| | posh_ps_add_dnsclient_rule.yml | 972 B |
| | posh_ps_add_windows_capability.yml | 1.2 KB |
| | posh_ps_adrecon_execution.yml | 1014 B |
| | posh_ps_amsi_bypass_pattern_nov22.yml | 887 B |
| | posh_ps_amsi_null_bits_bypass.yml | 954 B |
| | posh_ps_apt_silence_eda.yml | 1.4 KB |
| | posh_ps_as_rep_roasting.yml | 1.1 KB |
| | posh_ps_audio_exfiltration.yml | 1.2 KB |
| | posh_ps_automated_collection.yml | 1.0 KB |
| | posh_ps_capture_screenshots.yml | 928 B |
| | posh_ps_clear_powershell_history.yml | 1.3 KB |
| | posh_ps_clearing_windows_console_history.yml | 1.2 KB |
| | posh_ps_cmdlet_scheduled_task.yml | 1.8 KB |
| | posh_ps_computer_discovery_get_adcomputer.yml | 1.4 KB |
| | posh_ps_copy_item_system_directory.yml | 950 B |
| | posh_ps_cor_profiler.yml | 1.4 KB |
| | posh_ps_create_local_user.yml | 741 B |
| | posh_ps_create_volume_shadow_copy.yml | 894 B |
| | posh_ps_detect_vm_env.yml | 1.2 KB |
| | posh_ps_directorysearcher.yml | 947 B |
| | posh_ps_directoryservices_accountmanagement.yml | 1.1 KB |
| | posh_ps_disable_psreadline_command_history.yml | 742 B |
| | posh_ps_disable_windows_optional_feature.yml | 1.4 KB |
| | posh_ps_dotnet_assembly_from_file.yml | 694 B |
| | posh_ps_download_com_cradles.yml | 1.4 KB |
| | posh_ps_dsinternals_cmdlets.yml | 3.7 KB |
| | posh_ps_dump_password_windows_credential_manager.yml | 1.4 KB |
| | posh_ps_enable_psremoting.yml | 982 B |
| | posh_ps_enable_susp_windows_optional_feature.yml | 1.6 KB |
| | posh_ps_enumerate_password_windows_credential_manager.yml | 1.0 KB |
| | posh_ps_etw_trace_evasion.yml | 1.0 KB |
| | posh_ps_export_certificate.yml | 1.3 KB |
| | posh_ps_frombase64string_archive.yml | 931 B |
| | posh_ps_get_acl_service.yml | 1.4 KB |
| | posh_ps_get_adcomputer.yml | 1.1 KB |
| | posh_ps_get_adgroup.yml | 761 B |
| | posh_ps_get_adreplaccount.yml | 1.1 KB |
| | posh_ps_get_childitem_bookmarks.yml | 1.1 KB |
| | posh_ps_get_process_security_software_discovery.yml | 2.2 KB |
| | posh_ps_hktl_rubeus.yml | 1.4 KB |
| | posh_ps_hktl_winpwn.yml | 1.6 KB |
| | posh_ps_hotfix_enum.yml | 788 B |
| | posh_ps_icmp_exfiltration.yml | 1.0 KB |
| | posh_ps_import_module_susp_dirs.yml | 1.4 KB |
| | posh_ps_install_unsigned_appx_packages.yml | 1.1 KB |
| | posh_ps_invoke_command_remote.yml | 1013 B |
| | posh_ps_invoke_dnsexfiltration.yml | 955 B |
| | posh_ps_invoke_obfuscation_clip.yml | 767 B |
| | posh_ps_invoke_obfuscation_obfuscated_iex.yml | 1.3 KB |
| | posh_ps_invoke_obfuscation_stdin.yml | 749 B |
| | posh_ps_invoke_obfuscation_var.yml | 787 B |
| | posh_ps_invoke_obfuscation_via_compress.yml | 942 B |
| | posh_ps_invoke_obfuscation_via_rundll.yml | 813 B |
| | posh_ps_invoke_obfuscation_via_stdin.yml | 737 B |
| | posh_ps_invoke_obfuscation_via_use_clip.yml | 738 B |
| | posh_ps_invoke_obfuscation_via_use_mhsta.yml | 843 B |
| | posh_ps_invoke_obfuscation_via_use_rundll32.yml | 915 B |
| | posh_ps_invoke_obfuscation_via_var.yml | 757 B |
| | posh_ps_keylogging.yml | 1.1 KB |
| | posh_ps_localuser.yml | 1.2 KB |
| | posh_ps_mailboxexport_share.yml | 1.1 KB |
| | posh_ps_malicious_commandlets.yml | 9.9 KB |
| | posh_ps_malicious_keywords.yml | 1.4 KB |
| | posh_ps_memorydump_getstoragediagnosticinfo.yml | 788 B |
| | posh_ps_modify_group_policy_settings.yml | 1.1 KB |
| | posh_ps_msxml_com.yml | 1.3 KB |
| | posh_ps_nishang_malicious_commandlets.yml | 3.9 KB |
| | posh_ps_ntfs_ads_access.yml | 983 B |
| | posh_ps_office_comobject_registerxll.yml | 886 B |
| | posh_ps_packet_capture.yml | 1.4 KB |
| | posh_ps_potential_invoke_mimikatz.yml | 1.0 KB |
| | posh_ps_potential_unconstrained_delegation_discovery.yml | 1.2 KB |
| | posh_ps_powershell_web_access_installation.yml | 1.2 KB |
| | posh_ps_powerview_malicious_commandlets.yml | 5.0 KB |
| | posh_ps_prompt_credentials.yml | 709 B |
| | posh_ps_psasyncshell.yml | 655 B |
| | posh_ps_psattack.yml | 611 B |
| | posh_ps_remote_session_creation.yml | 1.1 KB |
| | posh_ps_remotefxvgpudisablement_abuse.yml | 1.4 KB |
| | posh_ps_request_kerberos_ticket.yml | 1.3 KB |
| | posh_ps_resolve_list_of_ip_from_file.yml | 966 B |
| | posh_ps_root_certificate_installed.yml | 1.1 KB |
| | posh_ps_run_from_mount_diskimage.yml | 1.1 KB |
| | posh_ps_script_with_upload_capabilities.yml | 1.2 KB |
| | posh_ps_sensitive_file_discovery.yml | 906 B |
| | posh_ps_set_acl_susp_location.yml | 1.7 KB |
| | posh_ps_set_acl.yml | 1.0 KB |
| | posh_ps_set_policies_to_unsecure_level.yml | 1.6 KB |
| | posh_ps_shellcode_b64.yml | 752 B |
| | posh_ps_shellintel_malicious_commandlets.yml | 832 B |
| | posh_ps_software_discovery.yml | 1.2 KB |
| | posh_ps_store_file_in_alternate_data_stream.yml | 847 B |
| | posh_ps_susp_ace_tampering.yml | 1.0 KB |
| | posh_ps_susp_ad_group_reco.yml | 1.1 KB |
| | posh_ps_susp_alias_obfscuation.yml | 1022 B |
| | posh_ps_susp_clear_eventlog.yml | 2.0 KB |
| | posh_ps_susp_directory_enum.yml | 984 B |
| | posh_ps_susp_download.yml | 1.1 KB |
| | posh_ps_susp_execute_batch_script.yml | 1.4 KB |
| | posh_ps_susp_extracting.yml | 1.1 KB |
| | posh_ps_susp_follina_execution.yml | 984 B |
| | posh_ps_susp_get_addefaultdomainpasswordpolicy.yml | 1.0 KB |
| | posh_ps_susp_get_current_user.yml | 1.0 KB |
| | posh_ps_susp_get_gpo.yml | 779 B |
| | posh_ps_susp_get_process.yml | 849 B |
| | posh_ps_susp_getprocess_lsass.yml | 878 B |
| | posh_ps_susp_gettypefromclsid.yml | 832 B |
| | posh_ps_susp_hyper_v_condlet.yml | 933 B |
| | posh_ps_susp_invocation_generic.yml | 1.1 KB |
| | posh_ps_susp_invocation_specific.yml | 2.7 KB |
| | posh_ps_susp_invoke_webrequest_useragent.yml | 1.2 KB |
| | posh_ps_susp_iofilestream.yml | 845 B |
| | posh_ps_susp_keylogger_activity.yml | 1.1 KB |
| | posh_ps_susp_keywords.yml | 1.6 KB |
| | posh_ps_susp_local_group_reco.yml | 1.4 KB |
| | posh_ps_susp_mail_acces.yml | 1010 B |
| | posh_ps_susp_mount_diskimage.yml | 960 B |
| | posh_ps_susp_mounted_share_deletion.yml | 1.2 KB |
| | posh_ps_susp_networkcredential.yml | 1.2 KB |
| | posh_ps_susp_new_psdrive.yml | 1.0 KB |
| | posh_ps_susp_proxy_scripts.yml | 854 B |
| | posh_ps_susp_recon_export.yml | 904 B |
| | posh_ps_susp_remove_adgroupmember.yml | 977 B |
| | posh_ps_susp_service_dacl_modification_set_service.yml | 1.5 KB |
| | posh_ps_susp_set_alias.yml | 2.3 KB |
| | posh_ps_susp_smb_share_reco.yml | 1007 B |
| | posh_ps_susp_ssl_keyword.yml | 1.0 KB |
| | posh_ps_susp_start_process.yml | 912 B |
| | posh_ps_susp_unblock_file.yml | 957 B |
| | posh_ps_susp_wallpaper.yml | 1.1 KB |
| | posh_ps_susp_win32_pnpentity.yml | 748 B |
| | posh_ps_susp_win32_shadowcopy_deletion.yml | 1.4 KB |
| | posh_ps_susp_windowstyle.yml | 1.1 KB |
| | posh_ps_susp_write_eventlog.yml | 893 B |
| | posh_ps_susp_zip_compress.yml | 1.6 KB |
| | posh_ps_syncappvpublishingserver_exe.yml | 945 B |
| | posh_ps_tamper_windows_defender_rem_mp.yml | 1.1 KB |
| | posh_ps_tamper_windows_defender_set_mp.yml | 3.5 KB |
| | posh_ps_test_netconnection.yml | 1.2 KB |
| | posh_ps_timestomp.yml | 1.2 KB |
| | posh_ps_user_discovery_get_aduser.yml | 1.2 KB |
| | posh_ps_user_profile_tampering.yml | 1.4 KB |
| | posh_ps_using_set_service_to_hide_services.yml | 1.3 KB |
| | posh_ps_vbscript_registry_modification.yml | 1.7 KB |
| | posh_ps_veeam_credential_dumping_script.yml | 999 B |
| | posh_ps_web_request_cmd_and_cmdlets.yml | 1.6 KB |
| | posh_ps_win_api_susp_access.yml | 1.5 KB |
| | posh_ps_win_defender_exclusions_added.yml | 1.1 KB |
| | posh_ps_win32_nteventlogfile_usage.yml | 1.2 KB |
| | posh_ps_win32_product_install_msi.yml | 836 B |
| | posh_ps_windows_firewall_profile_disabled.yml | 1.4 KB |
| | posh_ps_winlogon_helper_dll.yml | 1.3 KB |
| | posh_ps_wmi_persistence.yml | 1.3 KB |
| | posh_ps_wmi_unquoted_service_search.yml | 1.2 KB |
| | posh_ps_wmimplant.yml | 1.2 KB |
| | posh_ps_x509enrollment.yml | 1000 B |
| | posh_ps_xml_iex.yml | 1.3 KB |