add SIGMA PowerShell code (not yet adjusted for WELA)
hitenkoku committed Sep 4, 2021
1 parent 9ac5fb2 commit 2cffec8
Showing 830 changed files with 882 additions and 0 deletions.
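--- a/Rules/sigma_tmp/powershell_CL_Invocation_LOLScript.ps1
+++ b/Rules/sigma_tmp/powershell_CL_Invocation_LOLScript.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*CL_Invocation.ps1.*" -and $_.message -match "ScriptBlockText.*.*SyncInvoke.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message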
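Review bot: The `where` filter assumes the rendered Message of event 4104 contains the literal field name `ScriptBlockText` followed by the script text, but as far as I know the 4104 message renders as `Creating Scriptblock text (N of M):` plus the script body, so the `ScriptBlockText.*` prefix may never match and the rule would silently return nothing. Confirm against a live 4104 record before relying on it; if the field name is absent, drop the prefix or read the script text from `$_.Properties` (the ScriptBlockText element of the 4104 template) instead of `$_.message`. Independently, `-LogName ... | where { $_.ID -eq "4104" ... }` pulls every record of the Operational log into PowerShell before filtering; `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104}` pushes the ID filter into the event log API. The unescaped dot in `CL_Invocation.ps1` is a regex wildcard; `CL_Invocation\.ps1` is the literal the rule intends.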
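--- a/Rules/sigma_tmp/powershell_CL_Invocation_LOLScript_v2.ps1
+++ b/Rules/sigma_tmp/powershell_CL_Invocation_LOLScript_v2.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*CL_Invocation.ps1.*" -or $_.message -match "ScriptBlockText.*.*SyncInvoke.*")) } | select Computer, ScriptBlockText | group Computer | foreach { [PSCustomObject]@{'Computer'=$_.name;'Count'=($_.group.ScriptBlockText | sort -u).count} } | sort count -desc | where { $_.count -gt 2 }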
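Review bot: `select Computer, ScriptBlockText` names two properties that Get-WinEvent's EventLogRecord objects do not expose (the non-v2 rule in this commit uses `MachineName`, and the script text lives in `Message`/`Properties`), so every record comes out with both fields null, `group Computer` collapses everything into one nameless bucket and the `-gt 2` threshold is evaluated on nothing meaningful. Project the properties the object actually has, e.g. `select MachineName, Message | group MachineName` and count `$_.group.Message | sort -u`, or map `ScriptBlockText` from `$_.Properties` first. This file also switches the keyword logic from the `-and` of the non-v2 rule to `-or`, which is presumably deliberate for a per-host count; a one-line comment at the top of the file saying so would keep the two from being "fixed" into agreement later.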
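--- a/Rules/sigma_tmp/powershell_CL_Mutexverifiers_LOLScript.ps1
+++ b/Rules/sigma_tmp/powershell_CL_Mutexverifiers_LOLScript.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*CL_Mutexverifiers.ps1.*" -and $_.message -match "ScriptBlockText.*.*runAfterCancelProcess.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message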
@@ -0,0 +1 @@
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*CL_Mutexverifiers.ps1.*" -or $_.message -match "ScriptBlockText.*.*runAfterCancelProcess.*")) } | select Computer, ScriptBlockText | group Computer | foreach { [PSCustomObject]@{'Computer'=$_.name;'Count'=($_.group.ScriptBlockText | sort -u).count} } | sort count -desc | where { $_.count -gt 2 }
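--- a/Rules/sigma_tmp/powershell_alternate_powershell_hosts.ps1
+++ b/Rules/sigma_tmp/powershell_alternate_powershell_hosts.ps1
@@ -0,0 +1,2 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.ID -eq "4103" -and $_.message -match "ContextInfo.*.*") -and -not ($_.message -match "ContextInfo.*powershell.exe" -or $_.message -match "Message.*powershell.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
+Get-WinEvent -LogName Windows PowerShell | where {(($_.ID -eq "400" -and $_.message -match "ContextInfo.*.*") -and -not ($_.message -match "ContextInfo.*powershell.exe" -or $_.message -match "Message.*powershell.exe")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message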
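Review bot: `Get-WinEvent -LogName Windows PowerShell` on the second line passes the log name unquoted, so the parser binds `Windows` to -LogName and treats `PowerShell` as a stray positional argument; the call fails with a parameter-binding error and the classic-log half of the rule never runs. Quote it: `Get-WinEvent -LogName 'Windows PowerShell'`. The same unquoted name recurs in the other classic-log rules in this commit. `ContextInfo.*.*` on both lines matches any message that merely contains `ContextInfo`, which is presumably the "field present" check from the Sigma source; a short comment saying so would stop the next reader from trying to tighten it.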
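--- a/Rules/sigma_tmp/powershell_automated_collection.ps1
+++ b/Rules/sigma_tmp/powershell_automated_collection.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*.doc.*" -or $_.message -match "ScriptBlockText.*.*.docx.*" -or $_.message -match "ScriptBlockText.*.*.xls.*" -or $_.message -match "ScriptBlockText.*.*.xlsx.*" -or $_.message -match "ScriptBlockText.*.*.ppt.*" -or $_.message -match "ScriptBlockText.*.*.pptx.*" -or $_.message -match "ScriptBlockText.*.*.rtf.*" -or $_.message -match "ScriptBlockText.*.*.pdf.*" -or $_.message -match "ScriptBlockText.*.*.txt.*") -and $_.message -match "ScriptBlockText.*.*Get-ChildItem.*" -and $_.message -match "ScriptBlockText.*.* -Recurse .*" -and $_.message -match "ScriptBlockText.*.* -Include .*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message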
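Review bot: The extension terms such as `ScriptBlockText.*.*.doc.*` and `.*.txt.*` leave the dot unescaped, so `.doc` matches any character followed by `doc` (`undocumented`, `Adoc`) and `.txt` matches `context`; the Sigma source means the literal suffix. Escape them: `\.docx?`, `\.xlsx?`, `\.pptx?`, `\.rtf`, `\.pdf`, `\.txt` (the `x?` form also drops the now-redundant separate `.docx`/`.xlsx`/`.pptx` terms). The ` -Recurse .*` and ` -Include .*` terms require a trailing space after the switch, so `-Recurse` as the last token on a line does not match; that is probably acceptable but deserves a comment.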
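--- a/Rules/sigma_tmp/powershell_bad_opsec_artifacts.ps1
+++ b/Rules/sigma_tmp/powershell_bad_opsec_artifacts.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*$DoIt.*" -or $_.message -match "ScriptBlockText.*.*harmj0y.*" -or $_.message -match "ScriptBlockText.*.*mattifestation.*" -or $_.message -match "ScriptBlockText.*.*_RastaMouse.*" -or $_.message -match "ScriptBlockText.*.*tifkin_.*" -or $_.message -match "ScriptBlockText.*.*0xdeadbeef.*")) -or ($_.ID -eq "4103" -and ($_.message -match "Payload.*.*$DoIt.*" -or $_.message -match "Payload.*.*harmj0y.*" -or $_.message -match "Payload.*.*mattifestation.*" -or $_.message -match "Payload.*.*_RastaMouse.*" -or $_.message -match "Payload.*.*tifkin_.*" -or $_.message -match "Payload.*.*0xdeadbeef.*")))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message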
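Review bot: `"ScriptBlockText.*.*$DoIt.*"` and `"Payload.*.*$DoIt.*"` are double-quoted PowerShell strings, so `$DoIt` is expanded as a variable before the regex is built; in a fresh session it is empty and the pattern degenerates to `ScriptBlockText.*.*.*`, which matches every 4104 and every 4103 event and makes this rule fire on all script-block activity. Use single quotes and escape the dollar for the regex engine: `$_.message -match 'ScriptBlockText.*\$DoIt'` and `$_.message -match 'Payload.*\$DoIt'`. The handle terms (`harmj0y`, `mattifestation`, ...) will also hit on comment headers of legitimately downloaded tooling, which is inherent to the Sigma source and worth a comment at the top of the file.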
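--- a/Rules/sigma_tmp/powershell_clear_powershell_history.ps1
+++ b/Rules/sigma_tmp/powershell_clear_powershell_history.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and ((($_.message -match "ScriptBlockText.*.*del.*" -or $_.message -match "ScriptBlockText.*.*Remove-Item.*" -or $_.message -match "ScriptBlockText.*.*rm.*") -and $_.message -match "ScriptBlockText.*.*(Get-PSReadlineOption).HistorySavePath.*") -or ($_.message -match "ScriptBlockText.*.*Set-PSReadlineOption.*" -and $_.message -match "ScriptBlockText.*.*–HistorySaveStyle.*" -and $_.message -match "ScriptBlockText.*.*SaveNothing.*"))) -or ($_.ID -eq "4103" -and ((($_.message -match "Payload.*.*del.*" -or $_.message -match "Payload.*.*Remove-Item.*" -or $_.message -match "Payload.*.*rm.*") -and $_.message -match "Payload.*.*(Get-PSReadlineOption).HistorySavePath.*") -or ($_.message -match "Payload.*.*Set-PSReadlineOption.*" -and $_.message -match "Payload.*.*–HistorySaveStyle.*" -and $_.message -match "Payload.*.*SaveNothing.*"))))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message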
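Review bot: The `–HistorySaveStyle` terms (in both the ScriptBlockText and the Payload branch) appear to begin with an en dash (U+2013) rather than an ASCII hyphen, so `Set-PSReadlineOption -HistorySaveStyle SaveNothing` as actually typed never matches and the second half of the rule is dead; replace it with `-HistorySaveStyle`. Separately, `(Get-PSReadlineOption).HistorySavePath` is unescaped regex: the parentheses form a capture group and the dot is a wildcard, so the literal text `(Get-PSReadlineOption).HistorySavePath` does not satisfy it; write `\(Get-PSReadlineOption\)\.HistorySavePath`. `.*rm.*` also matches any message containing `rm` (`format`, `permission`), which is tolerable only because it is AND'ed with the HistorySavePath term.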
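--- a/Rules/sigma_tmp/powershell_cmdline_reversed_strings.ps1
+++ b/Rules/sigma_tmp/powershell_cmdline_reversed_strings.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and ($_.message -match "CommandLine.*.*hctac.*" -or $_.message -match "CommandLine.*.*kearb.*" -or $_.message -match "CommandLine.*.*dnammoc.*" -or $_.message -match "CommandLine.*.*ekovn.*" -or $_.message -match "CommandLine.*.*eliFd.*" -or $_.message -match "CommandLine.*.*rahc.*" -or $_.message -match "CommandLine.*.*etirw.*" -or $_.message -match "CommandLine.*.*golon.*" -or $_.message -match "CommandLine.*.*tninon.*" -or $_.message -match "CommandLine.*.*eddih.*" -or $_.message -match "CommandLine.*.*tpircS.*" -or $_.message -match "CommandLine.*.*ssecorp.*" -or $_.message -match "CommandLine.*.*llehsrewop.*" -or $_.message -match "CommandLine.*.*esnopser.*" -or $_.message -match "CommandLine.*.*daolnwod.*" -or $_.message -match "CommandLine.*.*tneilCbeW.*" -or $_.message -match "CommandLine.*.*tneilc.*" -or $_.message -match "CommandLine.*.*ptth.*" -or $_.message -match "CommandLine.*.*elifotevas.*" -or $_.message -match "CommandLine.*.*46esab.*" -or $_.message -match "CommandLine.*.*htaPpmeTteG.*" -or $_.message -match "CommandLine.*.*tcejbO.*" -or $_.message -match "CommandLine.*.*maerts.*" -or $_.message -match "CommandLine.*.*hcaerof.*" -or $_.message -match "CommandLine.*.*ekovni.*" -or $_.message -match "CommandLine.*.*retupmoc.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message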
@@ -0,0 +1 @@
Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "1" -and $_.message -match "Image.*.*\\powershell.exe" -and (((($_.ID -eq "1" -and ($_.message -match "CommandLine.*.*ToInt.*" -or $_.message -match "CommandLine.*.*ToDecimal.*" -or $_.message -match "CommandLine.*.*ToByte.*" -or $_.message -match "CommandLine.*.*ToUint.*" -or $_.message -match "CommandLine.*.*ToSingle.*" -or $_.message -match "CommandLine.*.*ToSByte.*") -and ($_.message -match "CommandLine.*.*ToChar.*" -or $_.message -match "CommandLine.*.*ToString.*" -or $_.message -match "CommandLine.*.*String.*")) -or ($_.message -match "CommandLine.*.*char.*" -and $_.message -match "CommandLine.*.*join.*")) -or ($_.message -match "CommandLine.*.*split.*" -and $_.message -match "CommandLine.*.*join.*")) -or ($_.message -match "CommandLine.*.*ForEach.*" -and $_.message -match "CommandLine.*.*Xor.*") -or ($_.message -match "CommandLine.*.*cOnvErTTO-SECUreStRIng.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message
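--- a/Rules/sigma_tmp/powershell_code_injection.ps1
+++ b/Rules/sigma_tmp/powershell_code_injection.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | where {($_.ID -eq "8" -and $_.message -match "SourceImage.*.*\\powershell.exe") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message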
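--- a/Rules/sigma_tmp/powershell_create_local_user.ps1
+++ b/Rules/sigma_tmp/powershell_create_local_user.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*New-LocalUser.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message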
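--- a/Rules/sigma_tmp/powershell_data_compressed.ps1
+++ b/Rules/sigma_tmp/powershell_data_compressed.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*-Recurse.*" -and $_.message -match "ScriptBlockText.*.*|.*" -and $_.message -match "ScriptBlockText.*.*Compress-Archive.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message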
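Review bot: `$_.message -match "ScriptBlockText.*.*|.*"` is meant to require a pipe character, but in the regex the unescaped `|` is alternation, so the pattern reads as `ScriptBlockText.*.*` OR `.*` and matches every message; that middle condition is a no-op and the rule reduces to `-Recurse` AND `Compress-Archive`. Escape it: `$_.message -match "ScriptBlockText.*\|.*"`. If a bare pipe turns out too broad once it actually applies, `\|\s*Compress-Archive` captures the Sigma source's intent (recurse, pipe into the archiver) more tightly.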
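--- a/Rules/sigma_tmp/powershell_decompress_commands.ps1
+++ b/Rules/sigma_tmp/powershell_decompress_commands.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Expand-Archive.*") -or ($_.ID -eq "4103" -and $_.message -match "Payload.*.*Expand-Archive.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message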
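--- a/Rules/sigma_tmp/powershell_delete_volume_shadow_copies.ps1
+++ b/Rules/sigma_tmp/powershell_delete_volume_shadow_copies.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Windows PowerShell | where {($_.message -match "CommandLine.*.*Get-WmiObject.*" -and $_.message -match "CommandLine.*.* Win32_Shadowcopy.*" -and ($_.message -match "CommandLine.*.*Delete().*" -or $_.message -match "CommandLine.*.*Remove-WmiObject.*") -and $_.ID -eq "400") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message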
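Review bot: `Get-WinEvent -LogName Windows PowerShell` passes the log name unquoted, so `PowerShell` becomes an unbound positional argument and the cmdlet errors out before anything is filtered; it needs `-LogName 'Windows PowerShell'`. In the regex, `CommandLine.*.*Delete().*` contains an empty group, so it matches `Delete` followed by anything rather than the literal call; `Delete\(\)` is the literal. As far as I recall, event 400 in the classic log renders the command line as `HostApplication=...` rather than a `CommandLine` field, so confirm the `CommandLine.*` prefix against a real record (the Sysmon rules in this commit get away with field-name prefixes because Sysmon messages print them).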
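--- a/Rules/sigma_tmp/powershell_dnscat_execution.ps1
+++ b/Rules/sigma_tmp/powershell_dnscat_execution.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Start-Dnscat2.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message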
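--- a/Rules/sigma_tmp/powershell_downgrade_attack.ps1
+++ b/Rules/sigma_tmp/powershell_downgrade_attack.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Windows PowerShell | where {(($_.ID -eq "400" -and $_.message -match "EngineVersion.*2..*") -and -not ($_.message -match "HostVersion.*2..*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message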
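Review bot: `EngineVersion.*2..*` and `HostVersion.*2..*` do not pin the version number: `.*` lets the match run to any later `2` in the message and the trailing `.` is a wildcard, so a 5.1.x engine with a `2` anywhere after `EngineVersion` (a GUID, a build number, the HostVersion line) satisfies the first term, and the `-not HostVersion.*2..*` exclusion is satisfied just as arbitrarily. Anchor on the field value instead: `$_.message -match "EngineVersion=2\."` and `-not ($_.message -match "HostVersion=2\.")`, assuming the classic-log 400 message uses the `Name=Value` layout; verify on a real record. The log name is also unquoted; without `Get-WinEvent -LogName 'Windows PowerShell'` the call fails to bind `PowerShell` and returns nothing.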
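--- a/Rules/sigma_tmp/powershell_exe_calling_ps.ps1
+++ b/Rules/sigma_tmp/powershell_exe_calling_ps.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Windows PowerShell | where {($_.ID -eq "400" -and ($_.message -match "EngineVersion.*2..*" -or $_.message -match "EngineVersion.*4..*" -or $_.message -match "EngineVersion.*5..*") -and $_.message -match "HostVersion.*3..*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message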
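Review bot: `EngineVersion.*4..*`, `.*5..*` and `HostVersion.*3..*` can be satisfied by any later digit in the message because `.*` is unbounded and the trailing `.` is a wildcard, so the rule is effectively `ID -eq 400` plus noise rather than "engine 2/4/5 hosted by a version-3 host". Match the value directly, e.g. `$_.message -match "EngineVersion=[245]\."` and `$_.message -match "HostVersion=3\."`, after confirming the `Name=Value` layout on a real 400 record. `-LogName Windows PowerShell` must also be quoted (`'Windows PowerShell'`) or the cmdlet rejects `PowerShell` as an unbound argument.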
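--- a/Rules/sigma_tmp/powershell_get_clipboard.ps1
+++ b/Rules/sigma_tmp/powershell_get_clipboard.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {((($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*Get-Clipboard.*") -or ($_.ID -eq "4103" -and $_.message -match "Payload.*.*Get-Clipboard.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message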
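--- a/Rules/sigma_tmp/powershell_icmp_exfiltration.ps1
+++ b/Rules/sigma_tmp/powershell_icmp_exfiltration.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and $_.message -match "ScriptBlockText.*.*New-Object.*" -and $_.message -match "ScriptBlockText.*.*System.Net.NetworkInformation.Ping.*" -and $_.message -match "ScriptBlockText.*.*.Send(.*") } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message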
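Review bot: `ScriptBlockText.*.*.Send(.*` has an unbalanced `(`, which is a regex syntax error for the .NET engine, so `-match` throws inside the `where` script block and the pipeline fails instead of returning matches. Escape the call syntax: `$_.message -match "ScriptBlockText.*\.Send\("`. The other two terms work as substrings, though `System\.Net\.NetworkInformation\.Ping` is what the Sigma source literally means and avoids the wildcard dots.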
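--- a/Rules/sigma_tmp/powershell_keylogging.ps1
+++ b/Rules/sigma_tmp/powershell_keylogging.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-Keystrokes.*" -or ($_.message -match "ScriptBlockText.*.*Get-ProcAddress user32.dll GetAsyncKeyState.*" -and $_.message -match "ScriptBlockText.*.*Get-ProcAddress user32.dll GetForegroundWindow.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message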
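--- a/Rules/sigma_tmp/powershell_malicious_commandlets.ps1
+++ b/Rules/sigma_tmp/powershell_malicious_commandlets.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Invoke-DllInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Shellcode.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WmiCommand.*" -or $_.message -match "ScriptBlockText.*.*Get-GPPPassword.*" -or $_.message -match "ScriptBlockText.*.*Get-Keystrokes.*" -or $_.message -match "ScriptBlockText.*.*Get-TimedScreenshot.*" -or $_.message -match "ScriptBlockText.*.*Get-VaultCredential.*" -or $_.message -match "ScriptBlockText.*.*Invoke-CredentialInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Mimikatz.*" -or $_.message -match "ScriptBlockText.*.*Invoke-NinjaCopy.*" -or $_.message -match "ScriptBlockText.*.*Invoke-TokenManipulation.*" -or $_.message -match "ScriptBlockText.*.*Out-Minidump.*" -or $_.message -match "ScriptBlockText.*.*VolumeShadowCopyTools.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ReflectivePEInjection.*" -or $_.message -match "ScriptBlockText.*.*Invoke-UserHunter.*" -or $_.message -match "ScriptBlockText.*.*Find-GPOLocation.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ACLScanner.*" -or $_.message -match "ScriptBlockText.*.*Invoke-DowngradeAccount.*" -or $_.message -match "ScriptBlockText.*.*Get-ServiceUnquoted.*" -or $_.message -match "ScriptBlockText.*.*Get-ServiceFilePermission.*" -or $_.message -match "ScriptBlockText.*.*Get-ServicePermission.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ServiceAbuse.*" -or $_.message -match "ScriptBlockText.*.*Install-ServiceBinary.*" -or $_.message -match "ScriptBlockText.*.*Get-RegAutoLogon.*" -or $_.message -match "ScriptBlockText.*.*Get-VulnAutoRun.*" -or $_.message -match "ScriptBlockText.*.*Get-VulnSchTask.*" -or $_.message -match "ScriptBlockText.*.*Get-UnattendedInstallFile.*" -or $_.message -match "ScriptBlockText.*.*Get-ApplicationHost.*" -or $_.message -match "ScriptBlockText.*.*Get-RegAlwaysInstallElevated.*" -or $_.message -match "ScriptBlockText.*.*Get-Unconstrained.*" -or $_.message -match "ScriptBlockText.*.*Add-RegBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Add-ScrnSaveBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Gupt-Backdoor.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ADSBackdoor.*" -or $_.message -match "ScriptBlockText.*.*Enabled-DuplicateToken.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PsUaCme.*" -or $_.message -match "ScriptBlockText.*.*Remove-Update.*" -or $_.message -match "ScriptBlockText.*.*Check-VM.*" -or $_.message -match "ScriptBlockText.*.*Get-LSASecret.*" -or $_.message -match "ScriptBlockText.*.*Get-PassHashes.*" -or $_.message -match "ScriptBlockText.*.*Show-TargetScreen.*" -or $_.message -match "ScriptBlockText.*.*Port-Scan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PoshRatHttp.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerShellTCP.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerShellWMI.*" -or $_.message -match "ScriptBlockText.*.*Add-Exfiltration.*" -or $_.message -match "ScriptBlockText.*.*Add-Persistence.*" -or $_.message -match "ScriptBlockText.*.*Do-Exfiltration.*" -or $_.message -match "ScriptBlockText.*.*Start-CaptureServer.*" -or $_.message -match "ScriptBlockText.*.*Get-ChromeDump.*" -or $_.message -match "ScriptBlockText.*.*Get-ClipboardContents.*" -or $_.message -match "ScriptBlockText.*.*Get-FoxDump.*" -or $_.message -match "ScriptBlockText.*.*Get-IndexedItem.*" -or $_.message -match "ScriptBlockText.*.*Get-Screenshot.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Inveigh.*" -or $_.message -match "ScriptBlockText.*.*Invoke-NetRipper.*" -or $_.message -match "ScriptBlockText.*.*Invoke-EgressCheck.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PostExfil.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PSInject.*" -or $_.message -match "ScriptBlockText.*.*Invoke-RunAs.*" -or $_.message -match "ScriptBlockText.*.*MailRaider.*" -or $_.message -match "ScriptBlockText.*.*New-HoneyHash.*" -or $_.message -match "ScriptBlockText.*.*Set-MacAttribute.*" -or $_.message -match "ScriptBlockText.*.*Invoke-DCSync.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PowerDump.*" -or $_.message -match "ScriptBlockText.*.*Exploit-Jboss.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ThunderStruck.*" -or $_.message -match "ScriptBlockText.*.*Invoke-VoiceTroll.*" -or $_.message -match "ScriptBlockText.*.*Set-Wallpaper.*" -or $_.message -match "ScriptBlockText.*.*Invoke-InveighRelay.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PsExec.*" -or $_.message -match "ScriptBlockText.*.*Invoke-SSHCommand.*" -or $_.message -match "ScriptBlockText.*.*Get-SecurityPackages.*" -or $_.message -match "ScriptBlockText.*.*Install-SSP.*" -or $_.message -match "ScriptBlockText.*.*Invoke-BackdoorLNK.*" -or $_.message -match "ScriptBlockText.*.*PowerBreach.*" -or $_.message -match "ScriptBlockText.*.*Get-SiteListPassword.*" -or $_.message -match "ScriptBlockText.*.*Get-System.*" -or $_.message -match "ScriptBlockText.*.*Invoke-BypassUAC.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Tater.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WScriptBypassUAC.*" -or $_.message -match "ScriptBlockText.*.*PowerUp.*" -or $_.message -match "ScriptBlockText.*.*PowerView.*" -or $_.message -match "ScriptBlockText.*.*Get-RickAstley.*" -or $_.message -match "ScriptBlockText.*.*Find-Fruit.*" -or $_.message -match "ScriptBlockText.*.*HTTP-Login.*" -or $_.message -match "ScriptBlockText.*.*Find-TrustedDocuments.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Paranoia.*" -or $_.message -match "ScriptBlockText.*.*Invoke-WinEnum.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ARPScan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-PortScan.*" -or $_.message -match "ScriptBlockText.*.*Invoke-ReverseDNSLookup.*" -or $_.message -match "ScriptBlockText.*.*Invoke-SMBScanner.*" -or $_.message -match "ScriptBlockText.*.*Invoke-Mimikittenz.*" -or $_.message -match "ScriptBlockText.*.*Invoke-AllChecks.*")) -and -not ($_.ID -eq "4104" -and ($_.message -match "ScriptBlockText.*.*Get-SystemDriveInfo.*"))) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message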
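Review bot: Running this file on a host with script-block logging enabled writes the script itself to the Operational log as a 4104 event, and that event contains `Invoke-Mimikatz`, `Invoke-DCSync` and every other term in the list, so the rule matches its own execution (and that of any WELA run that loads it); either exclude the detection script's own path or ScriptBlockId, or state the expected self-hit in a comment at the top of the file. `Get-System.*` also matches every cmdlet whose name starts with `Get-System`, and the `-not ... Get-SystemDriveInfo` exclusion covers only one of them; `Get-System\b` expresses the Sigma source's `Get-System` more precisely. The rendered page wrapped this one-line file across four lines; on disk it is a single line, which is what the diffstat's "1 addition" reflects.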
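--- a/Rules/sigma_tmp/powershell_malicious_keywords.ps1
+++ b/Rules/sigma_tmp/powershell_malicious_keywords.ps1
@@ -0,0 +1 @@
+Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | where {(($_.message -match ".*AdjustTokenPrivileges.*" -or $_.message -match ".*IMAGE_NT_OPTIONAL_HDR64_MAGIC.*" -or $_.message -match ".*Microsoft.Win32.UnsafeNativeMethods.*" -or $_.message -match ".*ReadProcessMemory.Invoke.*" -or $_.message -match ".*SE_PRIVILEGE_ENABLED.*" -or $_.message -match ".*LSA_UNICODE_STRING.*" -or $_.message -match ".*MiniDumpWriteDump.*" -or $_.message -match ".*PAGE_EXECUTE_READ.*" -or $_.message -match ".*SECURITY_DELEGATION.*" -or $_.message -match ".*TOKEN_ADJUST_PRIVILEGES.*" -or $_.message -match ".*TOKEN_ALL_ACCESS.*" -or $_.message -match ".*TOKEN_ASSIGN_PRIMARY.*" -or $_.message -match ".*TOKEN_DUPLICATE.*" -or $_.message -match ".*TOKEN_ELEVATION.*" -or $_.message -match ".*TOKEN_IMPERSONATE.*" -or $_.message -match ".*TOKEN_INFORMATION_CLASS.*" -or $_.message -match ".*TOKEN_PRIVILEGES.*" -or $_.message -match ".*TOKEN_QUERY.*" -or $_.message -match ".*Metasploit.*" -or $_.message -match ".*Mimikatz.*")) } | select TimeCreated,Id,RecordId,ProcessId,MachineName,Message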
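Review bot: This rule has no `$_.ID` filter and scans every record of the Operational log, and its keyword list includes `Mimikatz` and `Metasploit`, so with script-block logging on, the 4104 event generated by loading this very script satisfies the rule; exclude the script's own path or note the self-hit in a comment at the top of the file, since it will otherwise show up as a finding on every run. The unescaped dots in `Microsoft.Win32.UnsafeNativeMethods` and `ReadProcessMemory.Invoke` are harmless for tokens this long, but `Microsoft\.Win32\.UnsafeNativeMethods` is the literal the Sigma source means. The leading `.*` on every term (`".*AdjustTokenPrivileges.*"`) is redundant with an unanchored `-match` and can simply be dropped.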