Suspicious PowerShell Get-Command Execution With Glob Patterns

Rule Info

Name
Suspicious PowerShell Get-Command Execution With Glob Patterns
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects execution of obfuscated variations of PowerShell Get-Command using glob patterns (wildcards or character ranges), potentially used for command obfuscation and evasion
Reference
https://0xv1n.github.io/LOLGlobs/globs/powershell/get-content/
Date
2026-03-04 00:00:00
Modified
None
Id
8f3c2b1a-4d5e-6f7a-8b9c-0d1e2f3a4b5c
Tags
attack.execution attack.defense-evasion attack.t1059.001 attack.t1027.010
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022