Add Windows Capability Via PowerShell Cmdlet

Original Source: [Sigma source]
Title: Add Windows Capability Via PowerShell Cmdlet
Status: test
Description: Detects usage of the "Add-WindowsCapability" PowerShell cmdlet to add Windows capabilities. As written, the detection only fires when the command line also names an OpenSSH capability (for example "OpenSSH.Server" or "OpenSSH.Client"); other capabilities installed with the same cmdlet are not covered.
References:
  - https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=powershell
  - https://www.virustotal.com/gui/file/af1c82237b6e5a3a7cdbad82cc498d298c67845d92971bada450023d1335e267/content
Author: Nasreddine Bencherchali (Nextron Systems)
Date: 2023-01-22
Modified: 2023-05-09
Tags:
  - attack.execution
Logsource:
  • product: windows
  • category: process_creation
Detection:
  selection_img:
    - Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    - OriginalFileName:
      - 'PowerShell.EXE'
      - 'pwsh.dll'
  selection_cmdlet:
    CommandLine|contains: 'Add-WindowsCapability'
  selection_capa:
    CommandLine|contains: 'OpenSSH.'
  condition: all of selection_*
Falsepositives:
  - Legitimate installation of the OpenSSH client or server capability by administrators or users. Add filters for known deployment accounts, hosts or management tooling accordingly.
Level: medium
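The detection logic above, evaluated over a few constructed process_creation events, as an added example that is not part of the Sigma rule or of SigmaHQ's tooling. It implements Sigma's default case-insensitive string matching, treats the two maps under selection_img as alternatives (Image ends with a PowerShell binary name, or OriginalFileName identifies one even if the file was renamed) and ANDs the three selections as the condition requires. The event dictionaries are made up for the demonstration. The third and fourth events show two gaps a practitioner should know about: the same cmdlet installing a non-OpenSSH capability does not fire, and installing OpenSSH through DISM's /Add-Capability never reaches this rule because the image is not PowerShell.

```python
"""Added example: evaluate the Sigma rule's detection logic over constructed
process_creation events. This is illustrative code, not part of the Sigma
rule or SigmaHQ tooling; the sample events below are made up."""

# Mirrors the rule. selection_img is a list of maps, i.e. an OR between them;
# within a map a field matches if any listed value matches. Sigma string
# matching is case-insensitive by default, so values are compared lowercased.
SELECTION_IMG = [
    ("Image", "endswith", ["\\powershell.exe", "\\pwsh.exe"]),
    ("OriginalFileName", "equals", ["PowerShell.EXE", "pwsh.dll"]),
]
SELECTION_CMDLET = ("CommandLine", "contains", ["Add-WindowsCapability"])
SELECTION_CAPA = ("CommandLine", "contains", ["OpenSSH."])


def _field_matches(event, field, modifier, values):
    """Apply one Sigma field condition (endswith/contains/equals) to an event."""
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    for value in values:
        v = value.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "equals" and actual == v:
            return True
    return False


def rule_matches(event):
    """Return True when the event satisfies 'all of selection_*'."""
    img = any(_field_matches(event, f, m, v) for f, m, v in SELECTION_IMG)
    cmdlet = _field_matches(event, *SELECTION_CMDLET)
    capa = _field_matches(event, *SELECTION_CAPA)
    return img and cmdlet and capa


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # expected hit: the OpenSSH server install from the Microsoft docs
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0",
    },
    {   # expected hit: pwsh renamed on disk, but the PE's OriginalFileName still says pwsh.dll
        "Image": r"C:\Users\Public\svc.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": "svc.exe -c \"add-windowscapability -online -name openssh.client~~~~0.0.1.0\"",
    },
    {   # expected miss: same cmdlet, but the capability is not OpenSSH
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": "powershell.exe Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0",
    },
    {   # expected miss: OpenSSH installed via DISM, which is outside this rule's image filter
        "Image": r"C:\Windows\System32\Dism.exe",
        "OriginalFileName": "DISM.EXE",
        "CommandLine": "dism.exe /online /add-capability /capabilityname:OpenSSH.Server~~~~0.0.1.0",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return one bool per event, in order, indicating whether the rule fired."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, evaluate()):
        print("ALERT " if hit else "      ", event["CommandLine"])
```

Running the block prints an ALERT marker next to the first two command lines only. The second event is the reason the rule keeps the OriginalFileName alternative: an attacker who copies pwsh.exe under another name defeats the Image|endswith check but not the PE metadata that Sysmon and comparable sensors log.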