Suspicious Windows Powershell Arguments
Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware installation leveraging PowerShell.
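[metadata]
creation_date = "2024/09/06"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/31"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware
installation leveraging PowerShell.
"""
from = "now-9m"
# One process-event source per listed integration. The query below reads
# process.command_line / process.args, so a source that does not populate
# those ECS fields can be listed here but will never produce a match.
index = [
  "winlogbeat-*",
  "logs-windows.*",
  "logs-system.security*",
  "logs-windows.sysmon_operational-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-m365_defender.event-*",
  "logs-crowdstrike.fdr*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Windows Powershell Arguments"
risk_score = 73
rule_id = "83bf249e-4348-47ba-9741-1202a09556ad"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Execution",
  "Data Source: System",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: Crowdstrike"
]
# Evaluate on ingest time rather than event time so endpoint events that
# arrive late are still seen inside the now-9m lookback.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic; every branch is gated on a powershell.exe process start:
#  1. the command line carries obfuscation, encoding, download or in-memory
#     loading indicators (caret / backtick / `+` chains, -enc / -ec / -e,
#     Base64 / Convert / MemoryStream / Reflection, WebClient / Download*,
#     iex / iwr, "https://" written backwards as "//:sptth", ...);
#  2. specific argument pairs: -c with an argument starting "&{'",
#     -Outfile with "Start*", -bxor with a hex literal, or a single
#     "$*$*;set-alias" argument;
#  3. a smaller indicator set (encodedCommand, Invoke-webrequest, WebClient,
#     Reflection.Assembly) when the parent is explorer.exe or cmd.exe.
# EQL `:` is a case-insensitive wildcard match, so pattern case is not
# significant; all matching is on the raw command line, not on the
# de-obfuscated script content.
# NOTE(review): only process.name "powershell.exe" is matched; pwsh.exe
# (PowerShell 7) is outside this rule's scope -- confirm that is intended.
# NOTE(review): several patterns ("*.replace*", "*Base64String*",
# "*WebClient*", "*[*Convert]*") also appear in legitimate administration
# and deployment scripts; plan to tune with exceptions (known-good parent
# process, signed script path) rather than by dropping the patterns.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "powershell.exe" and
  (
    process.command_line :
        (
          "*^*^*^*^*^*^*^*^*^*",
          "*`*`*`*`*",
          "*+*+*+*+*+*+*",
          "*[char[]](*)*-join*",
          "*Base64String*",
          "*[*Convert]*",
          "*.Compression.*",
          "*-join($*",
          "*.replace*",
          "*MemoryStream*",
          "*WriteAllBytes*",
          "* -enc *",
          "* -ec *",
          "* /e *",
          "* /enc *",
          "* /ec *",
          "*WebClient*",
          "*DownloadFile*",
          "*DownloadString*",
          "* iex*",
          "* iwr*",
          "*Reflection.Assembly*",
          "*Assembly.GetType*",
          "*$env:temp\\*start*",
          "*powercat*",
          "*nslookup -q=txt*",
          "*$host.UI.PromptForCredential*",
          "*Net.Sockets.TCPClient*",
          "*curl *;Start*",
          "powershell.exe \"<#*",
          "*ssh -p *",
          "*http*|iex*",
          "*@SSL\\DavWWWRoot\\*.ps1*",
          "*.lnk*.Seek(0x*",
          "*[string]::join(*",
          "*[Array]::Reverse($*",
          "* hidden $(gc *",
          "*=wscri& set*",
          "*http'+'s://*",
          "*.content|i''Ex*",
          "*//:sptth*",
          "*//:ptth*",
          "*$*=Get-Content*AppData*.SubString(*$*",
          "*=cat *AppData*.substring(*);*$*"
        ) or

    (process.args : "-c" and process.args : "&{'*") or

    (process.args : "-Outfile" and process.args : "Start*") or

    (process.args : "-bxor" and process.args : "0x*") or

    process.args : "$*$*;set-alias" or

    (process.parent.name : ("explorer.exe", "cmd.exe") and
     process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*"))
  )
'''

# ATT&CK mapping: Execution via PowerShell (T1059.001). The tactic table
# belongs to this same [[rule.threat]] element and must stay after its
# technique entries.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"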