Suspicious Windows Powershell Arguments
Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware installation leveraging PowerShell.
# Repository bookkeeping for this rule; none of these keys take part in the detection logic.
[metadata]
creation_date = "2024/09/06"
# Integrations whose data streams the rule reads. The `index` patterns under [rule]
# should keep tracking this list when an integration is added or removed.
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
# Explains the stack floor set by `min_stack_version` below.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/15"

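# Detection definition. Key order follows the Elastic rule convention (alphabetical, `query` last).
[rule]
author = ["Elastic"]
description = """
Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware
installation leveraging PowerShell.
"""
# Look-back window; paired with `timestamp_override` below so events that arrive late
# (ingest delay) are still evaluated on the next run.
from = "now-9m"
# Process-creation telemetry. For the Security channel (event 4688, `logs-system.security*`)
# `process.command_line` is only populated when command-line auditing is enabled on the host,
# so on that source the command_line patterns below can only fire if that policy is in place.
index = [
    "winlogbeat-*",
    "logs-windows.*",
    "logs-system.security*",
    "logs-windows.sysmon_operational-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Windows Powershell Arguments"
risk_score = 73
rule_id = "83bf249e-4348-47ba-9741-1202a09556ad"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: System",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint"
]
timestamp_override = "event.ingested"
type = "eql"

# Query notes:
# - `:` is EQL's case-insensitive, wildcard-aware string match, so "*Base64String*" also
#   matches "base64string"; `==` (used for host.os.type / event.type) is exact.
# - The value is a TOML literal multi-line string ('''): backslashes are NOT TOML escapes, so
#   "\\" reaches EQL unchanged, where it denotes a single literal backslash, and \" is an
#   EQL-escaped double quote.
# - "powershell.exe \"<#*" has no leading wildcard and therefore only matches command lines
#   that begin with the bare image name, not a full path.
# - Both Windows PowerShell (powershell.exe) and PowerShell 7 (pwsh.exe) are in scope; the
#   argument patterns apply equally to either host.
# - The parent-name clause at the end intentionally lists only "*-encodedCommand*" and
#   "*Invoke-webrequest*": "*WebClient*" and "*Reflection.Assembly*" are already matched
#   unconditionally by the first command_line list (A or (B and A) reduces to A).
# - Several entries ("*.replace*", "* iex*", "*WebClient*") are broad substrings; expect to
#   add exceptions for legitimate administrative tooling in environments with heavy
#   PowerShell use.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : ("powershell.exe", "pwsh.exe") and
  (
    process.command_line :
      (
        "*^*^*^*^*^*^*^*^*^*",
        "*`*`*`*`*",
        "*+*+*+*+*+*+*",
        "*[char[]](*)*-join*",
        "*Base64String*",
        "*[*Convert]*",
        "*.Compression.*",
        "*-join($*",
        "*.replace*",
        "*MemoryStream*",
        "*WriteAllBytes*",
        "* -enc *",
        "* -ec *",
        "* /e *",
        "* /enc *",
        "* /ec *",
        "*WebClient*",
        "*DownloadFile*",
        "*DownloadString*",
        "* iex*",
        "* iwr*",
        "*Reflection.Assembly*",
        "*Assembly.GetType*",
        "*$env:temp\\*start*",
        "*powercat*",
        "*nslookup -q=txt*",
        "*$host.UI.PromptForCredential*",
        "*Net.Sockets.TCPClient*",
        "*curl *;Start*",
        "powershell.exe \"<#*",
        "*ssh -p *",
        "*http*|iex*",
        "*@SSL\\DavWWWRoot\\*.ps1*",
        "*.lnk*.Seek(0x*",
        "*[string]::join(*",
        "*[Array]::Reverse($*",
        "* hidden $(gc *",
        "*=wscri& set*",
        "*http'+'s://*",
        "*.content|i''Ex*",
        "*//:sptth*",
        "*//:ptth*",
        "*$*=Get-Content*AppData*.SubString(*$*",
        "*=cat *AppData*.substring(*);*$*"
      ) or

    (process.args : "-c" and process.args : "&{'*") or

    (process.args : "-Outfile" and process.args : "Start*") or

    (process.args : "-bxor" and process.args : "0x*") or

    process.args : "$*$*;set-alias" or

    (process.parent.name : ("explorer.exe", "cmd.exe") and
     process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*"))
  )
'''
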
# MITRE ATT&CK mapping: Execution (TA0002) via Command and Scripting Interpreter: PowerShell (T1059.001).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

# Sub-table of the [[rule.threat]] element above: it must stay after that header and before
# any further [[rule.threat]] entry, otherwise it would attach to the wrong element.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"