Suspicious Windows Powershell Arguments

Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware installation leveraging PowerShell.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2024/09/06"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender", "crowdstrike"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware
installation leveraging PowerShell.
"""
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-windows.*",
    "logs-system.security*",
    "logs-windows.sysmon_operational-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*",
    "logs-crowdstrike.fdr*"
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Windows Powershell Arguments"
risk_score = 73
rule_id = "83bf249e-4348-47ba-9741-1202a09556ad"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: System",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : "powershell.exe" and
  (
   process.command_line :
        (
          "*^*^*^*^*^*^*^*^*^*",
          "*`*`*`*`*",
          "*+*+*+*+*+*+*",
          "*[char[]](*)*-join*",
          "*Base64String*",
          "*[*Convert]*",
          "*.Compression.*",
          "*-join($*",
          "*.replace*",
          "*MemoryStream*",
          "*WriteAllBytes*",
          "* -enc *",
          "* -ec *",
          "* /e *",
          "* /enc *",
          "* /ec *",
          "*WebClient*",
          "*DownloadFile*",
          "*DownloadString*",
          "* iex*",
          "* iwr*",
          "*Reflection.Assembly*",
          "*Assembly.GetType*",
          "*$env:temp\\*start*",
          "*powercat*",
          "*nslookup -q=txt*",
          "*$host.UI.PromptForCredential*",
          "*Net.Sockets.TCPClient*",
          "*curl *;Start*",
          "powershell.exe \"<#*",
          "*ssh -p *",
          "*http*|iex*",
          "*@SSL\\DavWWWRoot\\*.ps1*",
          "*.lnk*.Seek(0x*",
          "*[string]::join(*",
          "*[Array]::Reverse($*",
          "* hidden $(gc *",
          "*=wscri& set*",
          "*http'+'s://*",
          "*.content|i''Ex*",
          "*//:sptth*",
          "*//:ptth*",
          "*$*=Get-Content*AppData*.SubString(*$*",
          "*=cat *AppData*.substring(*);*$*"
        ) or

      (process.args : "-c" and process.args : "&{'*") or

      (process.args : "-Outfile" and process.args : "Start*") or

      (process.args : "-bxor" and process.args : "0x*") or

      process.args : "$*$*;set-alias" or

      (process.parent.name : ("explorer.exe", "cmd.exe") and
       process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*"))
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious Windows Powershell Arguments

PowerShell is a powerful scripting language and command-line shell used for task automation and configuration management in Windows environments. Adversaries exploit PowerShell's capabilities to execute malicious scripts, download payloads, and obfuscate commands. The detection rule identifies unusual PowerShell arguments indicative of such abuse, focusing on patterns like encoded commands, suspicious downloads, and obfuscation techniques, thereby flagging potential threats for further investigation.

### Possible investigation steps

- Review the process command line and arguments to identify any encoded or obfuscated content, such as Base64 strings or unusual character sequences, which may indicate malicious intent.
- Check the parent process of the PowerShell execution, especially if it is explorer.exe or cmd.exe, to determine if the PowerShell instance was launched from a suspicious or unexpected source.
- Investigate any network activity associated with the PowerShell process, particularly looking for connections to known malicious domains or IP addresses, or the use of suspicious commands like DownloadFile or DownloadString.
- Examine the user account associated with the PowerShell execution to determine if it aligns with expected behavior or if it might be compromised.
- Correlate the event with other security alerts or logs from the same host or user to identify patterns or additional indicators of compromise.
- Assess the risk and impact of the detected activity by considering the context of the environment, such as the presence of sensitive data or critical systems that might be affected.

### False positive analysis

- Legitimate administrative scripts may use encoded commands for obfuscation to protect sensitive data. Review the script's source and purpose to determine if it is authorized. If confirmed, add the script's hash or specific command pattern to an allowlist.
- Automated software deployment tools might use PowerShell to download and execute scripts from trusted internal sources. Verify the source and destination of the download. If legitimate, exclude the specific tool or process from the detection rule.
- System maintenance tasks often involve PowerShell scripts that manipulate files or system settings. Identify routine maintenance scripts and exclude their specific command patterns or file paths from triggering the rule.
- Security software may use PowerShell for scanning or remediation tasks, which can mimic suspicious behavior. Confirm the software's legitimacy and add its processes to an exception list to prevent false alerts.
- Developers might use PowerShell for testing or development purposes, which can include obfuscation techniques. Validate the developer's activities and exclude their specific development environments or scripts from the rule.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread or communication with potential command and control servers.
- Terminate any suspicious PowerShell processes identified by the detection rule to halt ongoing malicious activities.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious payloads or scripts.
- Review and clean up any unauthorized changes to system configurations or scheduled tasks that may have been altered by the malicious PowerShell activity.
- Restore any affected files or system components from known good backups to ensure system integrity and functionality.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional systems are compromised.
- Implement additional monitoring and logging for PowerShell activities across the network to enhance detection of similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
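To sanity-check how the query's clauses behave before tuning exclusions, here is an added Python example (not Elastic's code or part of the rule) that re-implements a subset of the EQL conditions as case-insensitive wildcard matching and runs them over constructed ECS-style process events; the event layout, the parent process names outside the rule, and the "AAAA" placeholder standing in for an encoded payload are assumptions.

```python
import re

# Subset of the rule's process.command_line wildcard list (copied from the rule above).
CMDLINE_PATTERNS = ["*Base64String*", "* -enc *", "* -ec *", "*DownloadString*",
                    "*http*|iex*", "*//:sptth*", "*WebClient*"]
# Only checked when the parent is explorer.exe or cmd.exe (last clause of the rule).
PARENT_PATTERNS = ["*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*"]

def wildcard(pattern):
    """EQL ':' compare: '*' is any run of characters, the rest is a case-insensitive literal."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + "$", re.IGNORECASE | re.DOTALL)

def any_arg(args, pattern):
    """process.args is an array; 'process.args : x' is true if any element matches."""
    return any(wildcard(pattern).match(a) for a in args)

def evaluate(event):
    """Return the rule clauses the event satisfies; an empty list means no alert."""
    if not (event.get("host.os.type") == "windows" and event.get("event.type") == "start"
            and wildcard("powershell.exe").match(event.get("process.name", ""))):
        return []
    cmd, args = event.get("process.command_line", ""), event.get("process.args", [])
    hits = [p for p in CMDLINE_PATTERNS if wildcard(p).match(cmd)]
    if any_arg(args, "-c") and any_arg(args, "&{'*"):
        hits.append("args:-c+&{'")
    if any_arg(args, "-bxor") and any_arg(args, "0x*"):
        hits.append("args:-bxor+0x")
    parent = event.get("process.parent.name", "")
    if wildcard("explorer.exe").match(parent) or wildcard("cmd.exe").match(parent):
        hits += ["parent:" + p for p in PARENT_PATTERNS if wildcard(p).match(cmd)]
    return hits

def make_event(parent, cmd, event_type="start"):
    """Build a constructed ECS-style event; args are split on whitespace for brevity."""
    return {"host.os.type": "windows", "event.type": event_type, "process.name": cmd.split()[0],
            "process.parent.name": parent, "process.command_line": cmd, "process.args": cmd.split()}

# Constructed sample events, not real telemetry; "AAAA" stands in for an encoded payload.
SAMPLE_EVENTS = {
    "admin_backup": make_event("svchost.exe", "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1"),
    "short_enc_flag": make_event("explorer.exe", "powershell.exe -w hidden -enc AAAA"),
    "long_enc_from_cmd": make_event("cmd.exe", "PowerShell.exe -nop -w hidden -EncodedCommand AAAA"),
    "not_a_start_event": make_event("cmd.exe", "powershell.exe -enc AAAA", event_type="end"),
}

def run_samples():
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}
```

Note that the long form `-EncodedCommand` is only caught by the parent-process clause, which is why the rule pairs it with explorer.exe and cmd.exe rather than listing it alongside `* -enc *`.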

