Process Executing with Unusual Command Lines

Looks for the execution of a non-PowerShell process whose command line matches common PowerShell syntax (the `iex` / `Invoke-Expression` cmdlet), which is what a renamed PowerShell binary looks like in process-creation telemetry. Inspired by the 2022 Red Canary Threat Detection Report.

Sigma rule

```yaml
title: Process Executing with Unusual Command Lines
id: 1b7bc524-7d66-4902-9524-0e22e5cbe667
status: experimental
description: Looks for the execution of non-powershell process with command lines
    matching common powershell format. Inspired by the 2022 Red Canary Threat Detection
    report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
author: Micah Babinski
date: 2022/11/04
tags:
    - attack.defense_evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    filter:
        Image|endswith: '\powershell.exe'
    selection:
        CommandLine|contains:
            - 'iex'
            - 'invoke-expression'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
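The rule's `selection and not filter` logic, re-implemented in Python as an added example (not part of the rule or of Sigma itself) and run over a few constructed process_creation events. Sigma string modifiers match case-insensitively, so comparisons are lowercased; the sample image paths and command lines are invented for illustration.

```python
# Added example: evaluate the Sigma rule above against process_creation events.
# Sigma's |contains and |endswith are case-insensitive by default, so we lowercase.

SELECTION_TERMS = ("iex", "invoke-expression")   # CommandLine|contains
FILTER_SUFFIX = "\\powershell.exe"               # Image|endswith


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection and not filter'."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    selection = any(term in cmdline for term in SELECTION_TERMS)
    filter_hit = image.endswith(FILTER_SUFFIX)
    return selection and not filter_hit


def evaluate(events):
    """Apply the rule to a batch of events and return the ones that alert."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths and command lines, not real telemetry).
SAMPLE_EVENTS = [
    # Genuine powershell.exe using IEX: excluded by the filter, no alert.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -Command IEX (Get-Content .\\build.ps1)"},
    # Binary with a non-PowerShell name but PowerShell-style command line: alert.
    {"Image": r"C:\Users\Public\update.exe",
     "CommandLine": "update.exe -Command invoke-expression (Get-Content .\\s.txt)"},
    # Ordinary cmd.exe invocation: no selection match, no alert.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    # Hypothetical tool whose name merely contains the substring "iex":
    # the rule alerts on it too, showing one source of false positives.
    {"Image": r"C:\Program Files\Vendor\kiex.exe",
     "CommandLine": "kiex.exe --verbose"},
]

if __name__ == "__main__":
    for e in evaluate(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "|", e["CommandLine"])
```

The last event illustrates why `falsepositives` is listed as Unknown: a bare substring match on `iex` also fires on unrelated paths or arguments, so tuning (for example requiring a word boundary around `iex`) is worth testing against your own baseline.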
