Process Executing with Unusual Command Lines
Looks for the execution of non-powershell process with command lines matching common powershell format. Inspired by the 2022 Red Canary Threat Detection report.
Sigma rule (View on GitHub)
1title: Process Executing with Unusual Command Lines
2id: 1b7bc524-7d66-4902-9524-0e22e5cbe667
3status: experimental
4description: Looks for the execution of non-powershell process with command lines
5 matching common powershell format. Inspired by the 2022 Red Canary Threat Detection
6 report.
7references:
8 - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
9author: Micah Babinski
10date: 2022/11/04
11tags:
12 - attack.defense_evasion
13 - attack.t1036.003
14logsource:
15 category: process_creation
16 product: windows
17detection:
18 filter:
19 Image|endswith: '\powershell.exe'
20 selection:
21 CommandLine|contains:
22 - 'iex'
23 - 'invoke-expression'
24 condition: selection and not filter
25falsepositives:
26 - Unknown
27level: high```
References
-
Adversaries rename system utilities to circumvent security controls and bypass detection logic dependent on process names and process paths.
Read More
Related rules
- Process Executing with Unusual Command Lines
- Unexpected Internal Process Name
- Abusing PowerShell to Disable Defender Components
- Abusing PowerShell to Modify Defender Components
- Application Bypass with RunDLL32 and DllRegisterServer Function