Powershell Obfuscated Commands (RedCanary Threat Detection Report)
Detects powershell command line strings with high numbers of suspicious characters, potentially for obfuscation. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: Powershell Obfuscated Commands (RedCanary Threat Detection Report)
id: df39fa21-d6b5-490e-85ef-d9b379707ac8
status: experimental
description: Detects powershell command line strings with high numbers of suspicious characters, potentially for obfuscation. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        # regex below looks for eight or more total instances of the suspicious characters
        CommandLine|re: '^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$'
    condition: selection
falsepositives:
    - Legitimate processes with long or convoluted command lines.
level: low
```
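To make the regex concrete, the following Python (an added example, not part of the rule or of Red Canary's report; the sample events are constructed) applies the rule's selection to a few process-creation records and reports how many counted characters each command line contains, including the long benign command line that the falsepositives entry warns about.

```python
import re

# Regex copied verbatim from the Sigma rule: a command line matches when it
# contains eight or more characters from the set  ^ = % ! [ ( ;  and space.
OBFUSCATION_RE = re.compile(r'^([^^=%![(; ]*[\^=%![(; ]){8,}[^^=%![(; ]*$')
SUSPICIOUS_CHARS = set('^=%![(; ')


def suspicious_char_count(command_line: str) -> int:
    """Number of characters in command_line that the rule's regex counts."""
    return sum(1 for ch in command_line if ch in SUSPICIOUS_CHARS)


def matches_rule(image: str, command_line: str) -> bool:
    """The rule's selection: Image ends with \\powershell.exe (Sigma string
    matching is case-insensitive) and CommandLine satisfies the regex."""
    if not image.lower().endswith('\\powershell.exe'):
        return False
    return OBFUSCATION_RE.match(command_line) is not None


# Constructed sample process_creation events (hypothetical, not from the report).
PS_IMAGE = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
SAMPLE_EVENTS = [
    # Ordinary script launch: only three counted characters (all spaces).
    (PS_IMAGE, r'powershell.exe -NoProfile -File C:\scripts\backup.ps1'),
    # Obfuscation-style one-liner built from [char] casts and sub-expressions.
    (PS_IMAGE, 'powershell.exe -NoP -W Hidden -C "$v=[char]72+[char]105;'
               '$f=(Get-Command Write-Host);&$f $v"'),
    # Same payload, but the image is cmd.exe, so the Image filter excludes it.
    (r'C:\Windows\System32\cmd.exe',
     'cmd.exe /c "$v=[char]72+[char]105;$f=(Get-Command Write-Host);&$f $v"'),
    # Long but benign command line: its eight spaces alone satisfy the regex,
    # which is the false positive the rule documents.
    (PS_IMAGE, r'powershell.exe -NoProfile -NonInteractive -File '
               r'C:\scripts\inventory.ps1 -Server srv01 -Output C:\reports\inv.csv'),
]


def evaluate(events=SAMPLE_EVENTS):
    """Return (counted characters, rule matched) for each event, in order."""
    return [(suspicious_char_count(cl), matches_rule(img, cl)) for img, cl in events]


if __name__ == '__main__':
    for (_, cmd), (count, hit) in zip(SAMPLE_EVENTS, evaluate()):
        print(f'{"ALERT" if hit else "     "} count={count:2d}  {cmd}')
```

Because a space is one of the counted characters, any PowerShell command line with eight or more arguments trips the rule on its own, which is why it ships at level low.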
Related rules
- Powershell Base64 Encoding (RedCanary Threat Detection Report)
- Powershell Encoded Command Switch (RedCanary Threat Detection Report)
- Suspicious Powershell Commandlets (RedCanary Threat Detection Report)
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION