Processes Executing with Unusual Command Lines (RedCanary Threat Detection Report)
Detects non-powershell.exe processes executing with command lines that are usually associated with powershell. This is an example for demonstration purposes only. Part of the RedCanary 2023 Threat Detection Report.
Sigma rule
```yaml
title: Processes Executing with Unusual Command Lines (RedCanary Threat Detection Report)
id: 23aafdd3-8476-49a0-8377-54d26bf7847f
status: experimental
description: |
    Detects non-powershell.exe processes executing with command lines that are usually
    associated with powershell. This is an example for demonstration purposes only.
    Part of the RedCanary 2023 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2023/05/10
tags:
    - attack.defense_evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'iex'
            - 'invoke-expression'
    filter_pwsh:
        Image|endswith: '\powershell.exe'
    condition: selection and not filter_pwsh
falsepositives:
    - Unknown
level: low
```
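To see what `selection and not filter_pwsh` actually selects, here is an added Python example (not part of the rule or the Red Canary report) that re-implements the rule's matching over a few constructed process_creation events. It assumes Sigma's default string semantics (`contains` and `endswith` are case-insensitive) and deliberately includes two cases that fire although they are not renamed PowerShell: `pwsh.exe` and `iexplore.exe`.

```python
# Mirrors the rule's `selection` and `filter_pwsh` blocks. Assumes Sigma's
# default string semantics: `contains` and `endswith` are case-insensitive.
SELECTION_COMMANDLINE_CONTAINS = ("iex", "invoke-expression")
FILTER_IMAGE_ENDSWITH = "\\powershell.exe"

def selection_matches(event: dict) -> bool:
    """selection: CommandLine|contains any listed substring."""
    cmd = event.get("CommandLine", "").lower()
    return any(needle in cmd for needle in SELECTION_COMMANDLINE_CONTAINS)

def filter_pwsh_matches(event: dict) -> bool:
    """filter_pwsh: Image|endswith '\\powershell.exe'."""
    return event.get("Image", "").lower().endswith(FILTER_IMAGE_ENDSWITH)

def rule_matches(event: dict) -> bool:
    """condition: selection and not filter_pwsh"""
    return selection_matches(event) and not filter_pwsh_matches(event)

def alerting_images(events) -> list:
    """Return the Image of every event the rule fires on, in input order."""
    return [e["Image"] for e in events if rule_matches(e)]

# Constructed sample events (not real telemetry), one per behaviour of interest.
SAMPLE_EVENTS = [
    # Genuine powershell.exe: selection hits, filter_pwsh excludes it -> no alert.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "IEX $script"'},
    # powershell.exe copied under another name (T1036.003): filter misses -> alert.
    {"Image": r"C:\Users\Public\update.exe",
     "CommandLine": 'update.exe -nop -c "IEX $script"'},
    # PowerShell 7 is pwsh.exe, not powershell.exe -> alert; tune if pwsh is deployed.
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": 'pwsh.exe -c "Invoke-Expression $script"'},
    # 'iex' is a substring of 'iexplore' -> alert (a benign false positive).
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "CommandLine": r'"C:\Program Files\Internet Explorer\iexplore.exe" https://example.invalid'},
    # Ordinary process without interpreter keywords -> no alert.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for image in alerting_images(SAMPLE_EVENTS):
        print("ALERT:", image)
```

The `iexplore.exe` hit shows why a bare `contains: 'iex'` is noisy in practice; a production version of this rule would want the substring anchored (for example on surrounding whitespace or quotes) or an explicit filter for known interpreters.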
References
Related rules
- Potential Homoglyph Attack Using Lookalike Characters
- Unexpected Internal Process Name (RedCanary Threat Detection Report)
- Renamed Autohotkey Binary
- Suspicious Use of Rcedit Utility to Alter Executable Metadata
- Command or Scripting Interpreter Creating EXE File