PowerShell -encodedcommand Switch

This detection analytic looks for the execution of powershell.exe with command lines that include variations of the -encodedcommand argument. powershell.exe accepts any abbreviation of the switch from -e onward (-e, -en, -enc, and so on), and the switch itself appears in cleartext in the command line, outside the encoded payload. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule (View on GitHub)

```yaml
title: PowerShell -encodedcommand Switch
id: 2f0c5dcb-71aa-44d7-abc6-dac43f121138
status: experimental
description: |
    This detection analytic looks for the execution of powershell.exe with command
    lines that include variations of the -encodedcommand argument; PowerShell will
    recognize and accept anything from -e onward, and it will show up outside of
    the encoded bits. Part of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.001
    - attack.defense_evasion
    - attack.t1027
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-e '
            - '-en '
            - '-enc '
            - '-enco '
    condition: selection
falsepositives:
    - Unknown
level: low
```
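The following Python is an added example (not part of the rule page or the Sigma project) that evaluates the rule's `selection` logic over constructed process_creation events. Sigma's `contains` and `endswith` modifiers are case-insensitive by default, which the matcher reproduces. It also enumerates every abbreviation of `-encodedcommand` that powershell.exe accepts (the "anything from -e onward" in the description) and reports which of them the four listed patterns do not cover, a coverage check a detection engineer would want before tuning the rule. The event dictionaries and the base64 fragment are constructed sample data, not real telemetry.

```python
"""Evaluate the 'PowerShell -encodedcommand Switch' selection over sample events.

Added example, not code from the rule page or the Sigma repository.
All events below are constructed samples.
"""

# Values copied from the rule's detection block. Sigma string modifiers are
# case-insensitive by default, so both sides are lower-cased before comparing.
IMAGE_SUFFIX = "\\powershell.exe"
COMMANDLINE_PATTERNS = ["-e ", "-en ", "-enc ", "-enco "]

# Constructed path for the Windows PowerShell binary (assumption for the samples).
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies 'selection' (Image AND CommandLine)."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    return any(pattern in cmdline for pattern in COMMANDLINE_PATTERNS)


def encodedcommand_prefixes() -> list:
    """Every abbreviation powershell.exe accepts: '-e', '-en', ..., '-encodedcommand'."""
    full = "encodedcommand"
    return ["-" + full[:i] for i in range(1, len(full) + 1)]


def uncovered_prefixes() -> list:
    """Abbreviations that the rule's four patterns would not fire on."""
    missed = []
    for prefix in encodedcommand_prefixes():
        sample = {"Image": PS_IMAGE,
                  "CommandLine": f"powershell.exe {prefix} SQBFAFgA"}  # constructed
        if not matches_rule(sample):
            missed.append(prefix)
    return missed


def evaluate(events: list) -> list:
    """Return the CommandLine of every event the rule matches, in input order."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


# Constructed sample events: two that should fire, two that should not.
SAMPLE_EVENTS = [
    {"Image": PS_IMAGE,
     "CommandLine": "powershell.exe -nop -w hidden -EnC SQBFAFgA"},
    {"Image": PS_IMAGE,
     "CommandLine": "powershell.exe -ep bypass -e SQBFAFgA"},
    # Legitimate script launch: no encoded-command switch present.
    {"Image": PS_IMAGE,
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    # Image is cmd.exe, so the Image condition fails even though the text matches.
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -enc SQBFAFgA"},
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print("MATCH:", line)
    print("Abbreviations not covered by the rule:", uncovered_prefixes())
```

The last call shows the gap worth knowing about: the four patterns stop at `-enco `, so longer spellings such as `-encoded ` or the full `-encodedcommand ` do not trigger the rule unless the pattern list is extended. The fourth sample also illustrates that the `Image|endswith` condition means a PowerShell launch seen only in a parent cmd.exe event is not matched; the child powershell.exe process_creation event is what fires.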
