Processes Executing with Unusual Command Lines
Detects PowerShell command lines (iex / Invoke-Expression) run by a process whose image name is not powershell.exe, which can indicate a renamed PowerShell binary (T1036.003, Rename System Utilities). Part of the RedCanary 2024 Threat Detection Report.
Sigma rule
```yaml
title: Processes Executing with Unusual Command Lines
id: 4108fe33-1d66-4111-a698-53b4ecc15dc4
status: experimental
description: |
    Detects powershell command lines used with a process name besides powershell. Part
    of the RedCanary 2024 Threat Detection Report.
references:
    - https://redcanary.com/threat-detection-report/techniques/rename-system-utilities/
author: RedCanary, Sigma formatting by Micah Babinski
date: 2024/03/21
tags:
    - attack.defense_evasion
    - attack.t1036
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'iex'
            - 'invoke-expression'
    filter:
        # Only the Windows PowerShell image is excluded; pwsh.exe (PowerShell 7)
        # is not in this filter and will therefore match the rule as written.
        Image|endswith: '\powershell.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: low
```
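The rule's detection block as an added, runnable illustration (not RedCanary's or Sigma's own code): a small evaluator of `selection and not filter` over constructed process_creation events, lower-casing fields because Sigma string matching is case-insensitive by default. The image paths and command lines in the sample events are constructed, not real telemetry.

```python
# Added example: a minimal evaluator for the rule's detection logic
# (selection / filter / condition), run over constructed sample events.
# Not RedCanary's or Sigma's own code. Sigma string matching is
# case-insensitive by default, so both fields are lower-cased first.

# Detection block transcribed from the rule above.
SELECTION_CONTAINS = ("iex", "invoke-expression")  # CommandLine|contains
FILTER_ENDSWITH = ("\\powershell.exe",)            # Image|endswith


def matches(event: dict) -> bool:
    """True when `selection and not filter` holds for one process_creation event."""
    cmdline = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    selection = any(token in cmdline for token in SELECTION_CONTAINS)
    # Only powershell.exe is excluded; pwsh.exe (PowerShell 7) is not in the
    # filter and therefore still alerts, as the rule is written.
    filtered = any(image.endswith(suffix) for suffix in FILTER_ENDSWITH)
    return selection and not filtered


# Constructed sample events (hypothetical paths and command lines, not real telemetry).
SAMPLE_EVENTS = [
    {   # PowerShell copied under another name and running Invoke-Expression: alerts
        "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
        "CommandLine": r"updater.exe -NoP -c IEX (Get-Content C:\Temp\a.ps1 -Raw)",
    },
    {   # genuine powershell.exe: excluded by the filter
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -c Invoke-Expression (Get-Content .\build.ps1 -Raw)",
    },
    {   # PowerShell 7: not covered by the filter, so it alerts (tune locally if noisy)
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": "pwsh.exe -c iex 'Get-Date'",
    },
    {   # unrelated process without PowerShell syntax: no alert
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\Temp",
    },
]


def alerting_images(events=SAMPLE_EVENTS) -> list:
    """Image paths of every event the rule would flag, in input order."""
    return [e["Image"] for e in events if matches(e)]


if __name__ == "__main__":
    for image in alerting_images():
        print("ALERT:", image)
```

The third sample shows why a local tuning of the filter (adding `\pwsh.exe`) is worth considering before deploying the rule at scale.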
Related rules
- Unexpected Internal Process Name
- Potential Homoglyph Attack Using Lookalike Characters
- Suspicious Use of Rcedit Utility to Alter Executable Metadata
- Command or Scripting Interpreter Creating EXE File
- File Creation of Executables in Temp Folders (Event 4663)