Suspicious PowerShell Invocations - Generic - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Sigma rule (View on GitHub)
1title: Suspicious PowerShell Invocations - Generic - PowerShell Module
2id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
3related:
4 - id: 3d304fda-78aa-43ed-975c-d740798a49c1
5 type: derived
6 - id: ed965133-513f-41d9-a441-e38076a0798f
7 type: similar
8status: test
9description: Detects suspicious PowerShell invocation command parameters
10references:
11 - Internal Research
12author: Florian Roth (Nextron Systems)
13date: 2017-03-12
14modified: 2023-01-03
15tags:
16 - attack.execution
17 - attack.t1059.001
18logsource:
19 product: windows
20 category: ps_module
21 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
22detection:
23 selection_encoded:
24 ContextInfo|contains:
25 - ' -enc '
26 - ' -EncodedCommand '
27 - ' -ec '
28 selection_hidden:
29 ContextInfo|contains:
30 - ' -w hidden '
31 - ' -window hidden '
32 - ' -windowstyle hidden '
33 - ' -w 1 '
34 selection_noninteractive:
35 ContextInfo|contains:
36 - ' -noni '
37 - ' -noninteractive '
38 condition: all of selection*
39falsepositives:
40 - Very special / sneaky PowerShell scripts
41level: high
References
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell