Suspicious PowerShell Invocations - Generic - PowerShell Module

Detects suspicious PowerShell invocation command parameters

Sigma rule (View on GitHub)

 1title: Suspicious PowerShell Invocations - Generic - PowerShell Module
 2id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
 3related:
 4    - id: 3d304fda-78aa-43ed-975c-d740798a49c1
 5      type: derived
 6    - id: ed965133-513f-41d9-a441-e38076a0798f
 7      type: similar
 8status: test
 9description: Detects suspicious PowerShell invocation command parameters
10references:
11    - Internal Research
12author: Florian Roth (Nextron Systems)
13date: 2017-03-12
14modified: 2023-01-03
15tags:
16    - attack.execution
17    - attack.t1059.001
18logsource:
19    product: windows
20    category: ps_module
21    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
22detection:
23    selection_encoded:
24        ContextInfo|contains:
25            - ' -enc '
26            - ' -EncodedCommand '
27            - ' -ec '
28    selection_hidden:
29        ContextInfo|contains:
30            - ' -w hidden '
31            - ' -window hidden '
32            - ' -windowstyle hidden '
33            - ' -w 1 '
34    selection_noninteractive:
35        ContextInfo|contains:
36            - ' -noni '
37            - ' -noninteractive '
38    condition: all of selection*
39falsepositives:
40    - Very special / sneaky PowerShell scripts
41level: high

References

Related rules

to-top