Suspicious PowerShell Invocations - Generic - PowerShell Module

Detects suspicious PowerShell invocation command parameters

Sigma rule

title: Suspicious PowerShell Invocations - Generic - PowerShell Module
id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
related:
    - id: 3d304fda-78aa-43ed-975c-d740798a49c1
      type: derived
    - id: ed965133-513f-41d9-a441-e38076a0798f
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (Nextron Systems)
date: 2017/03/12
modified: 2023/01/03
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_encoded:
        ContextInfo|contains:
            - ' -enc '
            - ' -EncodedCommand '
            - ' -ec '
    selection_hidden:
        ContextInfo|contains:
            - ' -w hidden '
            - ' -window hidden '
            - ' -windowstyle hidden '
            - ' -w 1 '
    selection_noninteractive:
        ContextInfo|contains:
            - ' -noni '
            - ' -noninteractive '
    condition: all of selection*
falsepositives:
    - Very special / sneaky PowerShell scripts
level: high
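As an added illustration (not part of the rule or of SigmaHQ), the following Python reimplements the detection block above and runs it over constructed PowerShell Module (ps_module) `ContextInfo` values. The sample events, their labels and the `<BASE64_PLACEHOLDER>` token are all constructed for this example; the patterns are copied from the rule, and string matching is done case-insensitively because that is the default for Sigma `|contains`.

```python
# Added example (not part of the Sigma rule or SigmaHQ): a minimal evaluator
# for this rule's detection block, run over constructed ContextInfo values
# of the kind found in PowerShell Module logging (ps_module) events.

# Patterns copied from the rule's three selections. Sigma string modifiers
# such as |contains are case-insensitive by default, so everything is
# compared in lower case.
SELECTIONS = {
    "selection_encoded": [" -enc ", " -encodedcommand ", " -ec "],
    "selection_hidden": [
        " -w hidden ", " -window hidden ", " -windowstyle hidden ", " -w 1 ",
    ],
    "selection_noninteractive": [" -noni ", " -noninteractive "],
}


def selection_hits(context_info: str) -> dict:
    """Which of the three selections fire for one ContextInfo value."""
    text = context_info.lower()
    return {
        name: any(pattern in text for pattern in patterns)
        for name, patterns in SELECTIONS.items()
    }


def rule_matches(context_info: str) -> bool:
    """condition: all of selection* -> every selection must have a hit."""
    return all(selection_hits(context_info).values())


# Constructed sample events (label, ContextInfo). The "Host Application ="
# line mirrors the layout of a 4103 event; the Base64 payload is a placeholder.
SAMPLE_EVENTS = [
    ("all_three_flags",
     "Severity = Informational\r\n Host Name = ConsoleHost\r\n"
     " Host Application = powershell.exe -NoNi -W hidden -enc <BASE64_PLACEHOLDER>\r\n"),
    ("missing_noninteractive",
     " Host Application = powershell.exe -w hidden -EncodedCommand <BASE64_PLACEHOLDER>\r\n"),
    ("benign_script_run",
     " Host Application = powershell.exe -NoProfile -File C:\\ops\\backup.ps1\r\n"),
    # '-w 1' is the last token on the line, so ' -w 1 ' (with trailing space)
    # cannot match: the hidden selection stays silent and the rule does not fire.
    ("w1_at_end_of_line",
     " Host Application = powershell.exe -noni -ec <BASE64_PLACEHOLDER> -w 1\r\n"),
]


def evaluate_samples() -> dict:
    """Map each sample label to whether the rule would fire on it."""
    return {label: rule_matches(ctx) for label, ctx in SAMPLE_EVENTS}


if __name__ == "__main__":
    for label, ctx in SAMPLE_EVENTS:
        hits = selection_hits(ctx)
        verdict = "ALERT" if all(hits.values()) else "no match"
        print(f"{label:24s} -> {verdict:8s} {hits}")
```

Two things the run makes visible: the `all of selection*` condition means a single suspicious flag (encoded command alone, hidden window alone) never fires this rule, which is why it can carry `level: high` with few false positives; and because every pattern is padded with spaces, a flag that ends the `Host Application` line (as in the `-w 1` sample) is not matched, so the rule trades a little recall for precision.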
