Suspicious PowerShell Invocations - Generic - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Sigma rule
```yaml
title: Suspicious PowerShell Invocations - Generic - PowerShell Module
id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
related:
    - id: 3d304fda-78aa-43ed-975c-d740798a49c1
      type: derived
    - id: ed965133-513f-41d9-a441-e38076a0798f
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (Nextron Systems)
date: 2017/03/12
modified: 2023/01/03
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_encoded:
        ContextInfo|contains:
            - ' -enc '
            - ' -EncodedCommand '
            - ' -ec '
    selection_hidden:
        ContextInfo|contains:
            - ' -w hidden '
            - ' -window hidden '
            - ' -windowstyle hidden '
            - ' -w 1 '
    selection_noninteractive:
        ContextInfo|contains:
            - ' -noni '
            - ' -noninteractive '
    condition: all of selection*
falsepositives:
    - Very special / sneaky PowerShell scripts
level: high
```
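The rule only fires when all three selections match the same `ContextInfo` value (Sigma's `|contains` is a case-insensitive substring test, and each pattern carries a leading and trailing space). The following is an added example, not SigmaHQ or Nextron code, that evaluates that condition over constructed PowerShell Module (4103) `ContextInfo` samples; the sample strings are invented for illustration.

```python
# Added example: evaluate this rule's "all of selection*" condition over
# constructed ContextInfo values. Matching is case-insensitive substring,
# which is Sigma's default for the |contains modifier.
SELECTIONS = {
    "selection_encoded": [" -enc ", " -EncodedCommand ", " -ec "],
    "selection_hidden": [" -w hidden ", " -window hidden ",
                         " -windowstyle hidden ", " -w 1 "],
    "selection_noninteractive": [" -noni ", " -noninteractive "],
}


def matched_selections(context_info: str) -> set:
    """Return the names of the selections whose any-of list matches."""
    haystack = context_info.lower()
    return {
        name
        for name, needles in SELECTIONS.items()
        if any(needle.lower() in haystack for needle in needles)
    }


def rule_matches(context_info: str) -> bool:
    """condition: all of selection* -> every selection must match."""
    return matched_selections(context_info) == set(SELECTIONS)


# Constructed ContextInfo samples (not real telemetry). The "Host Application"
# line of a 4103 event is where the invocation parameters normally appear.
SAMPLES = {
    # encoded + hidden + non-interactive: all three selections, rule fires
    "all_three": "Host Application = powershell.exe -NoNi -w hidden -enc SQBFAFgA ",
    # only hidden + encoded: two selections, rule stays silent
    "two_of_three": "Host Application = powershell.exe -w 1 -EncodedCommand SQBFAFgA ",
    # ordinary scheduled script: nothing matches
    "benign": "Host Application = powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
    # caveat: patterns end with a space, so a switch that is the last token
    # on the line (no trailing space) does not match its selection
    "trailing_switch": "Host Application = powershell.exe -noni -w hidden -enc",
}

if __name__ == "__main__":
    for label, ctx in SAMPLES.items():
        print(f"{label:16} fires={rule_matches(ctx)} "
              f"matched={sorted(matched_selections(ctx))}")
```

The last sample shows why the rule is tuned for precision over recall: a switch at the end of the field has no trailing space and so does not satisfy its selection.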
Related rules
- Change PowerShell Policies to an Insecure Level - PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
- Invoke-Obfuscation Via Use MSHTA - PowerShell Module
- Net WebClient Casing Anomalies