Suspicious PowerShell Invocations - Specific - PowerShell Module

calendar Jan 29, 2024 · attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects suspicious PowerShell invocation command parameters

Sigma rule (View on GitHub)

 1title: Suspicious PowerShell Invocations - Specific - PowerShell Module
 2id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
 3related:
 4    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
 5      type: obsoletes
 6    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
 7      type: similar
 8    - id: 536e2947-3729-478c-9903-745aaffe60d2
 9      type: similar
10status: test
11description: Detects suspicious PowerShell invocation command parameters
12references:
13    - Internal Research
14author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
15date: 2017/03/05
16modified: 2023/01/05
17tags:
18    - attack.execution
19    - attack.t1059.001
20logsource:
21    product: windows
22    category: ps_module
23    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
24detection:
25    selection_convert_b64:
26        ContextInfo|contains|all:
27            - '-nop'
28            - ' -w '
29            - 'hidden'
30            - ' -c '
31            - '[Convert]::FromBase64String'
32    selection_iex:
33        ContextInfo|contains|all:
34            - ' -w '
35            - 'hidden'
36            - '-noni'
37            - '-nop'
38            - ' -c '
39            - 'iex'
40            - 'New-Object'
41    selection_enc:
42        ContextInfo|contains|all:
43            - ' -w '
44            - 'hidden'
45            - '-ep'
46            - 'bypass'
47            - '-Enc'
48    selection_reg:
49        ContextInfo|contains|all:
50            - 'powershell'
51            - 'reg'
52            - 'add'
53            - 'HKCU\software\microsoft\windows\currentversion\run'
54    selection_webclient:
55        ContextInfo|contains|all:
56            - 'bypass'
57            - '-noprofile'
58            - '-windowstyle'
59            - 'hidden'
60            - 'new-object'
61            - 'system.net.webclient'
62            - '.download'
63    selection_iex_webclient:
64        ContextInfo|contains|all:
65            - 'iex'
66            - 'New-Object'
67            - 'Net.WebClient'
68            - '.Download'
69    filter_chocolatey:
70        ContextInfo|contains:
71            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
72            - 'Write-ChocolateyWarning'
73    condition: 1 of selection_* and not 1 of filter_*
74falsepositives:
75    - Unknown
76level: high

References

Related rules

to-top