Suspicious PowerShell Invocations - Specific - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Sigma rule
title: Suspicious PowerShell Invocations - Specific - PowerShell Module
id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
related:
    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
      type: obsolete
    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
      type: similar
    - id: 536e2947-3729-478c-9903-745aaffe60d2
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
    - Internal Research
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017-03-05
modified: 2025-02-17
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_convert_b64:
        ContextInfo|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
    selection_iex:
        ContextInfo|contains|all:
            - ' -w '
            - 'hidden'
            - '-noni'
            - '-nop'
            - ' -c '
            - 'iex'
            - 'New-Object'
    selection_enc:
        ContextInfo|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
    selection_reg:
        ContextInfo|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
        ContextInfo|contains:
            - '\software\microsoft\windows\currentversion\run'
            - '\software\wow6432node\microsoft\windows\currentversion\run'
            - '\software\microsoft\windows\currentversion\policies\explorer\run'
    selection_webclient:
        ContextInfo|contains|all:
            - 'bypass'
            - '-noprofile'
            - '-windowstyle'
            - 'hidden'
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
    selection_iex_webclient:
        ContextInfo|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
    filter_chocolatey:
        ContextInfo|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
            - 'Write-ChocolateyWarning'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
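To check how the detection block evaluates, here is an added Python evaluator (not SigmaHQ's or the rule authors' code) that implements the Sigma matching semantics this rule relies on and runs them over ContextInfo samples; the sample command lines, value names and file paths are constructed placeholders, not real telemetry.

```python
# Added example (not SigmaHQ code): a small evaluator for this rule's detection block.
# Sigma 'contains' is a case-insensitive substring test; '|all' needs every listed
# value, a plain list needs any one; fields within a selection are ANDed.
SELECTIONS = {
    "selection_convert_b64": [("all", ["-nop", " -w ", "hidden", " -c ",
                                       "[Convert]::FromBase64String"])],
    "selection_iex": [("all", [" -w ", "hidden", "-noni", "-nop", " -c ",
                               "iex", "New-Object"])],
    "selection_enc": [("all", [" -w ", "hidden", "-ep", "bypass", "-Enc"])],
    "selection_reg": [("all", ["powershell", "reg", "add"]),
                      ("any", [r"\software\microsoft\windows\currentversion\run",
                               r"\software\wow6432node\microsoft\windows\currentversion\run",
                               r"\software\microsoft\windows\currentversion\policies\explorer\run"])],
    "selection_webclient": [("all", ["bypass", "-noprofile", "-windowstyle", "hidden",
                                     "new-object", "system.net.webclient", ".download"])],
    "selection_iex_webclient": [("all", ["iex", "New-Object", "Net.WebClient", ".Download"])],
}
FILTERS = {
    "filter_chocolatey": [("any", [
        "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1",
        "Write-ChocolateyWarning"])],
}

def _clause(context_info, mode, needles):
    hay = context_info.lower()
    hits = (n.lower() in hay for n in needles)
    return all(hits) if mode == "all" else any(hits)

def _selection(context_info, clauses):
    return all(_clause(context_info, mode, needles) for mode, needles in clauses)

def matched_selections(context_info):
    # Names of the selection_* blocks that fire on this ContextInfo value.
    return [name for name, clauses in SELECTIONS.items() if _selection(context_info, clauses)]

def rule_matches(context_info):
    # condition: 1 of selection_* and not 1 of filter_*
    if not matched_selections(context_info):
        return False
    return not any(_selection(context_info, c) for c in FILTERS.values())

# Constructed ContextInfo samples (not real telemetry); names and paths are placeholders.
SAMPLES = {
    "b64": "powershell.exe -nop -w hidden -c [Convert]::FromBase64String('QQ==')",
    "run_key": r"powershell reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\placeholder.exe",
    "choco": "iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))",
    "benign": r"Get-ChildItem -Path C:\Users -Recurse",
}
for name, line in SAMPLES.items():
    print(f"{name:8} match={rule_matches(line)} via={matched_selections(line)}")
```

The Chocolatey sample shows why the filter exists: it trips selection_iex_webclient but is suppressed by filter_chocolatey, so the rule does not fire on it.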
Related rules
- Suspicious PowerShell Invocations - Specific
- Suspicious CrushFTP Child Process
- Obfuscated PowerShell OneLiner Execution
- Scheduled Task Executing Encoded Payload from Registry
- Custom Cobalt Strike Command Execution