Suspicious PowerShell Invocations - Specific - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Sigma rule
title: Suspicious PowerShell Invocations - Specific - PowerShell Module
id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
related:
    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
      type: derived
    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
      type: similar
    - id: 536e2947-3729-478c-9903-745aaffe60d2
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2023/01/05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_module
    definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
    selection_convert_b64:
        ContextInfo|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
    selection_iex:
        ContextInfo|contains|all:
            - ' -w '
            - 'hidden'
            - '-noni'
            - '-nop'
            - ' -c '
            - 'iex'
            - 'New-Object'
    selection_enc:
        ContextInfo|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
    selection_reg:
        ContextInfo|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
            - 'HKCU\software\microsoft\windows\currentversion\run'
    selection_webclient:
        ContextInfo|contains|all:
            - 'bypass'
            - '-noprofile'
            - '-windowstyle'
            - 'hidden'
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
    selection_iex_webclient:
        ContextInfo|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
    filter_chocolatey:
        ContextInfo|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
            - 'Write-ChocolateyWarning'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
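To see how the condition `1 of selection_* and not 1 of filter_*` behaves on real-looking events, here is a small evaluator that transcribes the rule's selections and filter and runs them over a few constructed `ContextInfo` values. This is an added example, not code from the Sigma project or the rule's authors; it assumes Sigma's default `contains` semantics (case-insensitive substring, `|all` meaning every listed value must be present) and uses fixture strings written for this illustration rather than captured telemetry.

```python
# Added example (not part of the Sigma rule page): a minimal evaluator for
# this rule's detection block, run over constructed ContextInfo strings.
# Sigma's `contains` modifier is case-insensitive, so both sides are lowercased.

# The rule's selections, transcribed from the detection block above.
# Each selection uses `contains|all`: every needle must appear in the field.
SELECTIONS = {
    "selection_convert_b64": ["-nop", " -w ", "hidden", " -c ", "[Convert]::FromBase64String"],
    "selection_iex": [" -w ", "hidden", "-noni", "-nop", " -c ", "iex", "New-Object"],
    "selection_enc": [" -w ", "hidden", "-ep", "bypass", "-Enc"],
    "selection_reg": ["powershell", "reg", "add", r"HKCU\software\microsoft\windows\currentversion\run"],
    "selection_webclient": ["bypass", "-noprofile", "-windowstyle", "hidden",
                            "new-object", "system.net.webclient", ".download"],
    "selection_iex_webclient": ["iex", "New-Object", "Net.WebClient", ".Download"],
}

# The filter uses plain `contains` with a list, which means "any of these".
FILTERS = {
    "filter_chocolatey": [
        "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1",
        "Write-ChocolateyWarning",
    ],
}


def contains_all(text: str, needles: list[str]) -> bool:
    """Sigma `contains|all`: every value is a case-insensitive substring of the field."""
    t = text.lower()
    return all(n.lower() in t for n in needles)


def contains_any(text: str, needles: list[str]) -> bool:
    """Sigma `contains` with a list of values: any value is a substring."""
    t = text.lower()
    return any(n.lower() in t for n in needles)


def evaluate(context_info: str) -> tuple[bool, list[str], list[str]]:
    """Apply `1 of selection_* and not 1 of filter_*` to one ContextInfo value.

    Returns (alert, matched_selections, matched_filters) so that whoever tunes
    the rule can see why an event did or did not fire, not just the verdict.
    """
    matched = [name for name, needles in SELECTIONS.items() if contains_all(context_info, needles)]
    filtered = [name for name, needles in FILTERS.items() if contains_any(context_info, needles)]
    alert = bool(matched) and not filtered
    return alert, matched, filtered


# Constructed sample ContextInfo values (test fixtures, not real telemetry).
SAMPLES = {
    # hidden window plus an inline Base64 decode: hits selection_convert_b64
    "b64_inline": "powershell.exe -nop -w hidden -c [Convert]::FromBase64String('QUJD')",
    # Run-key write through reg.exe: hits selection_reg (placeholder path)
    "run_key": r"powershell -c reg add HKCU\software\microsoft\windows\currentversion\run "
               r"/v Updater /d C:\placeholder.exe",
    # the Chocolatey installer one-liner: hits two selections but is suppressed
    # by filter_chocolatey, the false positive the rule explicitly carves out
    "chocolatey": "powershell -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                  "iex ((New-Object System.Net.WebClient).DownloadString("
                  "'https://community.chocolatey.org/install.ps1'))",
    # ordinary administration: no selection matches
    "benign": "Get-Process | Where-Object { $_.CPU -gt 100 }",
}


if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        alert, matched, filtered = evaluate(ctx)
        print(f"{name:11} alert={alert!s:5} matched={matched} filtered={filtered}")
```

Two details worth noticing when tuning: the `-nop` needle also matches inside `-NoProfile`, so the `' -w '` needle (with its surrounding spaces) is what keeps `selection_convert_b64` from firing on the Chocolatey line; and the filter suppresses the whole event even though two selections match, which is exactly what `not 1 of filter_*` means.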
Related rules
- Change PowerShell Policies to an Insecure Level - PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell
- Invoke-Obfuscation Obfuscated IEX Invocation - PowerShell Module
- Invoke-Obfuscation Via Use MSHTA - PowerShell Module
- Net WebClient Casing Anomalies