Suspicious PowerShell Invocations - Generic
Detects suspicious PowerShell invocation command parameters
Sigma rule:
```yaml
title: Suspicious PowerShell Invocations - Generic
id: ed965133-513f-41d9-a441-e38076a0798f
related:
    - id: 3d304fda-78aa-43ed-975c-d740798a49c1
      type: derived
    - id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017-03-12
modified: 2023-01-03
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_encoded:
        ScriptBlockText|contains:
            - ' -enc '
            - ' -EncodedCommand '
            - ' -ec '
    selection_hidden:
        ScriptBlockText|contains:
            - ' -w hidden '
            - ' -window hidden '
            - ' -windowstyle hidden '
            - ' -w 1 '
    selection_noninteractive:
        ScriptBlockText|contains:
            - ' -noni '
            - ' -noninteractive '
    condition: all of selection*
falsepositives:
    - Very special / sneaky PowerShell scripts
level: high
```
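To show what `condition: all of selection*` actually requires, here is an added Python example (not part of the rule or the Sigma project) that re-implements the rule's matching logic and runs it over a handful of constructed Event ID 4104 `ScriptBlockText` values. It assumes the Sigma default that `contains` on a string field is a case-insensitive substring test, and it deliberately includes an event where `-enc` is the final token, because the rule's space-padded patterns (`' -enc '`) will not match a flag that is not followed by a space. The `ENCODED` payload is a harmless constructed value (`Get-Date`, UTF-16LE, base64), not anything from the page.

```python
import base64

# The rule's three selections, patterns copied verbatim from the Sigma rule above.
# Every pattern is padded with a space on both sides.
SELECTIONS = {
    "selection_encoded": [" -enc ", " -EncodedCommand ", " -ec "],
    "selection_hidden": [" -w hidden ", " -window hidden ", " -windowstyle hidden ", " -w 1 "],
    "selection_noninteractive": [" -noni ", " -noninteractive "],
}


def selection_matches(script_block_text, patterns):
    """Sigma's 'contains' modifier on a string field: case-insensitive substring test
    (assumption here: Sigma's default case-insensitive string matching)."""
    haystack = script_block_text.lower()
    return any(p.lower() in haystack for p in patterns)


def matched_selections(script_block_text):
    """Names of the selections that fire for one ScriptBlockText value."""
    return [name for name, pats in SELECTIONS.items()
            if selection_matches(script_block_text, pats)]


def rule_matches(script_block_text):
    """condition: all of selection*  ->  every selection must fire."""
    return len(matched_selections(script_block_text)) == len(SELECTIONS)


# -EncodedCommand takes base64 of a UTF-16LE string; this is a harmless constructed payload.
ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode()

# Constructed sample Event ID 4104 ScriptBlockText values (not real telemetry).
SAMPLE_EVENTS = [
    # 1: all three selections fire; mixed case exercises case-insensitive matching
    {"id": 1, "ScriptBlockText": f"powershell.exe -NoP -NonI -W Hidden -Enc {ENCODED}"},
    # 2: hidden + noninteractive but no encoded command -> no alert
    {"id": 2, "ScriptBlockText": "powershell.exe -noni -w hidden -c Get-Process"},
    # 3: '-enc' is the last token, so the space-padded ' -enc ' pattern never matches
    {"id": 3, "ScriptBlockText": "powershell.exe -w hidden -noni -enc"},
    # 4: alternative spellings of each flag
    {"id": 4, "ScriptBlockText": f"powershell.exe -ec {ENCODED} -windowstyle hidden -noninteractive -NoProfile"},
    # 5: ordinary admin one-liner -> no alert
    {"id": 5, "ScriptBlockText": "Get-ChildItem -Path C:\\Temp -Recurse | Measure-Object"},
]


def evaluate(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if rule_matches(e["ScriptBlockText"])]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        text = e["ScriptBlockText"]
        print(e["id"], rule_matches(text), matched_selections(text))
    print("alerts:", evaluate(SAMPLE_EVENTS))
```

Event 3 is the caveat worth remembering when tuning this rule: the padding spaces keep `-enc` from matching inside longer words, but they also mean a flag that ends the logged script block is missed, so a backend that anchors on token boundaries rather than literal spaces may be preferable.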
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell