Suspicious PowerShell Invocations - Generic

Detects PowerShell script blocks (Script Block Logging, Event ID 4104) whose text contains a PowerShell invocation combining all three suspicious parameters: an encoded command, a hidden window, and the non-interactive switch.

Sigma rule

title: Suspicious PowerShell Invocations - Generic
id: ed965133-513f-41d9-a441-e38076a0798f
related:
    - id: 3d304fda-78aa-43ed-975c-d740798a49c1
      type: derived
    - id: bbb80e91-5746-4fbe-8898-122e2cafdbf4
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
    - Internal Research
author: Florian Roth (Nextron Systems)
date: 2017/03/12
modified: 2023/01/03
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_encoded:
        ScriptBlockText|contains:
            - ' -enc '
            - ' -EncodedCommand '
            - ' -ec '
    selection_hidden:
        ScriptBlockText|contains:
            - ' -w hidden '
            - ' -window hidden '
            - ' -windowstyle hidden '
            - ' -w 1 '
    selection_noninteractive:
        ScriptBlockText|contains:
            - ' -noni '
            - ' -noninteractive '
    condition: all of selection*
falsepositives:
    - Very special / sneaky PowerShell scripts
level: high
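The detection block above is three selections joined by `all of selection*`, so a script block has to satisfy every one of them: one of the encoded-command switches AND one of the hidden-window switches AND one of the non-interactive switches. Each `|contains` value is a case-insensitive substring match, and the literal leading and trailing spaces in the values are part of what is matched. The following Python is an added example for this page, not code from the SigmaHQ rule or its tooling: it re-implements that logic and runs it over a handful of constructed `ScriptBlockText` samples (not real telemetry) to show what fires, what does not, and two ways a script with the same flags can slip past the exact substrings listed.

```python
"""Evaluate the rule's detection logic over constructed ScriptBlockText samples.

Added example for this page; not part of the SigmaHQ rule or the Sigma tooling.
The selection values are copied from the rule; the sample events are made up.
"""
from typing import Dict, Iterable, List

# The three selections exactly as listed in the rule. Sigma's |contains modifier
# is a case-insensitive substring match, so the surrounding spaces are significant.
SELECTIONS: Dict[str, List[str]] = {
    "selection_encoded": [" -enc ", " -EncodedCommand ", " -ec "],
    "selection_hidden": [" -w hidden ", " -window hidden ", " -windowstyle hidden ", " -w 1 "],
    "selection_noninteractive": [" -noni ", " -noninteractive "],
}


def selection_matches(text: str, patterns: List[str]) -> bool:
    """A list of |contains values inside one selection is an OR over the values."""
    lowered = text.lower()
    return any(p.lower() in lowered for p in patterns)


def rule_matches(script_block_text: str) -> bool:
    """condition: all of selection*  ->  every selection must match (AND)."""
    return all(selection_matches(script_block_text, pats) for pats in SELECTIONS.values())


def evaluate(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the names of the constructed 4104-style events the rule fires on."""
    return [e["name"] for e in events if rule_matches(e["ScriptBlockText"])]


# Constructed sample script blocks (hypothetical; the base64 payload is filler).
B64 = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # launcher stage spawning a nested hidden, non-interactive, encoded PowerShell
        "name": "nested_launcher",
        "ScriptBlockText": 'Start-Process -FilePath powershell.exe -ArgumentList "-NoP -NonI -W Hidden -Enc ' + B64 + '"',
    },
    {   # only two of the three selections (hidden + encoded, no -noni): no alert
        "name": "two_of_three",
        "ScriptBlockText": "powershell.exe -w hidden -enc " + B64,
    },
    {   # ordinary admin script: no alert
        "name": "benign_admin",
        "ScriptBlockText": "Get-ChildItem -Path C:\\Logs -Recurse | Where-Object { $_.Length -gt 1MB }",
    },
    {   # all three behaviours, but -e is an abbreviation the rule does not list: missed
        "name": "short_flag_evasion",
        "ScriptBlockText": "powershell.exe -noni -w 1 -e " + B64,
    },
    {   # same switches as nested_launcher, but -enc ends its line, so ' -enc ' never occurs: missed
        "name": "flag_at_line_end",
        "ScriptBlockText": "powershell.exe -noni -w hidden -enc\n" + B64,
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        verdict = "ALERT" if rule_matches(event["ScriptBlockText"]) else "no match"
        print(f"{event['name']:>20}: {verdict}")
```

Two points the run makes visible. First, the log source matters: `ps_script` is the script block content, so the switches have to appear inside a script (typically a stage that launches a second, nested PowerShell); a plain `powershell.exe -enc ...` typed at a prompt is logged as its decoded command and is the territory of the process-creation variant this rule lists as related. Second, the space-delimited substrings are exact: powershell.exe accepts any unambiguous prefix of a parameter name (`-e` for `-EncodedCommand`, `-win` for `-WindowStyle`), and a switch that ends a line or sits before a quote has no trailing space, so both cases fall through. Tune the value lists or add a `|re` variant if those gaps matter in your environment, and expect the false positives the rule warns about to be rare.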
