Suspicious PowerShell Invocations - Specific

Detects suspicious PowerShell invocation command parameters

Sigma rule

title: Suspicious PowerShell Invocations - Specific
id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
related:
    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
      type: obsolete
    - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
      type: similar
    - id: 536e2947-3729-478c-9903-745aaffe60d2
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
    - Internal Research
    - https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017-03-05
modified: 2025-02-17
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_convert_b64:
        ScriptBlockText|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
    selection_iex_selection:
        ScriptBlockText|contains|all:
            - ' -w '
            - 'hidden'
            - '-noni'
            - '-nop'
            - ' -c '
            - 'iex'
            - 'New-Object'
    selection_enc_selection:
        ScriptBlockText|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
    selection_reg_selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
        ScriptBlockText|contains:
            - '\software\microsoft\windows\currentversion\run'
            - '\software\wow6432node\microsoft\windows\currentversion\run'
            - '\software\microsoft\windows\currentversion\policies\explorer\run'
    selection_webclient_selection:
        ScriptBlockText|contains|all:
            - 'bypass'
            - '-noprofile'
            - '-windowstyle'
            - 'hidden'
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
    selection_iex_webclient:
        ScriptBlockText|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
    filter_chocolatey:
        ScriptBlockText|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
            - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
            - 'Write-ChocolateyWarning'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high
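The following is an added example, not code from the Sigma project or the rule's authors. It transcribes the rule's detection section into plain Python, re-implements the `contains` and `contains|all` modifiers (Sigma string matching is case-insensitive by default, so values are compared lowercased), applies the condition `1 of selection_* and not 1 of filter_*`, and runs the result over three constructed ScriptBlockText samples. The sample strings are made up for this example and are not real telemetry; the third sample decodes the harmless literal `QUJD` ("ABC"). The point it makes is the one a detection engineer needs before deploying the rule: the Chocolatey install one-liner trips `selection_iex_webclient` and is rescued only by `filter_chocolatey`, so any local software-deployment script that downloads and invokes code the same way will need its own filter.

```python
"""Evaluate the Sigma rule above against constructed ScriptBlockText samples.

Added example, not Sigma project code. The selection/filter tables below are a
transcription of the rule's detection section; the matching semantics
(case-insensitive substring, AND within a selection, OR across a list) follow
Sigma's default string handling.
"""

# Each selection is a list of clauses; every clause must hold (implicit AND).
# A clause is (mode, values): "all" for contains|all, "any" for plain contains.
SELECTIONS = {
    "selection_convert_b64": [
        ("all", ["-nop", " -w ", "hidden", " -c ", "[Convert]::FromBase64String"]),
    ],
    "selection_iex_selection": [
        ("all", [" -w ", "hidden", "-noni", "-nop", " -c ", "iex", "New-Object"]),
    ],
    "selection_enc_selection": [
        ("all", [" -w ", "hidden", "-ep", "bypass", "-Enc"]),
    ],
    "selection_reg_selection": [
        ("all", ["powershell", "reg", "add"]),
        ("any", [
            r"\software\microsoft\windows\currentversion\run",
            r"\software\wow6432node\microsoft\windows\currentversion\run",
            r"\software\microsoft\windows\currentversion\policies\explorer\run",
        ]),
    ],
    "selection_webclient_selection": [
        ("all", ["bypass", "-noprofile", "-windowstyle", "hidden",
                 "new-object", "system.net.webclient", ".download"]),
    ],
    "selection_iex_webclient": [
        ("all", ["iex", "New-Object", "Net.WebClient", ".Download"]),
    ],
}

FILTERS = {
    "filter_chocolatey": [
        ("any", [
            "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1",
            "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')",
            "Write-ChocolateyWarning",
        ]),
    ],
}


def clause_matches(text, mode, values):
    """contains / contains|all with Sigma's default case-insensitive matching."""
    haystack = text.lower()
    hits = [value.lower() in haystack for value in values]
    return all(hits) if mode == "all" else any(hits)


def block_matches(text, clauses):
    """All clauses of one selection or filter must hold."""
    return all(clause_matches(text, mode, values) for mode, values in clauses)


def evaluate(script_block_text):
    """Apply the condition '1 of selection_* and not 1 of filter_*'.

    Returns (alert, matched_selections, matched_filters) so callers can see
    not only whether the rule fires but which part of it fired.
    """
    matched_selections = [name for name, clauses in SELECTIONS.items()
                          if block_matches(script_block_text, clauses)]
    matched_filters = [name for name, clauses in FILTERS.items()
                       if block_matches(script_block_text, clauses)]
    alert = bool(matched_selections) and not matched_filters
    return alert, matched_selections, matched_filters


# Constructed sample ScriptBlockText values (not real logs).
SAMPLES = {
    # Ordinary administration: matches nothing.
    "benign": "Get-Process | Where-Object { $_.CPU -gt 100 }",
    # Chocolatey bootstrap: hits selection_iex_webclient, suppressed by filter_chocolatey.
    "chocolatey_install": "Set-ExecutionPolicy Bypass -Scope Process -Force; "
        "iex ((New-Object System.Net.WebClient).DownloadString("
        "'https://community.chocolatey.org/install.ps1'))",
    # Hidden window plus Base64 decode of the harmless literal 'QUJD' ("ABC"):
    # hits selection_convert_b64 and nothing filters it.
    "hidden_b64_decode": "powershell.exe -nop -w hidden -c "
        "\"[Convert]::FromBase64String('QUJD')\"",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        alert, sels, fils = evaluate(text)
        print(f"{name}: alert={alert} selections={sels} filters={fils}")
```

Running the block prints one line per sample; only `hidden_b64_decode` alerts. Note that the `' -w '` and `' -c '` values carry surrounding spaces, so a script block written as `-w hidden` fires while `-WindowStyle Hidden` is caught only by `selection_webclient_selection` when the other tokens in that list are also present. A production backend translates these modifiers into the SIEM's own query language, and some backends are case-sensitive or tokenise differently, so the behaviour shown here should be re-checked against the deployed backend rather than assumed.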
