Suspicious PowerShell Invocations - Specific

Detects suspicious PowerShell invocation command parameters

Sigma rule (View on GitHub)

# Sigma rule: flags PowerShell script blocks whose text carries combinations of
# invocation switches and payload-staging idioms that are seldom seen together
# in benign administration (hidden window + no profile + base64/IEX/WebClient).
title: Suspicious PowerShell Invocations - Specific
id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
# Lineage: this rule was derived from the first listed rule and overlaps in
# scope with the two marked "similar"; tune them together to avoid duplicate alerts.
related:
    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
      type: derived
    - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
      type: similar
    - id: 536e2947-3729-478c-9903-745aaffe60d2
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017/03/05
modified: 2023/01/05
# ATT&CK mapping: Execution / Command and Scripting Interpreter: PowerShell.
tags:
    - attack.execution
    - attack.t1059.001
# Source is PowerShell script block logging (ps_script); the definition below
# states the logging prerequisite — without it the rule never fires.
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    # Each selection uses contains|all: every listed substring must occur
    # somewhere in ScriptBlockText. Substrings padded with spaces (' -w ',
    # ' -c ') presumably target the parameter token rather than any '-w'
    # inside a longer word — confirm against the intended matching semantics.
    # Hidden window, no profile, inline command, base64-decoded payload.
    selection_convert_b64:
        ScriptBlockText|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
    # Non-interactive hidden launch that instantiates an object and pipes to iex.
    selection_iex_selection:
        ScriptBlockText|contains|all:
            - ' -w '
            - 'hidden'
            - '-noni'
            - '-nop'
            - ' -c '
            - 'iex'
            - 'New-Object'
    # Hidden window with execution policy bypass and an encoded command.
    selection_enc_selection:
        ScriptBlockText|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
    # PowerShell writing a Run-key autostart entry via reg add (persistence).
    selection_reg_selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
            - 'HKCU\software\microsoft\windows\currentversion\run'
    # Long-form switches (noprofile / windowstyle hidden) plus WebClient download.
    selection_webclient_selection:
        ScriptBlockText|contains|all:
            - 'bypass'
            - '-noprofile'
            - '-windowstyle'
            - 'hidden'
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
    # Download-and-execute idiom without any launch switches; this is the
    # broadest selection and the one most likely to need environment filters.
    selection_iex_webclient:
        ScriptBlockText|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
    # Known-good exclusion: the official Chocolatey install one-liner. Note the
    # first entry stops before the closing quote and parenthesis — presumably
    # intentional to tolerate trailing characters; confirm before tightening it.
    filter_chocolatey:
        ScriptBlockText|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
            - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
            - 'Write-ChocolateyWarning'
    # Fires when any selection matches and no filter matches.
    condition: 1 of selection_* and not 1 of filter_*
# No catalogued benign sources; extend filter_* with deployment tooling that
# legitimately uses these patterns rather than lowering the level.
falsepositives:
    - Unknown
level: high

Related rules
