HackTool - Empire PowerShell Launch Parameters
Detects the PowerShell command-line parameter strings that Empire's launchers and modules use when starting powershell.exe (for example -NoP -sta -NonI -W Hidden -Enc followed by the base64-encoded stager).
Sigma rule
title: HackTool - Empire PowerShell Launch Parameters
id: 79f4ede3-402e-41c8-bc3e-ebbf5f162581
status: test
description: Detects suspicious powershell command line parameters used in Empire
references:
  - https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
  - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
  - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
  - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
author: Florian Roth (Nextron Systems)
date: 2019-04-20
modified: 2023-02-21
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains:
      - ' -NoP -sta -NonI -W Hidden -Enc '
      - ' -noP -sta -w 1 -enc '
      - ' -NoP -NonI -W Hidden -enc '
      - ' -noP -sta -w 1 -enc'
      - ' -enc SQB'
      - ' -nop -exec bypass -EncodedCommand '
  condition: selection
falsepositives:
  - Other tools that incidentally use the same command line parameters
level: high