HackTool - Empire PowerShell Launch Parameters

Detects suspicious powershell command line parameters used in Empire

Sigma rule

title: HackTool - Empire PowerShell Launch Parameters
id: 79f4ede3-402e-41c8-bc3e-ebbf5f162581
status: test
description: Detects suspicious powershell command line parameters used in Empire
references:
    - https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
author: Florian Roth (Nextron Systems)
date: 2019/04/20
modified: 2023/02/21
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - ' -NoP -sta -NonI -W Hidden -Enc '
            - ' -noP -sta -w 1 -enc '
            - ' -NoP -NonI -W Hidden -enc '
            - ' -noP -sta -w 1 -enc'
            - ' -enc  SQB'
            - ' -nop -exec bypass -EncodedCommand '
    condition: selection
falsepositives:
    - Other tools that incidentally use the same command line parameters
level: high
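To show what the selection above actually matches, here is an added Python evaluator (not part of the rule or of the SigmaHQ project) that applies the rule's `CommandLine|contains` list to constructed process_creation events; it assumes events are dicts with `Image` and `CommandLine` fields, and the Base64 payloads in the samples are truncated placeholders.

```python
# Minimal evaluator for the rule's `CommandLine|contains` selection.
# Sigma's `contains` modifier is a case-insensitive substring test, so
# both sides are lowercased before comparison. Patterns are copied verbatim
# from the rule, including leading/trailing and double spaces.
EMPIRE_LAUNCH_PATTERNS = [
    ' -NoP -sta -NonI -W Hidden -Enc ',
    ' -noP -sta -w 1 -enc ',
    ' -NoP -NonI -W Hidden -enc ',
    ' -noP -sta -w 1 -enc',          # superset of the previous entry; both fire on the same line
    ' -enc  SQB',                     # two spaces; 'SQB' is the Base64 prefix of UTF-16LE text starting with "I"
    ' -nop -exec bypass -EncodedCommand ',
]


def matches_empire_launch(command_line: str) -> list:
    """Return the rule patterns found in command_line (empty list = no alert)."""
    haystack = command_line.lower()
    return [p for p in EMPIRE_LAUNCH_PATTERNS if p.lower() in haystack]


def evaluate(events: list) -> list:
    """Apply the rule to process_creation events; return (Image, patterns) per hit."""
    hits = []
    for ev in events:
        found = matches_empire_launch(ev.get("CommandLine", ""))
        if found:
            hits.append((ev.get("Image", ""), found))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry); payloads are truncated placeholders.
SAMPLE_EVENTS = [
    # Hit: Empire-style launcher, matched case-insensitively.
    {"Image": PS, "CommandLine": r"powershell -nop -sta -noni -w hidden -enc SQBFAFgA..."},
    # Hit: the -exec bypass / -EncodedCommand variant.
    {"Image": PS, "CommandLine": r"powershell.exe -nop -exec bypass -EncodedCommand UwBPAFMA..."},
    # No hit: benign admin script using long-form parameters in a different order.
    {"Image": PS, "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    # No hit: single space before the payload, so ' -enc  SQB' does not match.
    {"Image": PS, "CommandLine": r"powershell -enc SQBFAFgA..."},
]

if __name__ == "__main__":
    for image, patterns in evaluate(SAMPLE_EVENTS):
        print(image, "->", patterns)
```

The last two samples illustrate the rule's boundaries: the exact-substring patterns do not fire on reordered or long-form parameters, and the `' -enc  SQB'` entry depends on the double space, so encoded-command abuse that does not use these exact launch strings needs separate coverage.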
