Suspicious PowerShell Encoded Command Patterns

calendar Feb 12, 2024 · attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains

Sigma rule (View on GitHub)

 1title: Suspicious PowerShell Encoded Command Patterns
 2id: b9d9cc83-380b-4ba3-8d8f-60c0e7e2930c
 3status: test
 4description: Detects PowerShell command line patterns in combincation with encoded commands that often appear in malware infection chains
 5references:
 6    - https://app.any.run/tasks/b9040c63-c140-479b-ad59-f1bb56ce7a97/
 7author: Florian Roth (Nextron Systems)
 8date: 2022/05/24
 9modified: 2023/01/05
10tags:
11    - attack.execution
12    - attack.t1059.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection_img:
18        - Image|endswith:
19              - '\powershell.exe'
20              - '\pwsh.exe'
21        - OriginalFileName:
22              - 'PowerShell.Exe'
23              - 'pwsh.dll'
24    selection_flags:
25        CommandLine|contains:
26            - ' -e '
27            - ' -en '
28            - ' -enc '
29            - ' -enco'
30    selection_encoded:
31        CommandLine|contains:
32            - ' JAB'
33            - ' SUVYI'
34            - ' SQBFAFgA'
35            - ' aWV4I'
36            - ' IAB'
37            - ' PAA'
38            - ' aQBlAHgA'
39    filter_gcworker:
40        ParentImage|contains:
41            - 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
42            - '\gc_worker.exe'
43    condition: all of selection_* and not 1 of filter_*
44falsepositives:
45    - Other tools that work with encoded scripts in the command line instead of script files
46level: high

References

Related rules

to-top