Potential PowerShell Command Line Obfuscation

calendar Apr 15, 2024 · attack.execution attack.defense_evasion attack.t1027 attack.t1059.001  ·
Share on: linkedin copy

Detects the PowerShell command lines with special characters

Sigma rule (View on GitHub)

 1title: Potential PowerShell Command Line Obfuscation
 2id: d7bcd677-645d-4691-a8d4-7a5602b780d1
 3status: test
 4description: Detects the PowerShell command lines with special characters
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
 7author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp)
 8date: 2020/10/15
 9modified: 2024/04/15
10tags:
11    - attack.execution
12    - attack.defense_evasion
13    - attack.t1027
14    - attack.t1059.001
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        - Image|endswith:
21              - '\powershell.exe'
22              - '\pwsh.exe'
23        - OriginalFileName:
24              - 'PowerShell.EXE'
25              - 'pwsh.dll'
26    selection_re:
27        # TODO: Optimize for PySIGMA
28        - CommandLine|re: '\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+'
29        - CommandLine|re: '\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{'
30        - CommandLine|re: '\^.*\^.*\^.*\^.*\^'
31        - CommandLine|re: '`.*`.*`.*`.*`'
32    filter_optional_amazonSSM:
33        ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
34    filter_optional_defender_atp:
35        CommandLine|contains:
36            - 'new EventSource("Microsoft.Windows.Sense.Client.Management"'
37            - 'public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);'
38    condition: all of selection_* and not 1 of filter_optional_*
39falsepositives:
40    - Amazon SSM Document Worker
41    - Windows Defender ATP
42level: high

References

  • Hunting for PowerShell Abuse

    PowerShell is the favorit tool of IT guys, who are responsible for administration of Windows infrastructures. It allows them to manage differen services of the operating system and automate almost anything. But along with administrators, PowerShell also is liked by attackers and malware authors. The reason PowerShell is so attractive for adversaries is quite obvious: it has been included in essentially every Windows operating system by default for a decade, provides access to Windows API, and is rarely constrained, thus allowing adversaries to perform different tasks without risking being blocked. ttackers can use PowerShell to direct the execution of a local script, retrieve and execute remote resources using various network protocols, encode payloads passed via the command line, or load PowerShell into other processes. Because of so prevalence of PowerShell among adversaries for Threat Hunters it is very important to be able to detect malicious uses of PowerShell and defend against it. In the presentation author is going to demostrate an approaches for detection of PowerShell abuses based on different event sources like native Windows logging capabilities as well as usage of additional tools, like Sysmon or EDR solutions. How to collect traces of using PowerShell, how to filter out false positives, and how to find evidence of malicious uses among the remaining after filtering volume of events — all these questions will be answered in the talk for present and future threat hunters.


    Read More

Related rules

to-top