Obfuscated PowerShell OneLiner Execution
Detects the execution of a specific PowerShell one-liner that downloads PowerShell modules and executes them in memory.
Sigma rule

title: Obfuscated PowerShell OneLiner Execution
id: 44e24481-6202-4c62-9127-5a0ae8e3fe3d
status: test
description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
author: '@Kostastsale, @TheDFIRReport'
references:
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
date: 2022-05-09
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1059.001
    - attack.t1562.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - 'http://127.0.0.1'
            - '%{(IRM $_)}'
            - '.SubString.ToString()[67,72,64]-Join'
            - 'Import-Module'
    condition: selection
falsepositives:
    - Unknown
level: high
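The selection above combines an `endswith` match on the image path with a `contains|all` match on the command line, so every one of the four strings must be present before the rule fires. The following Python evaluator is an added example (not the rule's own code and not a Sigma backend) that models that logic and runs it over three constructed process_creation events; Sigma string modifiers compare case-insensitively, which is why both sides are lowercased.

```python
# Added example: minimal evaluator for this rule's `selection` block.
# Not Sigma's own code. Sigma string matching is case-insensitive, hence .lower().
from typing import Iterable

SELECTION = {
    "Image|endswith": "\\powershell.exe",
    "CommandLine|contains|all": [
        "http://127.0.0.1",
        "%{(IRM $_)}",
        ".SubString.ToString()[67,72,64]-Join",
        "Import-Module",
    ],
}

def _field_matches(event: dict, key: str, expected) -> bool:
    """Evaluate one `Field|modifier[|all]` entry against an event."""
    field, *mods = key.split("|")
    value = str(event.get(field, "")).lower()
    patterns = [p.lower() for p in (expected if isinstance(expected, list) else [expected])]
    if "endswith" in mods:
        tests = (value.endswith(p) for p in patterns)
    elif "contains" in mods:
        tests = (p in value for p in patterns)
    else:  # plain equality
        tests = (value == p for p in patterns)
    # `all` requires every listed value; without it, any single value suffices
    return all(tests) if "all" in mods else any(tests)

def matches_rule(event: dict) -> bool:
    """condition: selection -> every entry of the selection map must hold."""
    return all(_field_matches(event, k, v) for k, v in SELECTION.items())

def triage(events: Iterable[dict]) -> list[str]:
    """Return the (constructed) EventIDs of events the rule would alert on."""
    return [e["EventID"] for e in events if matches_rule(e)]

# Constructed events. evt-1 carries the rule's four indicators joined by
# placeholder text; it is not a working command line, only a detection fixture.
SAMPLE_EVENTS = [
    {"EventID": "evt-1",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe ... 'http://127.0.0.1' ... %{(IRM $_)} ... "
                    ".SubString.ToString()[67,72,64]-Join ... Import-Module"},
    # Ordinary admin use: one indicator present, the other three absent
    {"EventID": "evt-2",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command Import-Module ActiveDirectory"},
    # All four strings but a different image: Image|endswith fails
    {"EventID": "evt-3",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c echo http://127.0.0.1 %{(IRM $_)} "
                    ".SubString.ToString()[67,72,64]-Join Import-Module"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # ['evt-1']
```

Only evt-1 satisfies both the image check and all four substrings; evt-2 shows why `all` keeps routine `Import-Module` usage out of the alert set.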
Related rules
- AMSI Bypass Pattern Assembly GetType
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Detection of PowerShell Execution via Sqlps.exe
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent