Potential Encoded PowerShell Patterns In CommandLine
Detects specific combinations of encoding methods in PowerShell via the commandline
Sigma rule (View on GitHub)
1title: Potential Encoded PowerShell Patterns In CommandLine
2id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
3related:
4 - id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6
5 type: similar
6status: test
7description: Detects specific combinations of encoding methods in PowerShell via the commandline
8references:
9 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
10author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
11date: 2020-10-11
12modified: 2023-01-26
13tags:
14 - attack.defense-evasion
15 - attack.t1027
16 - attack.execution
17 - attack.t1059.001
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_img:
23 - Image|endswith:
24 - '\powershell.exe'
25 - '\pwsh.exe'
26 - OriginalFileName:
27 - 'PowerShell.EXE'
28 - 'pwsh.dll'
29 selection_to_1:
30 CommandLine|contains:
31 - 'ToInt'
32 - 'ToDecimal'
33 - 'ToByte'
34 - 'ToUint'
35 - 'ToSingle'
36 - 'ToSByte'
37 selection_to_2:
38 CommandLine|contains:
39 - 'ToChar'
40 - 'ToString'
41 - 'String'
42 selection_gen_1:
43 CommandLine|contains|all:
44 - 'char'
45 - 'join'
46 selection_gen_2:
47 CommandLine|contains|all:
48 - 'split'
49 - 'join'
50 condition: selection_img and (all of selection_to_* or 1 of selection_gen_*)
51falsepositives:
52 - Unknown
53level: low
References
-
PowerShell is the favorit tool of IT guys, who are responsible for administration of Windows infrastructures. It allows them to manage differen services…
Read More
Related rules
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Invoke-Obfuscation CLIP+ Launcher
- Invoke-Obfuscation CLIP+ Launcher - PowerShell
- Invoke-Obfuscation CLIP+ Launcher - PowerShell Module
- Invoke-Obfuscation CLIP+ Launcher - Security