Powershell Inline Execution From A File

Aug 12, 2024 · attack.execution attack.t1059.001 ·

Detects inline execution of PowerShell code from a file

Sigma rule (View on GitHub)

 1title: Powershell Inline Execution From A File
 2id: ee218c12-627a-4d27-9e30-d6fb2fe22ed2
 3status: test
 4description: Detects inline execution of PowerShell code from a file
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=50
 7author: frack113
 8date: 2022-12-25
 9tags:
10    - attack.execution
11    - attack.t1059.001
12logsource:
13    product: windows
14    category: process_creation
15detection:
16    selection_exec:
17        CommandLine|contains:
18            - 'iex '
19            - 'Invoke-Expression '
20            - 'Invoke-Command '
21            - 'icm '
22    selection_read:
23        CommandLine|contains:
24            - 'cat '
25            - 'get-content '
26            - 'type '
27    selection_raw:
28        CommandLine|contains: ' -raw'
29    condition: all of selection_*
30falsepositives:
31    - Unknown
32level: medium

References

Hunting for PowerShell Abuse

PowerShell is the favorit tool of IT guys, who are responsible for administration of Windows infrastructures. It allows them to manage differen services…

Read More

Powershell Inline Execution From A File

Sigma rule (View on GitHub)

References

Hunting for PowerShell Abuse

Related rules