Suspicious PowerShell IEX Execution Patterns

 1title: Suspicious PowerShell IEX Execution Patterns
 2id: 09576804-7a05-458e-a817-eb718ca91f54
 3status: test
 4description: Detects suspicious ways to run Invoke-Execution using IEX alias
 5references:
 6    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
 7    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
 8author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 9date: 2022/03/24
10modified: 2022/11/28
11tags:
12    - attack.execution
13    - attack.t1059.001
14logsource:
15    product: windows
16    category: process_creation
17detection:
18    selection_combined_1:
19        Image|endswith:
20            - '\powershell.exe'
21            - '\pwsh.exe'
22        CommandLine|contains:
23            - ' | iex;'
24            - ' | iex '
25            - ' | iex}'
26            - ' | IEX ;'
27            - ' | IEX -Error'
28            - ' | IEX (new'
29            - ');IEX '
30    selection_combined_2:
31        CommandLine|contains:
32            - '::FromBase64String'
33            - '.GetString([System.Convert]::'
34    selection_standalone:
35        CommandLine|contains:
36            - ')|iex;$'
37            - ');iex($'
38            - ');iex $'
39            - ' | IEX | '
40            - ' | iex\"'
41    condition: all of selection_combined_* or selection_standalone
42falsepositives:
43    - Legitimate scripts that use IEX
44level: high

References

• Invoke-Expression (Microsoft.PowerShell.Utility) - PowerShell

  

  The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command. Without Invoke-Expression, a string submitted at the command line is returned (echoed) unchanged. Expressions are evaluated and run in the current scope. For more information, see about_Scopes. Caution Take reasonable precautions when using the Invoke-Expression cmdlet in scripts. When using Invoke-Expression to run a command that the user enters, verify that the command is safe to run before running it. In general, it is best to design your script with predefined input options, rather than allowing freeform input.

  
  Read More

• SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708)

  

  Adversaries have been VERY busy in the wake of the ScreenConnect vulnerabilities (CVE-2024-1709 & CVE-2024-1708). Here’s all the post-exploitation details, tradecraft, and tactics we’ve observed so far!

  
  Read More

Related rules

• Custom Cobalt Strike Command Execution
• Malicious Base64 Encoded PowerShell Keywords in Command Lines
• Potential Remote PowerShell Session Initiated
• Suspicious PowerShell Encoded Command Patterns
• BloodHound Collection Files