Suspicious PowerShell IEX Execution Patterns

Detects suspicious ways to run Invoke-Expression using the IEX alias

Sigma rule

title: Suspicious PowerShell IEX Execution Patterns
id: 09576804-7a05-458e-a817-eb718ca91f54
status: experimental
description: Detects suspicious ways to run Invoke-Expression using the IEX alias
references:
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2
author: Florian Roth (Nextron Systems)
date: 2022/03/24
modified: 2022/11/28
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_combined_1:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - ' | iex;'
            - ' | iex '
            - ' | iex}'
            - ' | IEX ;'
            - ' | IEX -Error'
            - ' | IEX (new'
            - ');IEX '
    selection_combined_2:
        CommandLine|contains:
            - '::FromBase64String'
            - '.GetString([System.Convert]::'
    selection_standalone:
        CommandLine|contains:
            - ')|iex;$'
            - ');iex($'
            - ');iex $'
            - ' | IEX | '
    condition: all of selection_combined* or selection_standalone
falsepositives:
    - Legitimate scripts that use IEX
level: high
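To see how the condition `all of selection_combined* or selection_standalone` behaves, the following added example (not part of the rule or the Sigma project) evaluates the three selections over constructed process_creation events. It assumes events are dicts with the rule's `Image` and `CommandLine` fields and that string matching is case-insensitive, as Sigma's `contains`/`endswith` modifiers are.

```python
# Added example: minimal evaluation of the rule's selections and condition.
# Not the Sigma project's code; events below are constructed for illustration.

IMAGES = ['\\powershell.exe', '\\pwsh.exe']
COMBINED_1 = [' | iex;', ' | iex ', ' | iex}', ' | IEX ;',
              ' | IEX -Error', ' | IEX (new', ');IEX ']
COMBINED_2 = ['::FromBase64String', '.GetString([System.Convert]::']
STANDALONE = [')|iex;$', ');iex($', ');iex $', ' | IEX | ']


def _contains_any(value, needles):
    # Sigma string modifiers match case-insensitively
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _endswith_any(value, needles):
    v = value.lower()
    return any(v.endswith(n.lower()) for n in needles)


def matches(event):
    image = event.get('Image', '')
    cmd = event.get('CommandLine', '')
    combined_1 = _endswith_any(image, IMAGES) and _contains_any(cmd, COMBINED_1)
    combined_2 = _contains_any(cmd, COMBINED_2)
    standalone = _contains_any(cmd, STANDALONE)
    # condition: all of selection_combined* or selection_standalone
    return (combined_1 and combined_2) or standalone


SAMPLE_EVENTS = [  # constructed events, not real telemetry
    # decode-then-pipe-to-iex: both combined selections hit -> alert
    {'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'CommandLine': 'powershell.exe -nop -c "[Text.Encoding]::UTF8.GetString('
                    '[System.Convert]::FromBase64String($b)) | iex;"'},
    # standalone pattern fires regardless of the parent image
    {'Image': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'cmd.exe /c powershell -c "(gc x.txt);iex $y"'},
    # plain IEX without the decode half: the documented false-positive case stays quiet
    {'Image': 'C:\\Program Files\\PowerShell\\7\\pwsh.exe',
     'CommandLine': 'pwsh.exe -c "Get-Content build.ps1 | iex "'},
    # base64 decode with no IEX at all -> no alert
    {'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'CommandLine': 'powershell.exe -c "[System.Convert]::FromBase64String($x) | Set-Content out.bin"'},
]


def evaluate(events=SAMPLE_EVENTS):
    # one boolean per event, in input order
    return [matches(e) for e in events]


if __name__ == '__main__':
    for e, hit in zip(SAMPLE_EVENTS, evaluate()):
        print('ALERT' if hit else 'ok   ', e['CommandLine'])
```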
