Suspicious PowerShell Invocations - Specific - ProcessCreation
Detects suspicious PowerShell invocation command parameters
Sigma rule
title: Suspicious PowerShell Invocations - Specific - ProcessCreation
id: 536e2947-3729-478c-9903-745aaffe60d2
related:
    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
      type: obsolete
    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
      type: similar
    - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
    - Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-01-05
tags:
    - attack.defense-evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_convert_b64:
        CommandLine|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
    selection_iex:
        CommandLine|contains|all:
            - ' -w '
            - 'hidden'
            - '-noni'
            - '-nop'
            - ' -c '
            - 'iex'
            - 'New-Object'
    selection_enc:
        CommandLine|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
    selection_reg:
        CommandLine|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
            - '\software\'
    selection_webclient:
        CommandLine|contains|all:
            - 'bypass'
            - '-noprofile'
            - '-windowstyle'
            - 'hidden'
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
    selection_iex_webclient:
        CommandLine|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
    filter_chocolatey:
        CommandLine|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
            - 'Write-ChocolateyWarning'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
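The following Python script is an added example, not part of the Sigma project or of this rule; it re-implements the rule's detection section as a plain matcher so the condition `1 of selection_* and not 1 of filter_*` can be exercised against a handful of constructed process-creation events. It assumes Sigma's default string semantics (`contains` is a case-insensitive substring test, `contains|all` requires every listed value) and stands in for a real Sigma backend only for illustration. The sample command lines are constructed for the demonstration; the Chocolatey line reproduces the installer invocation that the rule's filter is written for.

```python
# Added example: evaluate this rule's detection logic over sample events.
# Selection and filter values are transcribed from the rule above.
SELECTIONS = {
    "selection_convert_b64": ["-nop", " -w ", "hidden", " -c ",
                              "[Convert]::FromBase64String"],
    "selection_iex": [" -w ", "hidden", "-noni", "-nop", " -c ",
                      "iex", "New-Object"],
    "selection_enc": [" -w ", "hidden", "-ep", "bypass", "-Enc"],
    "selection_reg": ["powershell", "reg", "add", "\\software\\"],
    "selection_webclient": ["bypass", "-noprofile", "-windowstyle", "hidden",
                            "new-object", "system.net.webclient", ".download"],
    "selection_iex_webclient": ["iex", "New-Object", "Net.WebClient", ".Download"],
}
FILTERS = {
    "filter_chocolatey": [
        "(New-Object System.Net.WebClient).DownloadString("
        "'https://community.chocolatey.org/install.ps1",
        "Write-ChocolateyWarning",
    ],
}


def contains_all(command_line, needles):
    """Sigma `contains|all`: every value must appear, case-insensitively."""
    hay = command_line.lower()
    return all(n.lower() in hay for n in needles)


def contains_any(command_line, needles):
    """Sigma `contains` with a list: any value may appear, case-insensitively."""
    hay = command_line.lower()
    return any(n.lower() in hay for n in needles)


def evaluate(event):
    """Apply `1 of selection_* and not 1 of filter_*` to one process event.

    Returns which selections and filters fired alongside the final verdict,
    which is what an analyst wants when tuning false positives.
    """
    cmd = event.get("CommandLine", "")
    selections = [name for name, vals in SELECTIONS.items() if contains_all(cmd, vals)]
    filters = [name for name, vals in FILTERS.items() if contains_any(cmd, vals)]
    return {"match": bool(selections) and not filters,
            "selections": selections, "filters": filters}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    # Ordinary admin use: '-nop' is a substring of '-NoProfile', which is why
    # every selection requires several values together rather than one token.
    "benign_get_process": {
        "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    # Chocolatey bootstrap: hits selection_iex_webclient but is excluded by the filter.
    "chocolatey_install": {
        "CommandLine": 'powershell.exe -NoProfile -ExecutionPolicy Bypass -Command '
                       '"iex ((New-Object System.Net.WebClient).DownloadString('
                       "'https://community.chocolatey.org/install.ps1'))\""},
    # Registry write under \Software\ via PowerShell: selection_reg fires, no filter.
    "reg_add_software": {
        "CommandLine": r'powershell.exe -Command "reg add HKCU\Software\ExampleVendor'
                       r' /v Telemetry /t REG_DWORD /d 0"'},
    # Upper-case flags with a placeholder payload: shows matching is case-insensitive.
    "upper_case_enc": {
        "CommandLine": "POWERSHELL.EXE -W HIDDEN -EP BYPASS -ENC <base64-placeholder>"},
}


def run_samples():
    """Evaluate every constructed event and return name -> verdict."""
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20} match={verdict['match']!s:5} "
              f"selections={verdict['selections']} filters={verdict['filters']}")
```

Running the script shows the two sides of the filter: the Chocolatey line trips `selection_iex_webclient` yet produces no alert because `filter_chocolatey` also fires, whereas the `reg add` and upper-case `-Enc` lines alert on `selection_reg` and `selection_enc` respectively. When tuning, inspect the `selections` list rather than only the boolean, since a new filter should be scoped to the selection that is actually causing the noise.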