Suspicious PowerShell Invocations - Specific - ProcessCreation
Detects suspicious PowerShell invocation command parameters
Sigma rule (View on GitHub)
1title: Suspicious PowerShell Invocations - Specific - ProcessCreation
2id: 536e2947-3729-478c-9903-745aaffe60d2
3related:
4 - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
5 type: obsoletes
6 - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
7 type: similar
8 - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
9 type: similar
10status: test
11description: Detects suspicious PowerShell invocation command parameters
12references:
13 - Internal Research
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2023/01/05
16tags:
17 - attack.defense_evasion
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection_convert_b64:
23 CommandLine|contains|all:
24 - '-nop'
25 - ' -w '
26 - 'hidden'
27 - ' -c '
28 - '[Convert]::FromBase64String'
29 selection_iex:
30 CommandLine|contains|all:
31 - ' -w '
32 - 'hidden'
33 - '-noni'
34 - '-nop'
35 - ' -c '
36 - 'iex'
37 - 'New-Object'
38 selection_enc:
39 CommandLine|contains|all:
40 - ' -w '
41 - 'hidden'
42 - '-ep'
43 - 'bypass'
44 - '-Enc'
45 selection_reg:
46 CommandLine|contains|all:
47 - 'powershell'
48 - 'reg'
49 - 'add'
50 - '\software\'
51 selection_webclient:
52 CommandLine|contains|all:
53 - 'bypass'
54 - '-noprofile'
55 - '-windowstyle'
56 - 'hidden'
57 - 'new-object'
58 - 'system.net.webclient'
59 - '.download'
60 selection_iex_webclient:
61 CommandLine|contains|all:
62 - 'iex'
63 - 'New-Object'
64 - 'Net.WebClient'
65 - '.Download'
66 filter_chocolatey:
67 CommandLine|contains:
68 - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
69 - 'Write-ChocolateyWarning'
70 condition: 1 of selection_* and not 1 of filter_*
71falsepositives:
72 - Unknown
73level: medium
References
Related rules
- AWS Config Disabling Channel/Recorder
- Bitsadmin to Uncommon IP Server Address
- Cisco Clear Logs
- Cisco Crypto Commands
- Cisco Disabling Logging