Suspicious PowerShell Invocations - Specific - ProcessCreation
Detects suspicious PowerShell invocation command parameters
Sigma rule (View on GitHub)
title: Suspicious PowerShell Invocations - Specific - ProcessCreation
id: 536e2947-3729-478c-9903-745aaffe60d2
related:
    - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
      type: derived
    - id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
      type: similar
    - id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
      type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/01/05
tags:
    - attack.defense_evasion
logsource:
    category: process_creation
    product: windows
detection:
    selection_convert_b64:
        CommandLine|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
    selection_iex:
        CommandLine|contains|all:
            - ' -w '
            - 'hidden'
            - '-noni'
            - '-nop'
            - ' -c '
            - 'iex'
            - 'New-Object'
    selection_enc:
        CommandLine|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
    selection_reg:
        CommandLine|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
            - '\software\'
    selection_webclient:
        CommandLine|contains|all:
            - 'bypass'
            - '-noprofile'
            - '-windowstyle'
            - 'hidden'
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
    selection_iex_webclient:
        CommandLine|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
    filter_chocolatey:
        CommandLine|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
            - 'Write-ChocolateyWarning'
    condition: 1 of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: medium
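To sanity-check what the condition above actually fires on, the following Python re-implements the rule's `contains|all` selections, its `contains` filter and the `1 of selection_* and not 1 of filter_*` condition, and runs them over a few constructed process-creation command lines. This is an added example, not code from the Sigma project or the rule author; the sample command lines and the `SAMPLES` names are constructed for illustration. Two details a backend must honour are visible here: Sigma string matching is case-insensitive unless the `cased` modifier is used, and needles such as `' -w '` and `' -c '` carry their surrounding spaces, so a command line that runs the switch into a neighbouring token will not match.

```python
# Reference evaluation of the rule's detection logic (added example, not
# the Sigma project's code). All sample command lines below are constructed.

SELECTIONS = {
    # CommandLine|contains|all: every needle must appear in the command line
    "selection_convert_b64": ["-nop", " -w ", "hidden", " -c ", "[Convert]::FromBase64String"],
    "selection_iex": [" -w ", "hidden", "-noni", "-nop", " -c ", "iex", "New-Object"],
    "selection_enc": [" -w ", "hidden", "-ep", "bypass", "-Enc"],
    # YAML single quotes keep the backslashes literal: the needle is \software\
    "selection_reg": ["powershell", "reg", "add", "\\software\\"],
    "selection_webclient": ["bypass", "-noprofile", "-windowstyle", "hidden",
                            "new-object", "system.net.webclient", ".download"],
    "selection_iex_webclient": ["iex", "New-Object", "Net.WebClient", ".Download"],
}

FILTERS = {
    # CommandLine|contains with a list: any single needle is enough to match
    "filter_chocolatey": [
        "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1",
        "Write-ChocolateyWarning",
    ],
}


def contains(haystack, needle, cased=False):
    """Sigma 'contains': case-insensitive unless the 'cased' modifier is set."""
    if cased:
        return needle in haystack
    return needle.lower() in haystack.lower()


def contains_all(cmdline, needles, cased=False):
    return all(contains(cmdline, n, cased) for n in needles)


def contains_any(cmdline, needles, cased=False):
    return any(contains(cmdline, n, cased) for n in needles)


def matched_selections(cmdline, cased=False):
    """Names of the selection_* blocks whose needles all occur in cmdline."""
    return [name for name, needles in SELECTIONS.items()
            if contains_all(cmdline, needles, cased)]


def matched_filters(cmdline, cased=False):
    """Names of the filter_* blocks with at least one needle in cmdline."""
    return [name for name, needles in FILTERS.items()
            if contains_any(cmdline, needles, cased)]


def evaluate(cmdline, cased=False):
    """condition: 1 of selection_* and not 1 of filter_*"""
    return bool(matched_selections(cmdline, cased)) and not matched_filters(cmdline, cased)


# Constructed sample events (hypothetical; the base64 'QQ==' decodes to the letter A).
SAMPLES = {
    # all five needles of selection_convert_b64 are present
    "b64_hidden": 'powershell.exe -nop -w hidden -c "[Convert]::FromBase64String(\'QQ==\')"',
    # selection_iex matches only because Sigma matching ignores case
    "mixed_case": 'PowerShell.exe -W Hidden -NonI -NoP -C "IEX (New-Object Net.WebClient)"',
    # selection_iex_webclient matches, but filter_chocolatey removes it
    "chocolatey": ("powershell -NoProfile -ExecutionPolicy Bypass -Command "
                   "\"iex ((New-Object System.Net.WebClient)"
                   ".DownloadString('https://community.chocolatey.org/install.ps1'))\""),
    # ordinary administration: no selection is complete
    "benign": "powershell.exe -NoProfile -Command Get-Process",
}


if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(f"{name:<11} alert={evaluate(cmd)!s:<5} "
              f"selections={matched_selections(cmd)} filters={matched_filters(cmd)}")
```

Running the block prints one line per sample; `benign` shows why the filter-free selections are built from several needles at once: `-NoProfile` alone already satisfies the `'-nop'` substring, and only the combination with `' -w '`, `'hidden'` and `' -c '` turns it into a hit. Passing `cased=True` to `matched_selections` on the `mixed_case` sample returns an empty list, which is the behaviour a backend would get if it silently dropped Sigma's default case-insensitivity.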
Related rules
- AgentExecutor PowerShell Execution
- Change User Account Associated with the FAX Service
- Change the Fax Dll
- Exchange PowerShell Cmdlet History Deleted
- ImagingDevices Unusual Parent/Child Processes