Run PowerShell Script from Redirected Input Stream
Detects PowerShell script execution via input stream redirect
Sigma rule (View on GitHub)
1title: Run PowerShell Script from Redirected Input Stream
2id: c83bf4b5-cdf0-437c-90fa-43d734f7c476
3status: test
4description: Detects PowerShell script execution via input stream redirect
5references:
6 - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml
7 - https://twitter.com/Moriarty_Meng/status/984380793383370752
8author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
9date: 2020-10-17
10modified: 2021-11-27
11tags:
12 - attack.defense-evasion
13 - attack.execution
14 - attack.t1059
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 Image|endswith:
21 - '\powershell.exe'
22 - '\pwsh.exe'
23 CommandLine|re: '\s-\s*<'
24 condition: selection
25falsepositives:
26 - Unknown
27level: high
References
Related rules
- Add Insecure Download Source To Winget
- Add New Download Source To Winget
- Install New Package Via Winget Local Manifest
- Payload Decoded and Decrypted via Built-in Utilities
- Potential Arbitrary Command Execution Via FTP.EXE