Run PowerShell Script from Redirected Input Stream

 1title: Run PowerShell Script from Redirected Input Stream
 2id: c83bf4b5-cdf0-437c-90fa-43d734f7c476
 3status: test
 4description: Detects PowerShell script execution via input stream redirect
 5references:
 6    - https://github.com/LOLBAS-Project/LOLBAS/blob/4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834/yml/LOLUtilz/OSBinaries/Powershell.yml
 7    - https://twitter.com/Moriarty_Meng/status/984380793383370752
 8author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community
 9date: 2020/10/17
10modified: 2021/11/27
11tags:
12    - attack.defense_evasion
13    - attack.execution
14    - attack.t1059
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        Image|endswith:
21            - '\powershell.exe'
22            - '\pwsh.exe'
23        CommandLine|re: '\s-\s*<'
24    condition: selection
25falsepositives:
26    - Unknown
27level: high

References

• LOLBAS/yml/LOLUtilz/OSBinaries/Powershell.yml at 4db780e0f0b2e2bb8cb1fa13e09196da9b9f1834 · LOLBAS-Project/LOLBAS

  

  Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts) - LOLBAS-Project/LOLBAS

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Flash Player Update from Suspicious Location
• Hacktool Ruler
• NTFS Alternate Data Stream
• Potential PowerShell Downgrade Attack
• WinDbg/CDB LOLBIN Usage