Suspicious PowerShell Invocation From Script Engines
Detects suspicious powershell invocations from interpreters or unusual programs
Sigma rule
title: Suspicious PowerShell Invocation From Script Engines
id: 95eadcb2-92e4-4ed1-9031-92547773a6db
status: test
description: Detects suspicious powershell invocations from interpreters or unusual programs
references:
    - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
author: Florian Roth (Nextron Systems)
date: 2019-01-16
modified: 2023-01-05
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    filter_health_service:
        CurrentDirectory|contains: '\Health Service State\'
    condition: selection and not 1 of filter_*
falsepositives:
    - Microsoft Operations Manager (MOM)
    - Other scripts
level: medium
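To make the condition concrete, the following added Python example (not part of the Sigma rule or of the Sigma project) applies the rule's selection and filter logic to a few constructed process_creation events. Field names follow the rule; the sample paths and event ids are made up, and matching is done case-insensitively as Sigma string comparisons are by default.

```python
"""Evaluate the Sigma rule above against constructed process_creation events."""
from typing import Iterable

# Values from the rule; lower-cased because Sigma string matching is case-insensitive.
SCRIPT_ENGINES = ("\\wscript.exe", "\\cscript.exe")        # ParentImage|endswith
POWERSHELL_HOSTS = ("\\powershell.exe", "\\pwsh.exe")      # Image|endswith
HEALTH_SERVICE_DIR = "\\health service state\\"            # CurrentDirectory|contains


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection and not 1 of filter_*'.

    With a single filter_* block, '1 of filter_*' reduces to filter_health_service.
    A missing field is treated as an empty string, so it can only fail a match.
    """
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    cwd = event.get("CurrentDirectory", "").lower()

    selection = parent.endswith(SCRIPT_ENGINES) and image.endswith(POWERSHELL_HOSTS)
    filter_health_service = HEALTH_SERVICE_DIR in cwd
    return selection and not filter_health_service


def alerts(events: Iterable[dict]) -> list[str]:
    """Return the ids of the events that fire the rule."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample events (Sysmon-style field names); not real telemetry.
SAMPLE_EVENTS = [
    {"id": "evt1", "ParentImage": "C:\\Windows\\System32\\wscript.exe",      # fires
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CurrentDirectory": "C:\\Users\\alice\\Downloads\\"},
    {"id": "evt2", "ParentImage": "C:\\Windows\\SysWOW64\\cscript.exe",      # MOM-style path, filtered
     "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CurrentDirectory": "C:\\Agent\\Health Service State\\Monitoring Host Temporary Files 3\\"},
    {"id": "evt3", "ParentImage": "C:\\Windows\\explorer.exe",               # parent not a script engine
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CurrentDirectory": "C:\\Users\\alice\\"},
    {"id": "evt4", "ParentImage": "C:\\Windows\\System32\\cscript.exe",      # child is not PowerShell
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CurrentDirectory": "C:\\Temp\\"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # → ['evt1']
```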
Related rules
- AWS EC2 Startup Shell Script Change
- Alternate PowerShell Hosts - PowerShell Module
- Bad Opsec Powershell Code Artifacts
- BloodHound Collection Files
- Certificate Exported Via PowerShell