Suspicious PowerShell Invocation From Script Engines

calendar Feb 21, 2023 · attack.execution attack.t1059.001  ·
Share on: linkedin copy

Detects suspicious powershell invocations from interpreters or unusual programs

Sigma rule (View on GitHub)

 1title: Suspicious PowerShell Invocation From Script Engines
 2id: 95eadcb2-92e4-4ed1-9031-92547773a6db
 3status: test
 4description: Detects suspicious powershell invocations from interpreters or unusual programs
 5references:
 6    - https://www.securitynewspaper.com/2017/03/20/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
 7author: Florian Roth (Nextron Systems)
 8date: 2019/01/16
 9modified: 2023/01/05
10tags:
11    - attack.execution
12    - attack.t1059.001
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        ParentImage|endswith:
19            - '\wscript.exe'
20            - '\cscript.exe'
21        Image|endswith:
22            - '\powershell.exe'
23            - '\pwsh.exe'
24    filter_health_service:
25        CurrentDirectory|contains: '\Health Service State\'
26    condition: selection and not 1 of filter_*
27falsepositives:
28    - Microsoft Operations Manager (MOM)
29    - Other scripts
30level: medium

References

Related rules

to-top