Suspicious PowerShell Parameter Substring
Detects suspicious PowerShell invocation with a parameter substring
Sigma rule (View on GitHub)
1title: Suspicious PowerShell Parameter Substring
2id: 36210e0d-5b19-485d-a087-c096088885f0
3status: test
4description: Detects suspicious PowerShell invocation with a parameter substring
5references:
6 - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
7author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
8date: 2019/01/16
9modified: 2022/07/14
10tags:
11 - attack.execution
12 - attack.t1059.001
13logsource:
14 category: process_creation
15 product: windows
16detection:
17 selection:
18 Image|endswith:
19 - '\powershell.exe'
20 - '\pwsh.exe'
21 CommandLine|contains:
22 - ' -windowstyle h '
23 - ' -windowstyl h'
24 - ' -windowsty h'
25 - ' -windowst h'
26 - ' -windows h'
27 - ' -windo h'
28 - ' -wind h'
29 - ' -win h'
30 - ' -wi h'
31 - ' -win h '
32 - ' -win hi '
33 - ' -win hid '
34 - ' -win hidd '
35 - ' -win hidde '
36 - ' -NoPr '
37 - ' -NoPro '
38 - ' -NoProf '
39 - ' -NoProfi '
40 - ' -NoProfil '
41 - ' -nonin '
42 - ' -nonint '
43 - ' -noninte '
44 - ' -noninter '
45 - ' -nonintera '
46 - ' -noninterac '
47 - ' -noninteract '
48 - ' -noninteracti '
49 - ' -noninteractiv '
50 - ' -ec '
51 - ' -encodedComman '
52 - ' -encodedComma '
53 - ' -encodedComm '
54 - ' -encodedCom '
55 - ' -encodedCo '
56 - ' -encodedC '
57 - ' -encoded '
58 - ' -encode '
59 - ' -encod '
60 - ' -enco '
61 - ' -en '
62 - ' -executionpolic '
63 - ' -executionpoli '
64 - ' -executionpol '
65 - ' -executionpo '
66 - ' -executionp '
67 - ' -execution bypass'
68 - ' -executio bypass'
69 - ' -executi bypass'
70 - ' -execut bypass'
71 - ' -execu bypass'
72 - ' -exec bypass'
73 - ' -exe bypass'
74 - ' -ex bypass'
75 - ' -ep bypass'
76 - ' /windowstyle h '
77 - ' /windowstyl h'
78 - ' /windowsty h'
79 - ' /windowst h'
80 - ' /windows h'
81 - ' /windo h'
82 - ' /wind h'
83 - ' /win h'
84 - ' /wi h'
85 - ' /win h '
86 - ' /win hi '
87 - ' /win hid '
88 - ' /win hidd '
89 - ' /win hidde '
90 - ' /NoPr '
91 - ' /NoPro '
92 - ' /NoProf '
93 - ' /NoProfi '
94 - ' /NoProfil '
95 - ' /nonin '
96 - ' /nonint '
97 - ' /noninte '
98 - ' /noninter '
99 - ' /nonintera '
100 - ' /noninterac '
101 - ' /noninteract '
102 - ' /noninteracti '
103 - ' /noninteractiv '
104 - ' /ec '
105 - ' /encodedComman '
106 - ' /encodedComma '
107 - ' /encodedComm '
108 - ' /encodedCom '
109 - ' /encodedCo '
110 - ' /encodedC '
111 - ' /encoded '
112 - ' /encode '
113 - ' /encod '
114 - ' /enco '
115 - ' /en '
116 - ' /executionpolic '
117 - ' /executionpoli '
118 - ' /executionpol '
119 - ' /executionpo '
120 - ' /executionp '
121 - ' /execution bypass'
122 - ' /executio bypass'
123 - ' /executi bypass'
124 - ' /execut bypass'
125 - ' /execu bypass'
126 - ' /exec bypass'
127 - ' /exe bypass'
128 - ' /ex bypass'
129 - ' /ep bypass'
130 condition: selection
131falsepositives:
132 - Unknown
133level: high
References
-
The reason is that good attackers do not remain complacent. If you look at the Github history for Unicorn , an awesome tool from Dave Kennedy ( @HackingDave ), then you will see that he has changed the syntax of the tool's execution arguments several times as defenders have updated their signatures
Read More
Related rules
- PowerShell Credential Prompt
- PowerShell PSAttack
- Scheduled task executing powershell encoded payload from registry
- NTFS Alternate Data Stream
- Potential PowerShell Downgrade Attack