PowerShell Script Run in AppData

Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder

Sigma rule

title: PowerShell Script Run in AppData
id: ac175779-025a-4f12-98b0-acdaeb77ea85
status: test
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
    - https://twitter.com/JohnLaTwC/status/1082851155481288706
    - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2019/01/09
modified: 2022/07/14
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        CommandLine|contains:
            - 'powershell.exe'
            - '\powershell'
            - '\pwsh'
            - 'pwsh.exe'
    selection2:
        CommandLine|contains|all:
            - '/c '
            - '\AppData\'
        CommandLine|contains:
            - 'Local\'
            - 'Roaming\'
    condition: all of selection*
falsepositives:
    - Administrative scripts
level: medium
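As an added illustration (not part of the rule or of any Sigma backend), the following Python mirrors the rule's detection logic, with `contains` treated as case-insensitive substring matching as Sigma backends compile it, and runs it over constructed process_creation events to show which command lines fire and which fall through (the `SAMPLE_EVENTS`, `matches_rule` and `evaluate` names are this example's own).

```python
# Added example: evaluates the Sigma rule's selections against constructed
# process_creation events. Not the rule's own code or pySigma; it mirrors the
# rule's CommandLine|contains semantics (case-insensitive substring match).

SELECTION1 = ["powershell.exe", "\\powershell", "\\pwsh", "pwsh.exe"]
SELECTION2_ALL = ["/c ", "\\AppData\\"]
SELECTION2_ANY = ["Local\\", "Roaming\\"]


def _contains_any(cmd, needles):
    lowered = cmd.lower()
    return any(n.lower() in lowered for n in needles)


def _contains_all(cmd, needles):
    lowered = cmd.lower()
    return all(n.lower() in lowered for n in needles)


def matches_rule(event):
    """True when the event satisfies the rule's 'all of selection*' condition."""
    cmd = event.get("CommandLine", "")
    selection1 = _contains_any(cmd, SELECTION1)
    # selection2 needs both |contains|all terms AND one of the plain |contains terms.
    selection2 = _contains_all(cmd, SELECTION2_ALL) and _contains_any(cmd, SELECTION2_ANY)
    return selection1 and selection2


# Constructed sample events (hypothetical paths, not from any real system).
SAMPLE_EVENTS = [
    # Fires: cmd '/c ' launching powershell.exe on a script under AppData\Roaming.
    {"CommandLine": 'cmd.exe /c powershell.exe -NoProfile -File "C:\\Users\\bob\\AppData\\Roaming\\update.ps1"'},
    # Fires: '\pwsh' variant with a script under AppData\Local.
    {"CommandLine": "cmd /c \\pwsh -File C:\\Users\\bob\\AppData\\Local\\Temp\\a.ps1"},
    # Does not fire: the 'Administrative scripts' case, no AppData path at all.
    {"CommandLine": 'cmd.exe /c powershell.exe -File "C:\\Program Files\\Ops\\backup.ps1"'},
    # Does not fire: AppData path present, but no '/c ' token so selection2 is incomplete.
    {"CommandLine": "powershell.exe -File C:\\Users\\bob\\AppData\\Local\\x.ps1"},
]


def evaluate(events):
    """Return the command lines the rule would flag, in input order."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for line in evaluate(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The fourth sample shows the rule's coverage boundary: a direct PowerShell invocation of an AppData script without the `/c ` shell wrapper is not matched by this rule and would need a separate one.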
