Potential Persistence Via Powershell Search Order Hijacking - Task

calendar Oct 23, 2025 · attack.privilege-escalation attack.execution attack.persistence attack.t1053.005 attack.t1059.001  ·
Share on: linkedin copy

Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Powershell Search Order Hijacking - Task
 2id: b66474aa-bd92-4333-a16c-298155b120df
 3related:
 4    - id: 6e8811ee-90ba-441e-8486-5653e68b2299
 5      type: similar
 6status: test
 7description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
 8references:
 9    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
10author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
11date: 2022-04-08
12modified: 2023-02-03
13tags:
14    - attack.privilege-escalation
15    - attack.execution
16    - attack.persistence
17    - attack.t1053.005
18    - attack.t1059.001
19logsource:
20    product: windows
21    category: process_creation
22detection:
23    selection:
24        ParentImage: 'C:\WINDOWS\System32\svchost.exe'
25        ParentCommandLine|contains|all:
26            - '-k netsvcs'
27            - '-s Schedule'
28        CommandLine|endswith:
29            - ' -windowstyle hidden'
30            - ' -w hidden'
31            - ' -ep bypass'
32            - ' -noni'
33    condition: selection
34falsepositives:
35    - Unknown
36level: high

References

Related rules

to-top