Potential Persistence Via Powershell Search Order Hijacking - Task

Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader

Sigma rule (View on GitHub)

 1title: Potential Persistence Via Powershell Search Order Hijacking - Task
 2id: b66474aa-bd92-4333-a16c-298155b120df
 3related:
 4    - id: 6e8811ee-90ba-441e-8486-5653e68b2299
 5      type: similar
 6status: test
 7description: Detects suspicious powershell execution via a schedule task where the command ends with an suspicious flags to hide the powershell instance instead of executeing scripts or commands. This could be a sign of persistence via PowerShell "Get-Variable" technique as seen being used in Colibri Loader
 8references:
 9    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
10author: pH-T (Nextron Systems), Florian Roth (Nextron Systems)
11date: 2022/04/08
12modified: 2023/02/03
13tags:
14    - attack.execution
15    - attack.persistence
16    - attack.t1053.005
17    - attack.t1059.001
18logsource:
19    product: windows
20    category: process_creation
21detection:
22    selection:
23        ParentImage: 'C:\WINDOWS\System32\svchost.exe'
24        ParentCommandLine|contains|all:
25            - '-k netsvcs'
26            - '-s Schedule'
27        CommandLine|endswith:
28            - ' -windowstyle hidden'
29            - ' -w hidden'
30            - ' -ep bypass'
31            - ' -noni'
32    condition: selection
33falsepositives:
34    - Unknown
35level: high

References

Related rules

to-top