Suspicious Powershell In Registry Run Keys

Detects potential PowerShell commands or code within registry run keys

Sigma rule

```yaml
title: Suspicious Powershell In Registry Run Keys
id: 8d85cf08-bf97-4260-ba49-986a2a65129c
status: experimental
description: Detects potential PowerShell commands or code within registry run keys
references:
    - https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry
    - https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html
author: frack113, Florian Roth (Nextron Systems)
date: 2022/03/17
modified: 2023/08/17
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    category: registry_set
    product: windows
detection:
    selection:
        TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run' # Also covers "RunOnce" and "RunOnceEx"
        Details|contains:
            - 'powershell'
            - 'pwsh '
            - 'FromBase64String'
            - '.DownloadFile('
            - '.DownloadString('
            - ' -w hidden '
            - ' -w 1 '
            - '-windowstyle hidden'
            - '-window hidden'
            - ' -nop '
            - ' -encodedcommand '
            - '-ExecutionPolicy Bypass'
            - 'Invoke-Expression'
            - 'IEX ('
            - 'Invoke-Command'
            - 'ICM -'
            - 'Invoke-WebRequest'
            - 'IWR '
            - ' -noni '
            - ' -noninteractive '
    condition: selection
falsepositives:
    - Legitimate admin or third party scripts. Baseline according to your environment
level: medium
```
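As an added example (not part of the Sigma project or the rule authors' code), the following Python evaluator applies the rule's `selection` block, using Sigma's default case-insensitive `contains` matching, to a few constructed `registry_set` events carrying the `TargetObject` and `Details` fields the rule keys on. The sample events are constructed for illustration, not real telemetry.

```python
# Added example: minimal evaluator for the rule's selection block.
RUN_KEY_FRAGMENT = r"\Software\Microsoft\Windows\CurrentVersion\Run"

# The Details|contains list, copied verbatim from the rule (spaces matter).
DETAILS_PATTERNS = [
    "powershell", "pwsh ", "FromBase64String", ".DownloadFile(",
    ".DownloadString(", " -w hidden ", " -w 1 ", "-windowstyle hidden",
    "-window hidden", " -nop ", " -encodedcommand ", "-ExecutionPolicy Bypass",
    "Invoke-Expression", "IEX (", "Invoke-Command", "ICM -",
    "Invoke-WebRequest", "IWR ", " -noni ", " -noninteractive ",
]


def sigma_contains(value: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive unless |cased is used.
    return needle.lower() in value.lower()


def matches_rule(event: dict) -> bool:
    """True when the event satisfies 'selection' (Run key AND any Details pattern)."""
    target = event.get("TargetObject", "")
    details = event.get("Details", "")
    if not sigma_contains(target, RUN_KEY_FRAGMENT):
        return False
    return any(sigma_contains(details, p) for p in DETAILS_PATTERNS)


def flagged(events: list) -> list:
    """Indices of events the rule would alert on."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (field names follow the rule; values are made up).
SAMPLE_EVENTS = [
    {"TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": "powershell.exe -w hidden -nop -EncodedCommand <BASE64_PLACEHOLDER>"},
    # RunOnce is covered because the fragment is a substring of the key path.
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
     "Details": r"pwsh -noni -nop -File C:\ProgramData\task.ps1"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    # 'pwsh.exe' contains no 'pwsh ' (trailing space) and no other pattern: not flagged.
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tool",
     "Details": r"C:\tools\pwsh.exe -File C:\tools\run.ps1"},
]

if __name__ == "__main__":
    for i in flagged(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[i]["TargetObject"])
```

The fourth event shows that the patterns are literal substrings, so a bare `pwsh.exe` launch slips past the `'pwsh '` pattern; when baselining per the rule's false-positive note, check such gaps as well as noisy matches.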
