Suspicious PowerShell Invocations - Specific - ProcessCreation
Detects suspicious PowerShell invocation command parameters
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
selection_convert_b64:
CommandLine|contains|all:
- '-nop'
- ' -w '
- 'hidden'
- ' -c '
- '[Convert]::FromBase64String'
selection_iex:
CommandLine|contains|all:
- ' -w '
- 'hidden'
- '-noni'
- '-nop'
- ' -c '
- 'iex'
- 'New-Object'
selection_enc:
CommandLine|contains|all:
- ' -w '
- 'hidden'
- '-ep'
- 'bypass'
- '-Enc'
selection_reg:
CommandLine|contains|all:
- 'powershell'
- 'reg'
- 'add'
- '\software\'
selection_webclient:
CommandLine|contains|all:
- 'bypass'
- '-noprofile'
- '-windowstyle'
- 'hidden'
- 'new-object'
- 'system.net.webclient'
- '.download'
selection_iex_webclient:
CommandLine|contains|all:
- 'iex'
- 'New-Object'
- 'Net.WebClient'
- '.Download'
filter_chocolatey:
CommandLine|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
- 'Write-ChocolateyWarning'
condition: 1 of selection_* and not 1 of filter_*False positive likelihood has not been assessed. Additional context may be needed during triage.
Tactics
fce5f582-cc00-41e1-941a-c6fabf0fdb8c
Suspicious PowerShell Invocations - Specific
Detects suspicious PowerShell invocation command parameters
Detects similar activity. Both rules may fire on overlapping events.
Suspicious PowerShell Invocations - Specific - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Detects similar activity. Both rules may fire on overlapping events.