Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious PowerShell Invocations - Specific

Detects suspicious PowerShell invocation command parameters

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Jonhnathan RibeiroCreated Sun Mar 05Updated Mon Feb 17ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71windows
Log Source
WindowsPowerShell Script
ProductWindows← raw: windows
CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic
Detection Logic7 selectors
detection:
    selection_convert_b64:
        ScriptBlockText|contains|all:
            - '-nop'
            - ' -w '
            - 'hidden'
            - ' -c '
            - '[Convert]::FromBase64String'
    selection_iex_selection:
        ScriptBlockText|contains|all:
            - ' -w '
            - 'hidden'
            - '-noni'
            - '-nop'
            - ' -c '
            - 'iex'
            - 'New-Object'
    selection_enc_selection:
        ScriptBlockText|contains|all:
            - ' -w '
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
    selection_reg_selection:
        ScriptBlockText|contains|all:
            - 'powershell'
            - 'reg'
            - 'add'
        ScriptBlockText|contains:
            - '\software\microsoft\windows\currentversion\run'
            - '\software\wow6432node\microsoft\windows\currentversion\run'
            - '\software\microsoft\windows\currentversion\policies\explorer\run'
    selection_webclient_selection:
        ScriptBlockText|contains|all:
            - 'bypass'
            - '-noprofile'
            - '-windowstyle'
            - 'hidden'
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
    selection_iex_webclient:
        ScriptBlockText|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
    filter_chocolatey:
        ScriptBlockText|contains:
            - "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
            - "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
            - 'Write-ChocolateyWarning'
    condition: 1 of selection_* and not 1 of filter_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
Internal Research
2
Resolving title…
github.com
MITRE ATT&CK
Related Rules
Similar

fce5f582-cc00-41e1-941a-c6fabf0fdb8c

Rule not found
SimilarDetectionhigh

Suspicious PowerShell Invocations - Specific - PowerShell Module

Detects suspicious PowerShell invocation command parameters

Detects similar activity. Both rules may fire on overlapping events.

SimilarDetectionmedium

Suspicious PowerShell Invocations - Specific - ProcessCreation

Detects suspicious PowerShell invocation command parameters

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
Status
test
Level
high
Type
Detection
Created
Sun Mar 05
Modified
Mon Feb 17
Author
Florian Roth (Nextron Systems), Jonhnathan Ribeiro
Path
rules/windows/powershell/powershell_script/posh_ps_susp_invocation_specific.yml
Raw Tags
attack.executionattack.t1059.001
View on GitHub