Detectionhightest

Suspicious PowerShell Invocations - Generic - PowerShell Module

Detects suspicious PowerShell invocation command parameters

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Sun Mar 12Updated Tue Jan 03bbb80e91-5746-4fbe-8898-122e2cafdbf4windows

Log Source

WindowsPowerShell Module

ProductWindows← raw: windows

CategoryPowerShell Module← raw: ps_module

Definition

0ad03ef1-f21b-4a79-8ce8-e6900c54b65b

Detection Logic

detection:
    selection_encoded:
        ContextInfo|contains:
            - ' -enc '
            - ' -EncodedCommand '
            - ' -ec '
    selection_hidden:
        ContextInfo|contains:
            - ' -w hidden '
            - ' -window hidden '
            - ' -windowstyle hidden '
            - ' -w 1 '
    selection_noninteractive:
        ContextInfo|contains:
            - ' -noni '
            - ' -noninteractive '
    condition: all of selection*

False Positives

Very special / sneaky PowerShell scripts

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1059.001 · PowerShell

Related Rules

Derived

3d304fda-78aa-43ed-975c-d740798a49c1

Rule not found

SimilarDetectionhigh

Suspicious PowerShell Invocations - Generic

Detects suspicious PowerShell invocation command parameters

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

bbb80e91-5746-4fbe-8898-122e2cafdbf4

Status

test

Level

high

Type

Detection

Created

Sun Mar 12

Modified

Tue Jan 03

Author

Florian Roth (Nextron Systems)

Path

rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml

Raw Tags

attack.executionattack.t1059.001

View on GitHub