Phoenix
Sigma IntelligenceBeta
Back to Rules
Threat Huntlowtest

Unusually Long PowerShell CommandLine

Detects unusually long PowerShell command lines with a length of 1000 characters or more

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
oscd.community, Natalia ShornikovaCreated Tue Oct 06Updated Fri Apr 14d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6windows
Hunting Hypothesis
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_powershell:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
        - Description: 'Windows Powershell'
        - Product: 'PowerShell Core 6'
    selection_length:
        CommandLine|re: '.{1000,}'
    condition: all of selection_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
speakerdeck.com
MITRE ATT&CK

Other

detection.threat-hunting
Rule Metadata
Rule ID
d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
Status
test
Level
low
Type
Threat Hunt
Created
Tue Oct 06
Modified
Fri Apr 14
Author
oscd.community, Natalia Shornikova
Path
rules-threat-hunting/windows/process_creation/proc_creation_win_powershell_abnormal_commandline_size.yml
Raw Tags
attack.executionattack.t1059.001detection.threat-hunting
View on GitHub