Detectionhightest

Suspicious PowerShell Invocations - Generic

Detects suspicious PowerShell invocation command parameters

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Florian Roth (Nextron Systems)Created Sun Mar 12Updated Tue Jan 03ed965133-513f-41d9-a441-e38076a0798fwindows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection_encoded:
        ScriptBlockText|contains:
            - ' -enc '
            - ' -EncodedCommand '
            - ' -ec '
    selection_hidden:
        ScriptBlockText|contains:
            - ' -w hidden '
            - ' -window hidden '
            - ' -windowstyle hidden '
            - ' -w 1 '
    selection_noninteractive:
        ScriptBlockText|contains:
            - ' -noni '
            - ' -noninteractive '
    condition: all of selection*

False Positives

Very special / sneaky PowerShell scripts

References

Resolving title…

Internal Research

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1059.001 · PowerShell

Related Rules

Derived

3d304fda-78aa-43ed-975c-d740798a49c1

Rule not found

SimilarDetectionhigh

Suspicious PowerShell Invocations - Generic - PowerShell Module

Detects suspicious PowerShell invocation command parameters

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

ed965133-513f-41d9-a441-e38076a0798f

Status

test

Level

high

Type

Detection

Created

Sun Mar 12

Modified

Tue Jan 03

Author

Florian Roth (Nextron Systems)

Path

rules/windows/powershell/powershell_script/posh_ps_susp_invocation_generic.yml

Raw Tags

attack.executionattack.t1059.001

View on GitHub