
Powershell Inline Execution From A File

Detects inline execution of PowerShell code from a file

Author: François Hubaut
Created: Sun Dec 25
Rule ID: ee218c12-627a-4d27-9e30-d6fb2fe22ed2
Product: windows
Log Source
Windows / Process Creation
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic (3 selectors)
detection:
    selection_exec:
        CommandLine|contains:
            - 'iex '
            - 'Invoke-Expression '
            - 'Invoke-Command '
            - 'icm '
    selection_read:
        CommandLine|contains:
            - 'cat '
            - 'get-content '
            - 'type '
    selection_raw:
        CommandLine|contains: ' -raw'
    condition: all of selection_*
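Added example, not part of the Sigma rule or of the converter: a small Python evaluator that applies the three selectors above with Sigma's default case-insensitive `contains` semantics to constructed process-creation events, so a matching command line and two near-misses can be checked before the rule is deployed. It assumes events are dicts carrying a `CommandLine` field (Sysmon Event ID 1 style field names).

```python
# Selectors copied from the rule's detection block. Sigma's plain
# "contains" modifier is case-insensitive, so matching is done on a
# lower-cased command line.
SELECTIONS = {
    "selection_exec": ("iex ", "invoke-expression ", "invoke-command ", "icm "),
    "selection_read": ("cat ", "get-content ", "type "),
    "selection_raw": (" -raw",),
}


def matched_selections(command_line: str) -> dict:
    """Return, per selector, whether any of its substrings occurs in the command line."""
    hay = command_line.lower()
    return {name: any(needle in hay for needle in needles)
            for name, needles in SELECTIONS.items()}


def matches(command_line: str) -> bool:
    """condition: all of selection_* -> every selector must have matched."""
    return all(matched_selections(command_line).values())


def scan(events):
    """Return the process-creation events that fire the rule."""
    return [e for e in events if matches(e.get("CommandLine", ""))]


# Constructed sample events (not real telemetry). Field names are an assumption.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Fires: file read with -Raw, passed straight to iex.
    {"Image": PS,
     "CommandLine": r'powershell.exe -NoP -c "iex (Get-Content C:\Users\Public\script.txt -Raw)"'},
    # Does not fire: reads a file with -Raw but never evaluates it (selection_exec fails).
    {"Image": PS,
     "CommandLine": r'powershell.exe -c "Get-Content .\config.json -Raw | ConvertFrom-Json"'},
    # Does not fire: Invoke-Expression on a literal, no file read (selection_read fails).
    {"Image": PS,
     "CommandLine": "powershell.exe -c \"Invoke-Expression 'Get-Date'\""},
    # Fires: alias forms and lower case still match because matching is case-insensitive.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell -c "iex (type .\run.ps1 -raw)"'},
]

if __name__ == "__main__":
    for event in scan(SAMPLE_EVENTS):
        print("HIT:", event["CommandLine"])
```

Because the selectors are bare substrings, `matched_selections` is the useful view during triage: it shows which of the three conditions an event satisfied, which helps spot a false positive caused by an unrelated token such as `type ` or `cat `.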
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK
Tactic: Execution (attack.execution)
Technique: T1059.001 Command and Scripting Interpreter: PowerShell (attack.t1059.001)
Rule Metadata
Rule ID
ee218c12-627a-4d27-9e30-d6fb2fe22ed2
Status
test
Level
medium
Type
Detection
Created
Sun Dec 25
Path
rules/windows/process_creation/proc_creation_win_powershell_exec_data_file.yml
Raw Tags
attack.execution, attack.t1059.001