SigmaHQ/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml

title: Suspicious PowerShell Parameter Substring
id: 36210e0d-5b19-485d-a087-c096088885f0
status: experimental
description: Detects suspicious PowerShell invocation with a parameter substring
references:
    - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
tags:
    - attack.execution
    - attack.t1086
    - attack.t1059.001
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
date: 2019/01/16
modified: 2020/07/14
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\Powershell.exe'
        CommandLine|contains:
            - ' -windowstyle h '
            - ' -windowstyl h'
            - ' -windowsty h'
            - ' -windowst h'
            - ' -windows h'
            - ' -windo h'
            - ' -wind h'
            - ' -win h'
            - ' -wi h'
            - ' -win h '
            - ' -win hi '
            - ' -win hid '
            - ' -win hidd '
            - ' -win hidde '
            - ' -NoPr '
            - ' -NoPro '
            - ' -NoProf '
            - ' -NoProfi '
            - ' -NoProfil '
            - ' -nonin '
            - ' -nonint '
            - ' -noninte '
            - ' -noninter '
            - ' -nonintera '
            - ' -noninterac '
            - ' -noninteract '
            - ' -noninteracti '
            - ' -noninteractiv '
            - ' -ec '
            - ' -encodedComman '
            - ' -encodedComma '
            - ' -encodedComm '
            - ' -encodedCom '
            - ' -encodedCo '
            - ' -encodedC '
            - ' -encoded '
            - ' -encode '
            - ' -encod '
            - ' -enco '
            - ' -en '
    condition: selection
falsepositives:
    - Penetration tests
level: high
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`title: Suspicious PowerShell Parameter Substring`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 36210e0d-5b19-485d-a087-c096088885f0`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`status: experimental`
			`description: Detects suspicious PowerShell invocation with a parameter substring`
			`references:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`tags:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- attack.execution`
			`- attack.t1086`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1059.001`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2019/01/16`
fix: issue reported as https://github.com/Neo23x0/sigma/issues/923 2020-07-14 15:59:59 +00:00			`modified: 2020/07/14`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`logsource:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`category: process_creation`
			`product: windows`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`detection:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`selection:`
fix: issue reported as https://github.com/Neo23x0/sigma/issues/923 2020-07-14 15:59:59 +00:00			`Image\|endswith:`
			`- '\Powershell.exe'`
			`CommandLine\|contains:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- ' -windowstyle h '`
			`- ' -windowstyl h'`
			`- ' -windowsty h'`
			`- ' -windowst h'`
			`- ' -windows h'`
			`- ' -windo h'`
			`- ' -wind h'`
			`- ' -win h'`
			`- ' -wi h'`
			`- ' -win h '`
			`- ' -win hi '`
			`- ' -win hid '`
			`- ' -win hidd '`
			`- ' -win hidde '`
			`- ' -NoPr '`
			`- ' -NoPro '`
			`- ' -NoProf '`
			`- ' -NoProfi '`
			`- ' -NoProfil '`
			`- ' -nonin '`
			`- ' -nonint '`
			`- ' -noninte '`
			`- ' -noninter '`
			`- ' -nonintera '`
			`- ' -noninterac '`
			`- ' -noninteract '`
			`- ' -noninteracti '`
			`- ' -noninteractiv '`
			`- ' -ec '`
			`- ' -encodedComman '`
			`- ' -encodedComma '`
			`- ' -encodedComm '`
			`- ' -encodedCom '`
			`- ' -encodedCo '`
			`- ' -encodedC '`
			`- ' -encoded '`
			`- ' -encode '`
			`- ' -encod '`
			`- ' -enco '`
			`- ' -en '`
			`condition: selection`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`falsepositives:`
Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 2019-03-01 23:14:20 +00:00			`- Penetration tests`
Converted Sysmon/1 and Security/4688 to generic process creation rules 2019-01-16 22:36:31 +00:00			`level: high`