SigmaHQ/rules/windows/powershell/powershell_suspicious_invocation_specific.yml

title: Suspicious PowerShell Invocations - Specific
id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
status: experimental
description: Detects suspicious PowerShell invocation command parameters
tags:
    - attack.execution
    - attack.t1086
    - attack.t1059.001
author: Florian Roth (rule)
date: 2017/03/05
logsource:
    product: windows
    service: powershell
detection:
    keywords:
        Message:
            - '* -nop -w hidden -c * [Convert]::FromBase64String*'
            - '* -w hidden -noni -nop -c "iex(New-Object*'
            - '* -w hidden -ep bypass -Enc*'
            - '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'
            - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'
            - '*iex(New-Object Net.WebClient).Download*'
    condition: keywords
falsepositives:
    - Penetration tests
level: high
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`title: Suspicious PowerShell Invocations - Specific`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c`
More PowerShell rules 2017-03-05 14:01:51 +00:00			`status: experimental`
			`description: Detects suspicious PowerShell invocation command parameters`
Tagged windows powershell, other and malware rules. 2018-07-24 08:56:41 +00:00			`tags:`
			`- attack.execution`
			`- attack.t1086`
Initial round of subtechnique updates 2020-06-16 20:46:08 +00:00			`- attack.t1059.001`
More PowerShell rules 2017-03-05 14:01:51 +00:00			`author: Florian Roth (rule)`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2017/03/05`
More PowerShell rules 2017-03-05 14:01:51 +00:00			`logsource:`
Bugfix: PowerShell rules log source inconstency 2017-03-21 09:22:13 +00:00			`product: windows`
			`service: powershell`
More PowerShell rules 2017-03-05 14:01:51 +00:00			`detection:`
			`keywords:`
fix: bound keywords to field in multiple PS rules Rules changed: - rules/windows/powershell/powershell_malicious_commandlets.yml - rules/windows/powershell/powershell_malicious_keywords.yml - rules/windows/powershell/powershell_suspicious_download.yml - rules/windows/powershell/powershell_suspicious_invocation_specific.yml 2019-10-29 18:53:18 +00:00			`Message:`
			`- '* -nop -w hidden -c * [Convert]::FromBase64String*'`
			`- '* -w hidden -noni -nop -c "iex(New-Object*'`
			`- '* -w hidden -ep bypass -Enc*'`
			`- 'powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run'`
			`- 'bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download'`
			`- 'iex(New-Object Net.WebClient).Download'`
More PowerShell rules 2017-03-05 14:01:51 +00:00			`condition: keywords`
			`falsepositives:`
			`- Penetration tests`
			`level: high`