SigmaHQ/rules/windows/powershell/powershell_suspicious_invocation_specific.yml

title: Suspicious PowerShell Invocations - Specific
status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth (rule)
logsource:
    platform: windows
    product: powershell
detection:
    keywords:
        - ' -nop -w hidden -c * [Convert]::FromBase64String'
        - ' -w hidden -noni -nop -c "iex(New-Object'
        - ' -w hidden -ep bypass -Enc'
        - 'powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run'
        - 'bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download'
        - 'iex(New-Object Net.WebClient).Download'
    condition: keywords
falsepositives:
    - Penetration tests
level: high
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00			`title: Suspicious PowerShell Invocations - Specific`
More PowerShell rules 2017-03-05 14:01:51 +00:00			`status: experimental`
			`description: Detects suspicious PowerShell invocation command parameters`
			`author: Florian Roth (rule)`
			`logsource:`
			`platform: windows`
			`product: powershell`
			`detection:`
			`keywords:`
			`- ' -nop -w hidden -c * [Convert]::FromBase64String'`
			`- ' -w hidden -noni -nop -c "iex(New-Object'`
			`- ' -w hidden -ep bypass -Enc'`
			`- 'powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run'`
			`- 'bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download'`
Added expression 2017-03-05 21:45:54 +00:00			`- 'iex(New-Object Net.WebClient).Download'`
More PowerShell rules 2017-03-05 14:01:51 +00:00			`condition: keywords`
			`falsepositives:`
			`- Penetration tests`
			`level: high`