SigmaHQ/rules/windows/powershell/powershell_suspicious_invocation_generic.yml

title: Suspicious PowerShell Invocations - Generic
status: experimental
description: Detects suspicious PowerShell invocation command parameters
tags:
    - attack.execution
    - attack.t1086
author: Florian Roth (rule)
logsource:
    product: windows
    service: powershell
detection:
    encoded:
        - ' -enc '
        - ' -EncodedCommand '
    hidden:
        - ' -w hidden '
        - ' -window hidden '
        - ' - windowstyle hidden '
    noninteractive:
        - ' -noni '
        - ' -noninteractive '
    condition: all of them
falsepositives:
    - Penetration tests
    - Very special / sneaky PowerShell scripts
level: high
Suspicious PowerShell Invocation 2017-03-12 16:06:53 +00:00			`title: Suspicious PowerShell Invocations - Generic`
			`status: experimental`
			`description: Detects suspicious PowerShell invocation command parameters`
Tagged windows powershell, other and malware rules. 2018-07-24 08:56:41 +00:00			`tags:`
			`- attack.execution`
			`- attack.t1086`
Suspicious PowerShell Invocation 2017-03-12 16:06:53 +00:00			`author: Florian Roth (rule)`
			`logsource:`
Bugfix: PowerShell rules log source inconstency 2017-03-21 09:22:13 +00:00			`product: windows`
			`service: powershell`
Suspicious PowerShell Invocation 2017-03-12 16:06:53 +00:00			`detection:`
			`encoded:`
			`- ' -enc '`
			`- ' -EncodedCommand '`
			`hidden:`
			`- ' -w hidden '`
			`- ' -window hidden '`
			`- ' - windowstyle hidden '`
			`noninteractive:`
			`- ' -noni '`
			`- ' -noninteractive '`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`condition: all of them`
Suspicious PowerShell Invocation 2017-03-12 16:06:53 +00:00			`falsepositives:`
			`- Penetration tests`
Merged similar rules 2018-03-06 22:19:11 +00:00			`- Very special / sneaky PowerShell scripts`
Suspicious PowerShell Invocation 2017-03-12 16:06:53 +00:00			`level: high`
Sysmon as 'service' of product 'windows' 2017-03-13 08:23:08 +00:00