SigmaHQ/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_combo.yml

title: Suspicious PowerShell Parameter Combination
status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth
logsource:
    product: sysmon
detection:
    keywords:
        - 'powershell'
        - ' -nop '
        - ' -w hidden '
        - ' -exec bypass '
        - ' -enc ' 
    condition: all of keywords
falsepositives:
    - Penetration tests
    - Very special / sneaky PowerShell scripts
level: high
Sysmon PowerShell - Suspicious Param Combination 2017-03-05 22:51:39 +00:00			`title: Suspicious PowerShell Parameter Combination`
			`status: experimental`
			`description: Detects suspicious PowerShell invocation command parameters`
			`author: Florian Roth`
			`logsource:`
			`product: sysmon`
			`detection:`
			`keywords:`
			`- 'powershell'`
			`- ' -nop '`
			`- ' -w hidden '`
			`- ' -exec bypass '`
			`- ' -enc '`
			`condition: all of keywords`
			`falsepositives:`
			`- Penetration tests`
			`- Very special / sneaky PowerShell scripts`
			`level: high`