Suspicious PowerShell Invocation

2024-11-06 17:35:19 +00:00 · 2017-03-12 17:06:53 +01:00 · 2017-03-12 17:06:53 +01:00 · de689c32b5
commit de689c32b5
parent d6957f1c2e
2 changed files with 22 additions and 0 deletions
--- a/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_generic.yml
@ -0,0 +1,22 @@
+title: Suspicious PowerShell Invocations - Generic
+status: experimental
+description: Detects suspicious PowerShell invocation command parameters
+author: Florian Roth (rule)
+logsource:
+    platform: windows
+    product: powershell
+detection:
+    encoded:
+        - ' -enc '
+        - ' -EncodedCommand '
+    hidden:
+        - ' -w hidden '
+        - ' -window hidden '
+        - ' - windowstyle hidden '
+    noninteractive:
+        - ' -noni '
+        - ' -noninteractive '
+    condition: encoded and hidden and noninteractive
+falsepositives:
+    - Penetration tests
+level: high
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml