title: Suspicious PowerShell Parameter Substring
status: experimental
description: Detects suspicious PowerShell invocation with a parameter substring
references:
    - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
author: Florian Roth (rule), Daniel Bohannon (idea)
logsource:
    product: windows
    service: sysmon
detection:
    keywords:
        Image: '*\powershell.exe'
    substrings:
        - ' -windowstyle h '
        - ' -windowstyl h'
        - ' -windowsty h'
        - ' -windowst h'
        - ' -windows h'
        - ' -windo h'
        - ' -wind h'
        - ' -win h'
        - ' -wi h'
        - ' -win h '
        - ' -win hi '
        - ' -win hid '
        - ' -win hidd '
        - ' -win hidde '
        - ' -NoPr '
        - ' -NoPro '
        - ' -NoProf '
        - ' -NoProfi '
        - ' -NoProfil ' 
        - ' -nonin '
        - ' -nonint '
        - ' -noninte '
        - ' -noninter '
        - ' -nonintera '
        - ' -noninterac '
        - ' -noninteract '
        - ' -noninteracti '
        - ' -noninteractiv '
        - ' -ec '
        - ' -encodedComman '
        - ' -encodedComma '
        - ' -encodedComm '
        - ' -encodedCom '
        - ' -encodedCo '
        - ' -encodedC '
        - ' -encoded '
        - ' -encode '
        - ' -encod '
        - ' -enco '
        - ' -en '
    condition: keywords and substrings
falsepositives:
    - Penetration tests
level: high