mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 02:08:54 +00:00
63 lines
1.6 KiB
YAML
63 lines
1.6 KiB
YAML
title: Suspicious PowerShell Invocations - Specific
|
|
id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
|
|
status: experimental
|
|
description: Detects suspicious PowerShell invocation command parameters
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086 #an old one
|
|
author: Florian Roth (rule), Jonhnathan Ribeiro
|
|
date: 2017/03/05
|
|
logsource:
|
|
product: windows
|
|
service: powershell
|
|
detection:
|
|
convert_b64:
|
|
Message|contains|all:
|
|
- '-nop'
|
|
- ' -w '
|
|
- 'hidden'
|
|
- ' -c '
|
|
- '[Convert]::FromBase64String'
|
|
iex_selection:
|
|
Message|contains|all:
|
|
- ' -w '
|
|
- 'hidden'
|
|
- '-noni'
|
|
- '-nop'
|
|
- ' -c '
|
|
- 'iex'
|
|
- 'New-Object'
|
|
enc_selection:
|
|
Message|contains|all:
|
|
- ' -w '
|
|
- 'hidden'
|
|
- '-ep'
|
|
- 'bypass'
|
|
- '-Enc'
|
|
reg_selection:
|
|
Message|contains|all:
|
|
- 'powershell'
|
|
- 'reg'
|
|
- 'add'
|
|
- 'HKCU\software\microsoft\windows\currentversion\run'
|
|
webclient_selection:
|
|
Message|contains|all:
|
|
- 'bypass'
|
|
- '-noprofile'
|
|
- '-windowstyle'
|
|
- 'hidden'
|
|
- 'new-object'
|
|
- 'system.net.webclient'
|
|
- '.download'
|
|
iex_webclient:
|
|
Message|contains|all:
|
|
- 'iex'
|
|
- 'New-Object'
|
|
- 'Net.WebClient'
|
|
- '.Download'
|
|
condition: 1 of them
|
|
falsepositives:
|
|
- Penetration tests
|
|
level: high
|