SigmaHQ/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
2020-11-20 01:22:20 -03:00

63 lines
1.6 KiB
YAML

title: Suspicious PowerShell Invocations - Specific
id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
status: experimental
description: Detects suspicious PowerShell invocation command parameters
tags:
- attack.execution
- attack.t1059.001
- attack.t1086 #an old one
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
logsource:
product: windows
service: powershell
detection:
convert_b64:
Message|contains|all:
- '-nop'
- ' -w '
- 'hidden'
- ' -c '
- '[Convert]::FromBase64String'
iex_selection:
Message|contains|all:
- ' -w '
- 'hidden'
- '-noni'
- '-nop'
- ' -c '
- 'iex'
- 'New-Object'
enc_selection:
Message|contains|all:
- ' -w '
- 'hidden'
- '-ep'
- 'bypass'
- '-Enc'
reg_selection:
Message|contains|all:
- 'powershell'
- 'reg'
- 'add'
- 'HKCU\software\microsoft\windows\currentversion\run'
webclient_selection:
Message|contains|all:
- 'bypass'
- '-noprofile'
- '-windowstyle'
- 'hidden'
- 'new-object'
- 'system.net.webclient'
- '.download'
iex_webclient:
Message|contains|all:
- 'iex'
- 'New-Object'
- 'Net.WebClient'
- '.Download'
condition: 1 of them
falsepositives:
- Penetration tests
level: high