2017-03-13 09:23:08 +01:00
title : Suspicious PowerShell Invocations - Specific
2019-11-12 23:12:27 +01:00
id : fce5f582-cc00-41e1-941a-c6fabf0fdb8c
2017-03-05 15:01:51 +01:00
status : experimental
description : Detects suspicious PowerShell invocation command parameters
2018-07-24 10:56:41 +02:00
tags :
- attack.execution
2020-06-16 14:46:08 -06:00
- attack.t1059.001
2020-08-24 00:01:50 +00:00
- attack.t1086 #an old one
2020-11-20 01:22:20 -03:00
author : Florian Roth (rule), Jonhnathan Ribeiro
2020-01-30 16:07:37 +01:00
date : 2017 /03/05
2017-03-05 15:01:51 +01:00
logsource :
2017-03-21 10:22:13 +01:00
product : windows
service : powershell
2021-08-21 09:50:59 +02:00
definition : Script block logging must be enabled for 4104, Module Logging must be enabled for 4103
2017-03-05 15:01:51 +01:00
detection :
2020-11-20 01:22:20 -03:00
convert_b64 :
2021-08-12 14:03:18 +02:00
- '-nop'
- ' -w '
- 'hidden'
- ' -c '
- '[Convert]::FromBase64String'
2020-11-20 01:22:20 -03:00
iex_selection :
2021-08-12 14:03:18 +02:00
- ' -w '
- 'hidden'
- '-noni'
- '-nop'
- ' -c '
- 'iex'
- 'New-Object'
2020-11-20 01:22:20 -03:00
enc_selection :
2021-08-12 14:03:18 +02:00
- ' -w '
- 'hidden'
- '-ep'
- 'bypass'
- '-Enc'
2020-11-20 01:22:20 -03:00
reg_selection :
2021-08-12 14:03:18 +02:00
- 'powershell'
- 'reg'
- 'add'
- 'HKCU\software\microsoft\windows\currentversion\run'
2020-11-20 01:22:20 -03:00
webclient_selection :
2021-08-12 14:03:18 +02:00
- 'bypass'
- '-noprofile'
- '-windowstyle'
- 'hidden'
- 'new-object'
- 'system.net.webclient'
- '.download'
2020-11-20 01:22:20 -03:00
iex_webclient :
2021-08-12 14:03:18 +02:00
- 'iex'
- 'New-Object'
- 'Net.WebClient'
- '.Download'
condition : all of convert_b64 or all of iex_selection or all of enc_selection or all of reg_selection or all of webclient_selection or all of iex_webclient
2017-03-05 15:01:51 +01:00
falsepositives :
- Penetration tests
level : high
