rules/windows/powershell/powershell_suspicious_invocation_specific.yml

title: Suspicious PowerShell Invocations - Specific
id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
status: experimental
description: Detects suspicious PowerShell invocation command parameters
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1086  #an old one
author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
logsource:
    product: windows
    service: powershell
detection:
    convert_b64:
        Message|contains|all:
            - '-nop'
            - ' -w ' 
            - 'hidden' 
            - ' -c '
            - '[Convert]::FromBase64String'
    iex_selection:
        Message|contains|all:
            - ' -w ' 
            - 'hidden'
            - '-noni'
            - '-nop' 
            - ' -c '
            - 'iex'
            - 'New-Object'
    enc_selection:
        Message|contains|all:
            - ' -w ' 
            - 'hidden'
            - '-ep'
            - 'bypass'
            - '-Enc'
    reg_selection:
        Message|contains|all:
            - 'powershell' 
            - 'reg'
            - 'add'
            - 'HKCU\software\microsoft\windows\currentversion\run'
    webclient_selection:
        Message|contains|all:
            - 'bypass' 
            - '-noprofile'
            - '-windowstyle'
            - 'hidden'
            - 'new-object'
            - 'system.net.webclient'
            - '.download'
    iex_webclient:
        Message|contains|all:
            - 'iex'
            - 'New-Object'
            - 'Net.WebClient'
            - '.Download'
    condition: 1 of them
falsepositives:
    - Penetration tests
level: high
Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00			`title: Suspicious PowerShell Invocations - Specific`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c`
More PowerShell rules 2017-03-05 15:01:51 +01:00			`status: experimental`
			`description: Detects suspicious PowerShell invocation command parameters`
Tagged windows powershell, other and malware rules. 2018-07-24 10:56:41 +02:00			`tags:`
			`- attack.execution`
Initial round of subtechnique updates 2020-06-16 14:46:08 -06:00			`- attack.t1059.001`
windows/powershell folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-24 00:01:50 +00:00			`- attack.t1086 #an old one`
Improve Logic 2020-11-20 01:22:20 -03:00			`author: Florian Roth (rule), Jonhnathan Ribeiro`
fix: fixed missing date fields in remaining files 2020-01-30 16:07:37 +01:00			`date: 2017/03/05`
More PowerShell rules 2017-03-05 15:01:51 +01:00			`logsource:`
Bugfix: PowerShell rules log source inconstency 2017-03-21 10:22:13 +01:00			`product: windows`
			`service: powershell`
More PowerShell rules 2017-03-05 15:01:51 +01:00			`detection:`
Improve Logic 2020-11-20 01:22:20 -03:00			`convert_b64:`
			`Message\|contains\|all:`
			`- '-nop'`
			`- ' -w '`
			`- 'hidden'`
			`- ' -c '`
			`- '[Convert]::FromBase64String'`
			`iex_selection:`
			`Message\|contains\|all:`
			`- ' -w '`
			`- 'hidden'`
			`- '-noni'`
			`- '-nop'`
			`- ' -c '`
			`- 'iex'`
			`- 'New-Object'`
			`enc_selection:`
			`Message\|contains\|all:`
			`- ' -w '`
			`- 'hidden'`
			`- '-ep'`
			`- 'bypass'`
			`- '-Enc'`
			`reg_selection:`
			`Message\|contains\|all:`
			`- 'powershell'`
			`- 'reg'`
			`- 'add'`
			`- 'HKCU\software\microsoft\windows\currentversion\run'`
			`webclient_selection:`
			`Message\|contains\|all:`
			`- 'bypass'`
			`- '-noprofile'`
			`- '-windowstyle'`
			`- 'hidden'`
			`- 'new-object'`
			`- 'system.net.webclient'`
			`- '.download'`
			`iex_webclient:`
			`Message\|contains\|all:`
			`- 'iex'`
			`- 'New-Object'`
			`- 'Net.WebClient'`
			`- '.Download'`
			`condition: 1 of them`
More PowerShell rules 2017-03-05 15:01:51 +01:00			`falsepositives:`
			`- Penetration tests`
			`level: high`