title: Suspicious PowerShell Command Line
id: d7bcd677-645d-4691-a8d4-7a5602b780d1
status: test
description: Detects the PowerShell command lines with special characters
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
references:
  - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
date: 2020/10/15
modified: 2021/11/27
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith: '\powershell.exe'
    CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
  selection2:
    Image|endswith: '\powershell.exe'
    CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
  selection3:
    Image|endswith: '\powershell.exe'
    CommandLine|re: '.*{.*{.*{.*{.*{.*'
  selection4:
    Image|endswith: '\powershell.exe'
    CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*'
  selection5:
    Image|endswith: '\powershell.exe'
    CommandLine|re: '.*`.*`.*`.*`.*`.*'
  condition: selection1 or selection2 or selection3 or selection4 or selection5
falsepositives:
  - Unlikely
level: high
tags:
  - attack.defense_evasion
  - attack.t1027
  - attack.execution
  - attack.t1059.001