title: Encoded PowerShell Command Line
id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
description: Detects specific combinations of encoding methods in PowerShell command lines
status: experimental
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
date: 2020/10/11
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\powershell.exe'
    selection2:
        # a [char] array assembled with -join (the original had the typo 'joint')
        CommandLine|all:
            - '*char*'
            - '*join*'
    selection3:
        CommandLine|contains:
            - 'ToInt'
            - 'ToDecimal'
            - 'ToByte'
            - 'ToSingle'
            - 'ToSByte'
    selection4:
        CommandLine|contains:
            - 'ToChar'
            - 'ToString'
            - 'String'
    selection5:
        CommandLine|all:
            - '*split*'
            - '*join*'
    selection6:
        CommandLine|all:
            - '*ForEach*'
            - '*Xor*'
    selection7:
        CommandLine|contains:
            - 'cOnvErTTO-SECUreStRIng'
    condition: selection1 and (selection2 or (selection3 and selection4) or selection5 or selection6 or selection7)
falsepositives:
    - Unlikely
level: high
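To show how the condition above evaluates against real process_creation telemetry, here is an added example that re-implements the rule's selections and condition in plain Python and runs them over constructed sample events. It is not Sigma's own engine or pySigma, and the event dicts, the `matches` helper and the sample command lines are assumptions made for illustration.

```python
# Added example, not Sigma's own engine or pySigma: a pure-Python evaluation
# of the rule above over constructed events (event dicts and names are assumptions).
# Sigma string matching is case-insensitive, so values are lower-cased first;
# that is why the odd casing in selection7 still matches normal casing.
SEL2_ALL = ("char", "join")
SEL3_ANY = ("toint", "todecimal", "tobyte", "tosingle", "tosbyte")
SEL4_ANY = ("tochar", "tostring", "string")
SEL5_ALL = ("split", "join")
SEL6_ALL = ("foreach", "xor")
SEL7_ANY = ("convertto-securestring",)

def matches(event: dict) -> bool:
    """Return True when the event satisfies the rule's condition."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith("\\powershell.exe"):  # selection1: powershell.exe only
        return False
    sel2 = all(s in cmd for s in SEL2_ALL)       # [char] ... -join
    sel3 = any(s in cmd for s in SEL3_ANY)       # numeric conversion method
    sel4 = any(s in cmd for s in SEL4_ANY)       # paired with a char/string cast
    sel5 = all(s in cmd for s in SEL5_ALL)       # split then join
    sel6 = all(s in cmd for s in SEL6_ALL)       # ForEach with XOR
    sel7 = any(s in cmd for s in SEL7_ANY)       # ConvertTo-SecureString
    return sel2 or (sel3 and sel4) or sel5 or sel6 or sel7

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not real telemetry), one per interesting branch.
SAMPLES = [
    # [char] array joined into a string -> selection2
    {"Image": PS, "CommandLine": 'powershell -c "-join ([char]72,[char]105)"'},
    # ToInt32 alone, no char/string cast -> selection3 without selection4, no hit
    {"Image": PS, "CommandLine": "powershell -c \"[Convert]::ToInt32('41',16)\""},
    # hex byte converted and cast to string -> selection3 and selection4
    {"Image": PS, "CommandLine": "powershell -c \"[string][Convert]::ToByte('41',16)\""},
    # byte-wise XOR inside ForEach-Object -> selection6
    {"Image": PS, "CommandLine": 'powershell -c "$b | ForEach-Object { $_ -bxor 0x2a }"'},
    # ConvertTo-SecureString in normal casing still hits selection7
    {"Image": PS, "CommandLine": 'powershell -c "ConvertTo-SecureString -String $x"'},
    # ordinary script execution -> no selection fires
    {"Image": PS, "CommandLine": "powershell -File C:\\scripts\\backup.ps1"},
    # same encoding tokens, but the image is cmd.exe -> selection1 fails
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c echo [char]65 -join"},
]

def run_samples() -> list:
    """Evaluate every sample; expected: [True, False, True, True, True, False, False]."""
    return [matches(e) for e in SAMPLES]
```

Note that `Image|endswith: '\powershell.exe'` does not cover PowerShell 7 (`pwsh.exe`), so a hunt that also wants to see pwsh activity needs a second image value.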