title: Suspicious PowerShell Parameter Combination
status: experimental
description: Detects suspicious PowerShell invocation command parameters
author: Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    keywords:
        - 'powershell'
    encoded:
        - ' -enc '
        - ' -EncodedCommand '
    hidden:
        - ' -w hidden '
        - ' -window hidden '
        - ' -windowstyle hidden '
    noninteractive:
        - ' -noni '
        - ' -noninteractive '
    condition: keywords and encoded and hidden and noninteractive
falsepositives:
    - Penetration tests
    - Very special / sneaky PowerShell scripts
level: high