title: Suspicious PowerShell Command Line
id: d7bcd677-645d-4691-a8d4-7a5602b780d1
description: Detects the PowerShell command lines with special characters
status: experimental
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
tags:
    - attack.defense_evasion
    - attack.t1027
    - attack.execution
    - attack.t1059.001
author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
date: 2020/10/15
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\powershell.exe'
        CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
    selection2:
        Image|endswith: '\powershell.exe'
        CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
    selection3:
        Image|endswith: '\powershell.exe'
        CommandLine|re: '.*{.*{.*{.*{.*{.*'
    selection4:
        Image|endswith: '\powershell.exe'
        CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*'
    selection5:
        Image|endswith: '\powershell.exe'
        CommandLine|re: '.*`.*`.*`.*`.*`.*'
    condition: selection1 or selection2 or selection3 or selection4 or selection5
falsepositives:
    - Unlikely
level: high