title: Suspicious PowerShell Invocations - Generic
ruletype: Sigma
author: Florian Roth (rule)
date: 2017/03/12
description: Detects suspicious PowerShell invocation command parameters
detection:
  SELECTION_1:
  - ' -enc '
  - ' -EncodedCommand '
  SELECTION_2:
  - ' -w hidden '
  - ' -window hidden '
  - ' -windowstyle hidden '
  SELECTION_3:
  - ' -noni '
  - ' -noninteractive '
  condition: ((SELECTION_1) and (SELECTION_2) and (SELECTION_3))
falsepositives:
- Penetration tests
- Very special / sneaky PowerShell scripts
id: 3d304fda-78aa-43ed-975c-d740798a49c1
level: high
logsource:
  product: windows
  service: powershell
modified: 2021/12/02
status: deprecated
tags:
- attack.execution
- attack.t1059.001
- attack.t1086