28 lines
1.1 KiB
YAML
28 lines
1.1 KiB
YAML
title: Suspicious PowerShell Invocations - Specific
|
|
author: Florian Roth (rule), Jonhnathan Ribeiro
|
|
date: 2017/03/05
|
|
description: Detects suspicious PowerShell invocation command parameters
|
|
detection:
|
|
condition: (((( -w and hidden and ((-nop and -c and ([Convert]::FromBase64String
|
|
or (-noni and iex and New-Object))) or (-ep and bypass and -Enc))) or (powershell
|
|
and reg and add and HKCU\software\microsoft\windows\currentversion\run)) or
|
|
(bypass and -noprofile and -windowstyle and hidden and new-object and system.net.webclient
|
|
and .download)) or (iex and New-Object and Net.WebClient and .Download))
|
|
falsepositives:
|
|
- Penetration tests
|
|
id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
|
|
level: high
|
|
logsource:
|
|
definition: Script block logging must be enabled for 4104, Module Logging must
|
|
be enabled for 4103
|
|
product: windows
|
|
service: powershell
|
|
status: deprecated
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086
|
|
yml_filename: powershell_suspicious_invocation_specific.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/deprecated
|
|
|