
Potential Encoded PowerShell Patterns In CommandLine

Severity
low
Author
Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton
Source
upstream

Detects specific combinations of encoding methods in PowerShell via the commandline

MITRE ATT&CK coverage

Tactic           Technique
Execution        T1059.001 Command and Scripting Interpreter: PowerShell
Defense Evasion  T1027 Obfuscated Files or Information

Event coverage

Provider  Event ID  Title
Sysmon    1         Process creation

Stages and Predicates

Stage 1: selection_img

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: PowerShell.EXE
OriginalFileName: pwsh.dll

Stage 2: all of selection_to_1

or:
CommandLine|contains: ToByte
CommandLine|contains: ToDecimal
CommandLine|contains: ToInt
CommandLine|contains: ToSByte
CommandLine|contains: ToSingle
CommandLine|contains: ToUint

Stage 3: all of selection_to_2

or:
CommandLine|contains: String
CommandLine|contains: ToChar
CommandLine|contains: ToString

Stage 4: 1 of selection_gen_1

CommandLine|contains: char
CommandLine|contains: join

Stage 5: 1 of selection_gen_2

CommandLine|contains: join
CommandLine|contains: split
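
The five stages above, applied to constructed Sysmon Event ID 1 records in Python; this is an added example, not the rule's own code or part of the catalog. Sigma string matching is case-insensitive, so the comparisons lower-case both sides; the page lists the stages but not the condition that joins them, so the combination used in rule_matches (image stage, and then either both ToX stages or both gen stages) is an assumption.

```python
# Staged predicates of the rule above applied to Sysmon Event ID 1 records.
# Sigma string matching is case-insensitive, so both sides are lower-cased.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILE_NAMES = ("powershell.exe", "pwsh.dll")
SELECTION_TO_1 = ("ToByte", "ToDecimal", "ToInt", "ToSByte", "ToSingle", "ToUint")
SELECTION_TO_2 = ("String", "ToChar", "ToString")
SELECTION_GEN_1 = ("char", "join")
SELECTION_GEN_2 = ("join", "split")
# Constructed sample events (not real telemetry): char/join/split obfuscation,
# ToInt/ToString conversion, a plain command, and a non-PowerShell image.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -nop -c \"-join (('72,105' -split ',')|%{[char][int]$_})\""},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe", "OriginalFileName": "pwsh.dll",
     "CommandLine": "pwsh.exe -c \"[Convert]::ToInt32('41',16).ToString()\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell.exe -Command \"Get-Process | Select-Object Name\""},
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo [char]65 -join -split"},
]

def _contains_any(value, needles):
    # Sigma 'contains' with a value list: any one substring satisfies it.
    haystack = (value or "").lower()
    return any(n.lower() in haystack for n in needles)

def evaluate_stages(event):
    # Per-stage result for one record; keys mirror the rule's selections.
    image = (event.get("Image") or "").lower()
    ofn = (event.get("OriginalFileName") or "").lower()
    cmd = event.get("CommandLine")
    return {
        "selection_img": image.endswith(IMAGE_SUFFIXES) or ofn in ORIGINAL_FILE_NAMES,
        "selection_to_1": _contains_any(cmd, SELECTION_TO_1),
        "selection_to_2": _contains_any(cmd, SELECTION_TO_2),
        "selection_gen_1": _contains_any(cmd, SELECTION_GEN_1),
        "selection_gen_2": _contains_any(cmd, SELECTION_GEN_2),
    }

def rule_matches(event):
    # ASSUMPTION: the page lists the stages but not the condition joining them;
    # this reads it as img and ((to_1 and to_2) or (gen_1 and gen_2)).
    s = evaluate_stages(event)
    return s["selection_img"] and ((s["selection_to_1"] and s["selection_to_2"])
                                   or (s["selection_gen_1"] and s["selection_gen_2"]))

def matching_indices(events=SAMPLE_EVENTS):
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

Because Sigma contains matching is substring-based, the String value in selection_to_2 is also satisfied by any command line that mentions [string] or ToString, so that stage alone carries little signal on its own.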

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field             Kind        Values
CommandLine       match
  • String
  • ToByte
  • ToChar
  • ToDecimal
  • ToInt
  • ToSByte
  • ToSingle
  • ToString
  • ToUint
  • char
  • join
  • split
Image             ends_with
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
OriginalFileName  eq
  • PowerShell.EXE corpus 64 (sigma 60, splunk 4)
  • pwsh.dll corpus 72 (sigma 68, splunk 4)