detection.wiki

Detection rules › Sigma

Suspicious PowerShell Invocations - Specific - ProcessCreation

Severity
medium
Author
Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects suspicious PowerShell invocation command parameters

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation
Security-Auditing4688A new process has been created.

Stages and Predicates

Stage 1: 1 of selection_convert_b64

CommandLine|contains: ' -c '
CommandLine|contains: ' -w '
CommandLine|contains: -nop
CommandLine|contains: '[Convert]::FromBase64String'
CommandLine|contains: hidden

Stage 2: 1 of selection_iex

CommandLine|contains: ' -c '
CommandLine|contains: ' -w '
CommandLine|contains: -noni
CommandLine|contains: -nop
CommandLine|contains: New-Object
CommandLine|contains: hidden
CommandLine|contains: iex

Stage 3: 1 of selection_enc

CommandLine|contains: ' -w '
CommandLine|contains: -Enc
CommandLine|contains: -ep
CommandLine|contains: bypass
CommandLine|contains: hidden

Stage 4: 1 of selection_reg

CommandLine|contains: '\software\'
CommandLine|contains: add
CommandLine|contains: powershell
CommandLine|contains: reg

Stage 5: 1 of selection_webclient

CommandLine|contains: -noprofile
CommandLine|contains: -windowstyle
CommandLine|contains: .download
CommandLine|contains: bypass
CommandLine|contains: hidden
CommandLine|contains: new-object
CommandLine|contains: system.net.webclient

Stage 6: 1 of selection_iex_webclient

CommandLine|contains: .Download
CommandLine|contains: Net.WebClient
CommandLine|contains: New-Object
CommandLine|contains: iex

Stage 7: not 1 of filter_chocolatey

or:
CommandLine|contains: '(New-Object System.Net.WebClient).DownloadString(''https://community.chocolatey.org/install.ps1'
CommandLine|contains: Write-ChocolateyWarning

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • -c corpus 11 (sigma 11)
  • -w
  • (New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1
  • -Enc
  • -ep
  • -noni
  • -nop
  • -noprofile
  • -windowstyle
  • .Download
  • .download
  • Net.WebClient
  • New-Object
  • Write-ChocolateyWarning
  • [Convert]::FromBase64String
  • \software\ corpus 2 (sigma 2)
  • add corpus 16 (sigma 16)
  • bypass corpus 2 (sigma 2)
  • hidden
  • iex corpus 2 (sigma 2)
  • new-object corpus 3 (sigma 3)
  • powershell corpus 16 (sigma 16)
  • reg corpus 4 (sigma 4)
  • system.net.webclient