Suspicious PowerShell Parameter Substring
Detects suspicious PowerShell invocation with a parameter substring
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1059.001 Command and Scripting Interpreter: PowerShell |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: selection (both groups below must match; within a group, any single entry is enough)
or:
CommandLine|contains: ' -NoPr '
CommandLine|contains: ' -NoPro '
CommandLine|contains: ' -NoProf '
CommandLine|contains: ' -NoProfi '
CommandLine|contains: ' -NoProfil '
CommandLine|contains: ' -ec '
CommandLine|contains: ' -en '
CommandLine|contains: ' -enco '
CommandLine|contains: ' -encod '
CommandLine|contains: ' -encode '
CommandLine|contains: ' -encoded '
CommandLine|contains: ' -encodedC '
CommandLine|contains: ' -encodedCo '
CommandLine|contains: ' -encodedCom '
CommandLine|contains: ' -encodedComm '
CommandLine|contains: ' -encodedComma '
CommandLine|contains: ' -encodedComman '
CommandLine|contains: ' -ep bypass'
CommandLine|contains: ' -ex bypass'
CommandLine|contains: ' -exe bypass'
CommandLine|contains: ' -exec bypass'
CommandLine|contains: ' -execu bypass'
CommandLine|contains: ' -execut bypass'
CommandLine|contains: ' -executi bypass'
CommandLine|contains: ' -executio bypass'
CommandLine|contains: ' -execution bypass'
CommandLine|contains: ' -executionp '
CommandLine|contains: ' -executionpo '
CommandLine|contains: ' -executionpol '
CommandLine|contains: ' -executionpoli '
CommandLine|contains: ' -executionpolic '
CommandLine|contains: ' -nonin '
CommandLine|contains: ' -nonint '
CommandLine|contains: ' -noninte '
CommandLine|contains: ' -noninter '
CommandLine|contains: ' -nonintera '
CommandLine|contains: ' -noninterac '
CommandLine|contains: ' -noninteract '
CommandLine|contains: ' -noninteracti '
CommandLine|contains: ' -noninteractiv '
CommandLine|contains: ' -wi h'
CommandLine|contains: ' -win h '
CommandLine|contains: ' -win h'
CommandLine|contains: ' -win hi '
CommandLine|contains: ' -win hid '
CommandLine|contains: ' -win hidd '
CommandLine|contains: ' -win hidde '
CommandLine|contains: ' -wind h'
CommandLine|contains: ' -windo h'
CommandLine|contains: ' -windows h'
CommandLine|contains: ' -windowst h'
CommandLine|contains: ' -windowsty h'
CommandLine|contains: ' -windowstyl h'
CommandLine|contains: ' -windowstyle h '
CommandLine|contains: ' /NoPr '
CommandLine|contains: ' /NoPro '
CommandLine|contains: ' /NoProf '
CommandLine|contains: ' /NoProfi '
CommandLine|contains: ' /NoProfil '
CommandLine|contains: ' /ec '
CommandLine|contains: ' /en '
CommandLine|contains: ' /enco '
CommandLine|contains: ' /encod '
CommandLine|contains: ' /encode '
CommandLine|contains: ' /encoded '
CommandLine|contains: ' /encodedC '
CommandLine|contains: ' /encodedCo '
CommandLine|contains: ' /encodedCom '
CommandLine|contains: ' /encodedComm '
CommandLine|contains: ' /encodedComma '
CommandLine|contains: ' /encodedComman '
CommandLine|contains: ' /ep bypass'
CommandLine|contains: ' /ex bypass'
CommandLine|contains: ' /exe bypass'
CommandLine|contains: ' /exec bypass'
CommandLine|contains: ' /execu bypass'
CommandLine|contains: ' /execut bypass'
CommandLine|contains: ' /executi bypass'
CommandLine|contains: ' /executio bypass'
CommandLine|contains: ' /execution bypass'
CommandLine|contains: ' /executionp '
CommandLine|contains: ' /executionpo '
CommandLine|contains: ' /executionpol '
CommandLine|contains: ' /executionpoli '
CommandLine|contains: ' /executionpolic '
CommandLine|contains: ' /nonin '
CommandLine|contains: ' /nonint '
CommandLine|contains: ' /noninte '
CommandLine|contains: ' /noninter '
CommandLine|contains: ' /nonintera '
CommandLine|contains: ' /noninterac '
CommandLine|contains: ' /noninteract '
CommandLine|contains: ' /noninteracti '
CommandLine|contains: ' /noninteractiv '
CommandLine|contains: ' /wi h'
CommandLine|contains: ' /win h '
CommandLine|contains: ' /win h'
CommandLine|contains: ' /win hi '
CommandLine|contains: ' /win hid '
CommandLine|contains: ' /win hidd '
CommandLine|contains: ' /win hidde '
CommandLine|contains: ' /wind h'
CommandLine|contains: ' /windo h'
CommandLine|contains: ' /windows h'
CommandLine|contains: ' /windowst h'
CommandLine|contains: ' /windowsty h'
CommandLine|contains: ' /windowstyl h'
CommandLine|contains: ' /windowstyle h '
or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
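The selection above, written out as a small evaluator and run over constructed process-creation events. This is an added example, not code from the rule catalog or from the Sigma project. It assumes Sysmon Event ID 1 field names (Image, CommandLine) and accepts NewProcessName as the Security 4688 equivalent, which is how the Sigma process_creation mapping treats that field; the four sample events are constructed. Because the 108 substrings follow a regular abbreviation pattern, the block generates them rather than typing them out and checks that the generated count is 108. The second sample shows a point worth knowing when tuning: a fully spelled -NoProfile -ExecutionPolicy Bypass command line does not fire this rule, because only the abbreviated spellings are listed; the third shows that the trailing-space entries deliberately stop an abbreviation like ' -win h' from matching only the exact string.

```python
# Added example: evaluate the "Suspicious PowerShell Parameter Substring"
# selection over constructed events. Not the catalog's own code.

# Irregular entries for the -WindowStyle family, copied from the rule
# (note which ones carry a trailing space and which do not).
WINDOWSTYLE_TAILS = [
    "wi h", "win h ", "win h", "win hi ", "win hid ", "win hidd ", "win hidde ",
    "wind h", "windo h", "windows h", "windowst h", "windowsty h",
    "windowstyl h", "windowstyle h ",
]


def build_substrings():
    """Generate the rule's CommandLine|contains list (108 entries)."""
    tails = []
    # ' -NoPr ' .. ' -NoProfil ' (the full -NoProfile is *not* listed)
    tails += ["NoProfile"[:n] + " " for n in range(4, 9)]
    # ' -ec ', ' -en ', ' -enco ' .. ' -encodedComman ' (no 'enc')
    tails += ["ec "] + ["encodedCommand"[:n] + " " for n in [2, *range(4, 14)]]
    # ' -ep bypass', ' -ex bypass' .. ' -execution bypass'
    tails += ["ep bypass"] + ["executionpolicy"[:n] + " bypass" for n in range(2, 10)]
    # ' -executionp ' .. ' -executionpolic '
    tails += ["executionpolicy"[:n] + " " for n in range(10, 15)]
    # ' -nonin ' .. ' -noninteractiv '
    tails += ["noninteractive"[:n] + " " for n in range(5, 14)]
    tails += WINDOWSTYLE_TAILS
    # The rule lists every '-' form first, then every '/' form.
    return [f" {p}{t}" for p in "-/" for t in tails]


SUBSTRINGS = build_substrings()
assert len(SUBSTRINGS) == 108  # same number of entries as the rule

# Image|endswith values from the rule.
IMAGE_SUFFIXES = [r"\powershell.exe", r"\pwsh.exe"]


def evaluate(event):
    """Return the first matching substring if the selection fires, else None.

    Sigma string matching is case-insensitive by default, so both sides are
    lowercased. Both groups must hold: image suffix AND a command-line hit.
    """
    image = (event.get("Image") or event.get("NewProcessName") or "").lower()
    if not any(image.endswith(s) for s in IMAGE_SUFFIXES):
        return None
    cmd = (event.get("CommandLine") or "").lower()
    for s in SUBSTRINGS:
        if s.lower() in cmd:
            return s
    return None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # abbreviated parameters: fires on ' -ep bypass'
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -nop -w hidden -ep bypass -c "Get-Date"',
    },
    {   # fully spelled parameters: outside this rule's scope, no hit
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
    {   # PowerShell 7, 4688-style field name: fires on ' -win h '
        "NewProcessName": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "CommandLine": r"pwsh.exe -win h -NonInteractive -File C:\tasks\x.ps1",
    },
    {   # same substring in a non-PowerShell image: image group fails, no hit
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c echo -ep bypass",
    },
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every event; returns a list of (index, matched substring or None)."""
    return [(i, evaluate(e)) for i, e in enumerate(events)]


if __name__ == "__main__":
    for i, hit in run():
        print(f"event {i}: {'ALERT ' + repr(hit) if hit else 'no match'}")
```

Running the block prints an alert for events 0 and 2 and no match for 1 and 3. When porting this rule to a SIEM, preserve the leading and trailing spaces of each value exactly: dropping them turns ' -en ' into a match on any command line containing "-en", which is the kind of over-broad pattern that floods a queue.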
Indicators
Each row lists a field, the operator applied to it, and the values the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| CommandLine | match | the 108 parameter substrings listed under Stage 1 (' -NoPr ' … ' /windowstyle h ') |
| Image | ends_with | '\powershell.exe', '\pwsh.exe' |