Techniques
Sample rules
Suspicious Powershell In Registry Run Keys
- source: sigma
- techniques:
- t1547
- t1547.001
Description
Detects potential PowerShell commands or code within registry run keys
Detection logic
selection:
    TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Run'
    Details|contains:
        - 'powershell'
        - 'pwsh '
        - 'FromBase64String'
        - '.DownloadFile('
        - '.DownloadString('
        - ' -w hidden '
        - ' -w 1 '
        - '-windowstyle hidden'
        - '-window hidden'
        - ' -nop '
        - ' -encodedcommand '
        - '-ExecutionPolicy Bypass'
        - 'Invoke-Expression'
        - 'IEX ('
        - 'Invoke-Command'
        - 'ICM -'
        - 'Invoke-WebRequest'
        - 'IWR '
        - ' -noni '
        - ' -noninteractive '
condition: selection
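The selection above, rendered as a small Python matcher and run over constructed registry value-set records, to show what the rule fires on and what it misses. This is an added example, not code from the Sigma project or any Sigma backend. It assumes the event fields `TargetObject` and `Details` as Sysmon Event ID 13 (RegistryEvent, Value Set) populates them, applies Sigma's `contains` modifier as a case-insensitive substring test, and uses sample events constructed here (the key paths, SID, command lines and base64 blob are made up, not real telemetry).

```python
"""Run the 'Suspicious Powershell In Registry Run Keys' selection over
constructed Sysmon EID 13 style records. Added example, not Sigma code."""

# Patterns copied from the rule. Sigma `contains` is a case-insensitive
# substring test, so the leading/trailing spaces in ' -w hidden ' etc. matter.
DETAILS_CONTAINS = [
    "powershell", "pwsh ", "FromBase64String", ".DownloadFile(",
    ".DownloadString(", " -w hidden ", " -w 1 ", "-windowstyle hidden",
    "-window hidden", " -nop ", " -encodedcommand ", "-ExecutionPolicy Bypass",
    "Invoke-Expression", "IEX (", "Invoke-Command", "ICM -",
    "Invoke-WebRequest", "IWR ", " -noni ", " -noninteractive ",
]
TARGET_CONTAINS = r"\Software\Microsoft\Windows\CurrentVersion\Run"


def fired_patterns(value, patterns):
    """Sigma list semantics for `|contains`: return every pattern that is a
    case-insensitive substring of value (any hit satisfies the field)."""
    lowered = value.lower()
    return [p for p in patterns if p.lower() in lowered]


def matches(event):
    """Evaluate `condition: selection` for one event.

    Both fields of the selection are ANDed: the value must sit under a
    ...\CurrentVersion\Run* key AND the written data must contain at least
    one of the PowerShell indicators. Returns the indicators that fired,
    or [] when the event does not match."""
    target = event.get("TargetObject", "")
    if TARGET_CONTAINS.lower() not in target.lower():
        return []
    return fired_patterns(event.get("Details", ""), DETAILS_CONTAINS)


def scan(events):
    """Return (TargetObject, fired indicators) for every matching event."""
    return [(e["TargetObject"], hits) for e in events if (hits := matches(e))]


# Constructed sample events (not real telemetry); fake SID and paths.
HKU_RUN = (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")
SAMPLE_EVENTS = [
    {   # hidden, encoded PowerShell persisted in HKCU Run: should fire
        "TargetObject": HKU_RUN + r"\Updater",
        "Details": "powershell.exe -nop -w hidden -encodedcommand "
                   "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
    {   # ordinary autostart entry: should stay quiet
        "TargetObject": HKU_RUN + r"\OneDrive",
        "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive'
                   r'\OneDrive.exe" /background',
    },
    {   # PowerShell string, but not under a Run key: TargetObject gate rejects it
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                        r"\App Paths\powershell.exe\(Default)",
        "Details": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    },
    {   # RunOnce is covered too, because 'Run' is a substring of 'RunOnce'
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                        r"\RunOnce\Stage2",
        "Details": r'cmd /c "powershell -ExecutionPolicy Bypass'
                   r' -File C:\Users\Public\s.ps1"',
    },
    {   # copied pwsh.exe, long-form -NoProfile, and '-w hidden' at the very
        # end of the value: none of the space-padded patterns match
        "TargetObject": HKU_RUN + r"\Sync",
        "Details": r"C:\Users\Public\p7\pwsh.exe -NoProfile -w hidden",
    },
]


if __name__ == "__main__":
    for target, hits in scan(SAMPLE_EVENTS):
        print(f"ALERT {target}: {hits}")
```

Two points the run makes visible. The `TargetObject` test is a substring match, so it covers `RunOnce` (and any other key whose path contains `CurrentVersion\Run`), not just `Run`. The space-padded `Details` patterns only fire when the switch is surrounded by other tokens, so a value that ends in `-w hidden`, spells out `-NoProfile`, or launches a copied `pwsh.exe` (no `pwsh ` with a trailing space, no `powershell` in the path) slips past this selection; treat the rule as a high-signal first pass over Run-key writes rather than complete coverage of T1547.001.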