Techniques
Sample rules
Suspicious PowerShell IEX Execution Patterns
- source: sigma
- techniques:
  - t1059
  - t1059.001
Description
Detects suspicious ways to run Invoke-Expression using the IEX alias
Detection logic
condition: all of selection_combined_* or selection_standalone
selection_combined_1:
  CommandLine|contains:
    - ' | iex;'
    - ' | iex '
    - ' | iex}'
    - ' | IEX ;'
    - ' | IEX -Error'
    - ' | IEX (new'
    - ');IEX '
  Image|endswith:
    - \powershell.exe
    - \pwsh.exe
selection_combined_2:
  CommandLine|contains:
    - ::FromBase64String
    - '.GetString([System.Convert]::'
selection_standalone:
  CommandLine|contains:
    - )|iex;$
    - );iex($
    - );iex $
    - ' | IEX | '
    - ' | iex\"'
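
The condition above, evaluated over constructed process-creation events, as an added example that is not part of the original rule or of any Sigma tooling. It assumes Sigma's default case-insensitive string matching and events carrying only Image and CommandLine; the helper names and sample command lines are constructed for illustration.

```python
# Added example: the rule's selections transcribed as data, then evaluated.
# Assumption: Sigma string modifiers match case-insensitively.
COMBINED_1 = {
    "CommandLine|contains": [" | iex;", " | iex ", " | iex}", " | IEX ;",
                             " | IEX -Error", " | IEX (new", ");IEX "],
    "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
}
COMBINED_2 = {
    "CommandLine|contains": ["::FromBase64String", ".GetString([System.Convert]::"],
}
STANDALONE = {
    "CommandLine|contains": [")|iex;$", ");iex($", ");iex $", " | IEX | ", ' | iex\\"'],
}

def field_matches(event, key, patterns):
    """List values under one field are ORed; comparison ignores case."""
    field, modifier = key.split("|")
    value = event.get(field, "").lower()
    if modifier == "contains":
        return any(p.lower() in value for p in patterns)
    if modifier == "endswith":
        return any(value.endswith(p.lower()) for p in patterns)
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection):
    """Every field inside a selection must match (AND)."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    """condition: all of selection_combined_* or selection_standalone"""
    combined = selection_matches(event, COMBINED_1) and selection_matches(event, COMBINED_2)
    return combined or selection_matches(event, STANDALONE)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events (not real telemetry).
EVENTS = {
    "decode_then_iex": {"Image": PS, "CommandLine": r'''powershell.exe -nop -c "[Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('CONSTRUCTED')) | IEX ; exit"'''},
    "pipe_to_iex_only": {"Image": PS, "CommandLine": r'''powershell.exe -c "Get-Content .\setup.ps1 | iex "'''},
    "decode_only": {"Image": PS, "CommandLine": r'''powershell.exe -c "[System.Convert]::FromBase64String('CONSTRUCTED').Length"'''},
    "standalone_via_cmd": {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'''cmd.exe /c powershell -c "$s=(Get-Content .\a.txt);iex $s"'''},
}

def evaluate():
    return {name: rule_matches(ev) for name, ev in EVENTS.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:20} {'ALERT' if hit else 'no match'}")
```

Only the first and last events alert: the two combined selections must both match on the same event, while selection_standalone has no Image constraint and fires on the command line alone.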