LoFP / other tools that work with encoded scripts in the command line instead of script files

Techniques

Sample rules

Suspicious PowerShell Encoded Command Patterns

Description

Detects PowerShell command line patterns in combination with encoded commands that often appear in malware infection chains

Detection logic

condition: all of selection_* and not 1 of filter_*
filter_gcworker:
  ParentImage|contains:
  - C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\
  - \gc_worker.exe
selection_encoded:
  CommandLine|contains:
  - ' JAB'
  - ' SUVYI'
  - ' SQBFAFgA'
  - ' aWV4I'
  - ' IAB'
  - ' PAA'
  - ' aQBlAHgA'
selection_flags:
  CommandLine|contains:
  - ' -e '
  - ' -en '
  - ' -enc '
  - ' -enco'
selection_img:
- Image|endswith:
  - \powershell.exe
  - \pwsh.exe
- OriginalFileName:
  - PowerShell.Exe
  - pwsh.dll
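As an added illustration (not part of the LoFP page or the rule's source), the Python below evaluates the rule's selection/filter logic over constructed process-creation events. It also shows where the markers come from: -EncodedCommand takes base64 of UTF-16LE text, so a script starting with '$', 'IEX' or 'iex' always encodes to 'JAB', 'SQBFAFgA' or 'aQBlAHgA'. The event field names and sample paths are assumptions, not values from the page.

```python
import base64

# Substrings from the rule above; Sigma 'contains' and 'endswith' are case-insensitive.
ENCODED_MARKERS = [" JAB", " SUVYI", " SQBFAFgA", " aWV4I", " IAB", " PAA", " aQBlAHgA"]
FLAG_MARKERS = [" -e ", " -en ", " -enc ", " -enco"]
IMAGE_SUFFIXES = ["\\powershell.exe", "\\pwsh.exe"]
ORIGINAL_FILENAMES = ["powershell.exe", "pwsh.dll"]
FILTER_PARENT = ["c:\\packages\\plugins\\microsoft.guestconfiguration.configurationforwindows\\",
                 "\\gc_worker.exe"]

def _contains_any(value, needles):
    value = value.lower()
    return any(n.lower() in value for n in needles)

def encode_command(script):
    """Base64 of the UTF-16LE script, the form -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def matches_rule(event):
    """Evaluate 'all of selection_* and not 1 of filter_*' for one process-creation
    event (dict with Sysmon-style Image, OriginalFileName, CommandLine, ParentImage)."""
    image, cmd = event.get("Image", "").lower(), event.get("CommandLine", "")
    sel_img = (any(image.endswith(s) for s in IMAGE_SUFFIXES)
               or event.get("OriginalFileName", "").lower() in ORIGINAL_FILENAMES)
    sel_flags = _contains_any(cmd, FLAG_MARKERS)
    sel_encoded = _contains_any(cmd, ENCODED_MARKERS)
    filtered = _contains_any(event.get("ParentImage", ""), FILTER_PARENT)
    return sel_img and sel_flags and sel_encoded and not filtered

# Constructed sample events, not real telemetry; the paths are illustrative assumptions.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
GC = r"C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\gc_worker.exe"
SAMPLES = {
    # '$x' encodes to 'JAB4...', so the ' JAB' marker fires right after '-enc '.
    "dollar_script": {"Image": PS, "OriginalFileName": "PowerShell.Exe",
                      "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_command("$x = 1"),
                      "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Same command line spawned by the Guest Configuration worker: dropped by filter_gcworker.
    "gc_worker_child": {"Image": PS, "OriginalFileName": "PowerShell.Exe",
                        "CommandLine": "powershell.exe -enc " + encode_command("$x = 1"),
                        "ParentImage": GC},
    # Encoded, but 'Get-Date' encodes to 'RwBl...': none of the markers match, so no alert.
    "plain_cmdlet": {"Image": PS, "OriginalFileName": "PowerShell.Exe",
                     "CommandLine": "powershell.exe -enc " + encode_command("Get-Date"),
                     "ParentImage": r"C:\Windows\System32\cmd.exe"},
}

def evaluate_samples():
    """Sample name -> whether the rule would alert on that event."""
    return {name: matches_rule(ev) for name, ev in SAMPLES.items()}
```

The third sample is the point to keep in mind when tuning: the rule keys on how the encoded script begins, not on the presence of -enc alone, so a false positive from this list is a benign script that starts with a variable, whitespace, '<' or iex.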