Techniques
Sample rules
Suspicious PowerShell Invocations - Generic - PowerShell Module
- source: sigma
- techniques:
  - t1059
  - t1059.001
Description
Detects suspicious PowerShell invocation command parameters
Detection logic
condition: all of selection*
selection_encoded:
  ContextInfo|contains:
    - ' -enc '
    - ' -EncodedCommand '
    - ' -ec '
selection_hidden:
  ContextInfo|contains:
    - ' -w hidden '
    - ' -window hidden '
    - ' -windowstyle hidden '
    - ' -w 1 '
selection_noninteractive:
  ContextInfo|contains:
    - ' -noni '
    - ' -noninteractive '
Suspicious PowerShell Invocations - Generic
- source: sigma
- techniques:
  - t1059
  - t1059.001
Description
Detects suspicious PowerShell invocation command parameters
Detection logic
condition: all of selection*
selection_encoded:
  ScriptBlockText|contains:
    - ' -enc '
    - ' -EncodedCommand '
    - ' -ec '
selection_hidden:
  ScriptBlockText|contains:
    - ' -w hidden '
    - ' -window hidden '
    - ' -windowstyle hidden '
    - ' -w 1 '
selection_noninteractive:
  ScriptBlockText|contains:
    - ' -noni '
    - ' -noninteractive '
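As an added example (not code from this page or from the Sigma project), the following Python re-implements the "all of selection*" logic of the two rules above and runs it over constructed sample events; the selection values are transcribed verbatim, the event texts and the "Host Application =" prefix are assumptions, and the last event shows how the space-padded values miss a switch that ends the text.

```python
# Added example: minimal evaluator for the two rules above (not Sigma's own code).
from typing import Dict, List

# Selection values transcribed verbatim from the rules on this page.
SELECTIONS: Dict[str, List[str]] = {
    "selection_encoded": [" -enc ", " -EncodedCommand ", " -ec "],
    "selection_hidden": [" -w hidden ", " -window hidden ",
                         " -windowstyle hidden ", " -w 1 "],
    "selection_noninteractive": [" -noni ", " -noninteractive "],
}

# The two rules differ only in the log field they inspect.
RULE_FIELDS: Dict[str, str] = {
    "Suspicious PowerShell Invocations - Generic - PowerShell Module": "ContextInfo",
    "Suspicious PowerShell Invocations - Generic": "ScriptBlockText",
}


def selection_matches(value: str, needles: List[str]) -> bool:
    # A list under 'field|contains' is OR-ed; Sigma string matching is
    # case-insensitive by default, so compare lowercased.
    haystack = value.lower()
    return any(needle.lower() in haystack for needle in needles)


def rule_matches(event: dict, field: str) -> bool:
    # 'condition: all of selection*' means every selection_* must match.
    value = event.get(field)
    if not isinstance(value, str):
        return False
    return all(selection_matches(value, n) for n in SELECTIONS.values())


def matching_rules(event: dict) -> List[str]:
    return [name for name, field in RULE_FIELDS.items() if rule_matches(event, field)]


# Constructed sample events (not real telemetry); '<base64>' is a placeholder.
SAMPLE_EVENTS = [
    # all three parameter families present -> the ScriptBlockText rule fires
    {"ScriptBlockText": "powershell.exe -noni -w hidden -enc <base64>"},
    # an encoded command alone is not enough: every selection_* must match
    {"ScriptBlockText": "powershell.exe -enc <base64>"},
    # same parameters seen through the module-logging field -> the other rule fires
    {"ContextInfo": "Host Application = powershell -noninteractive -windowstyle hidden -ec <base64>"},
    # caveat: values are space-padded, so a switch at the very end of the
    # text (no trailing space) is not matched by ' -noni '
    {"ScriptBlockText": "powershell.exe -w hidden -enc <base64> -noni"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(matching_rules(event), event)
```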