Permalink
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
23 lines (22 sloc) 762 Bytes
title: Suspicious PowerShell Invocations - Specific
status: experimental
description: Detects suspicious PowerShell invocation command parameters
tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule)
logsource:
product: windows
service: powershell
detection:
keywords:
- ' -nop -w hidden -c * [Convert]::FromBase64String'
- ' -w hidden -noni -nop -c "iex(New-Object'
- ' -w hidden -ep bypass -Enc'
- 'powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run'
- 'bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download'
- 'iex(New-Object Net.WebClient).Download'
condition: keywords
falsepositives:
- Penetration tests
level: high