Suspicious Windows Powershell Arguments

Elastic Detection Rules

Summary
The rule "Suspicious Windows Powershell Arguments" identifies potentially malicious PowerShell execution on Windows systems. This detection matters because malware frequently runs PowerShell with obfuscated or encoded commands to carry out tasks such as downloading payloads or executing scripts without the user's awareness. By focusing on suspicious argument values passed to PowerShell, the rule flags likely threats for further analysis so that security teams can investigate and respond quickly to possible breaches. The detection draws on several data sources, including Windows logs from Winlogbeat, Sysmon, SentinelOne, Microsoft Defender for Endpoint, and CrowdStrike, giving coverage across different security environments.
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • File
  • Command
  • Logon Session
  • Application Log
  • Network Traffic
ATT&CK Techniques
  • T1059
  • T1059.001
Created: 2024-09-06