
Summary
This detection rule identifies suspicious PowerShell invocations by analyzing command-line parameters that can indicate malicious or unauthorized use of PowerShell scripts, with a particular focus on encoded or hidden script parameters. The rule has three primary detection selections:
- Encoded command parameters such as ' -enc ', ' -EncodedCommand ', and ' -ec ', which are often used to obfuscate the content of a command.
- Parameters that hide the script window: ' -w hidden ', ' -window hidden ', ' -windowstyle hidden ', and ' -w 1 '.
- Parameters for non-interactive invocation: ' -noni ' and ' -noninteractive '.
The detection triggers only when all three selections match, which raises the likelihood that a detected invocation is genuinely suspicious rather than routine administration. To use this rule effectively, PowerShell Script Block Logging must be enabled on the monitored systems so that complete details of script invocations are captured for analysis.
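The three selections and the all-must-match condition described above, implemented in Python as an added example (not the rule's own code) and run over constructed sample events; it assumes Sigma-style case-insensitive substring matching and a constructed "Text" field holding the invocation:

```python
from typing import Dict, List

# Selections taken from the rule summary above. Matching is assumed to be
# case-insensitive, so patterns are lower-case and compared to a lower-cased line.
SELECTIONS: Dict[str, List[str]] = {
    "encoded": [" -enc ", " -encodedcommand ", " -ec "],
    "hidden": [" -w hidden ", " -window hidden ", " -windowstyle hidden ", " -w 1 "],
    "noninteractive": [" -noni ", " -noninteractive "],
}


def matched_selections(command_line: str) -> Dict[str, bool]:
    """Per selection, whether any of its substrings occurs in the command line.

    The line is padded with a space on each side so a parameter at the very
    start or end still matches the space-delimited patterns.
    """
    haystack = " " + command_line.lower() + " "
    return {name: any(p in haystack for p in pats) for name, pats in SELECTIONS.items()}


def is_suspicious(command_line: str) -> bool:
    """Rule condition: all three selections must match (logical AND)."""
    return all(matched_selections(command_line).values())


# Constructed sample events (not real telemetry); "Text" is an assumed field name.
SAMPLE_EVENTS = [
    {"Text": "powershell.exe -NoP -NonI -W Hidden -Enc PLACEHOLDER_BASE64"},
    {"Text": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"Text": "powershell.exe -NonInteractive -WindowStyle Hidden -Command Get-Date"},
    {"Text": "powershell.exe -EncodedCommand PLACEHOLDER_BASE64 -w 1 -noninteractive"},
]


def triage(events: List[dict]) -> List[str]:
    """Return the text of every event that satisfies the full rule condition."""
    return [e["Text"] for e in events if is_suspicious(e["Text"])]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(matched_selections(event["Text"]), "=>", is_suspicious(event["Text"]))
    print("flagged:", triage(SAMPLE_EVENTS))
```

The third sample matches two of the three selections and is therefore not flagged, which is the AND condition doing its work against ordinary hidden, non-interactive scheduled scripts.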
Categories
- Endpoint
- Windows
Data Sources
- Process
- Application Log
Created: 2017-03-12