cscli scenarios install sigmahq/proc_creation_win_powershell_susp_parameter_variation
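# CrowdSec "trigger" scenario ported from the Sigma rule of the same name: a
# single Sysmon process-creation event (EventID 1) whose command line carries
# an abbreviated / truncated PowerShell switch raises an alert immediately.
type: trigger
name: sigmahq/proc_creation_win_powershell_susp_parameter_variation
description: |
  Detects suspicious PowerShell invocation with a parameter substring
# Matching notes:
#  - expr's `contains` / `endsWith` are case-sensitive, whereas the upstream
#    Sigma `contains` modifier is case-insensitive and PowerShell accepts its
#    switches in any case.  The image path and command line are therefore
#    lowered with CrowdSec's Lower() helper and every needle below is written
#    in lowercase, so e.g. "-ep Bypass" or "-NoProfil" are caught as well as
#    the all-lowercase spelling.
#  - Every needle is checked both as a dash switch (" -needle") and as a slash
#    switch (" /needle"), which is what the Sigma rule spells out twice.
#  - Leading/trailing spaces are part of the needles and are kept exactly as
#    in the Sigma rule; several entries ('win h ', 'win hi ', ...) are already
#    covered by 'win h' and are retained only for a one-to-one mapping.
filter: |
  evt.Meta.service == 'sysmon' && evt.Parsed.EventID == '1'
  && (Lower(evt.Parsed.Image) endsWith '\\powershell.exe' || Lower(evt.Parsed.Image) endsWith '\\pwsh.exe')
  && any([
       'windowstyle h ', 'windowstyl h', 'windowsty h', 'windowst h', 'windows h',
       'windo h', 'wind h', 'win h', 'wi h',
       'win h ', 'win hi ', 'win hid ', 'win hidd ', 'win hidde ',
       'nopr ', 'nopro ', 'noprof ', 'noprofi ', 'noprofil ',
       'nonin ', 'nonint ', 'noninte ', 'noninter ', 'nonintera ',
       'noninterac ', 'noninteract ', 'noninteracti ', 'noninteractiv ',
       'ec ', 'encodedcomman ', 'encodedcomma ', 'encodedcomm ', 'encodedcom ',
       'encodedco ', 'encodedc ', 'encoded ', 'encode ', 'encod ', 'enco ', 'en ',
       'executionpolic ', 'executionpoli ', 'executionpol ', 'executionpo ', 'executionp ',
       'execution bypass', 'executio bypass', 'executi bypass', 'execut bypass',
       'execu bypass', 'exec bypass', 'exe bypass', 'ex bypass', 'ep bypass'
     ], {
       Lower(evt.Parsed.CommandLine) contains ' -' + #
       || Lower(evt.Parsed.CommandLine) contains ' /' + #
     })
# After an alert, further matches for the same scope key are ignored for 2m,
# which keeps a chatty parent process from flooding alerts.
blackhole: 2m
#status: test
labels:
  service: windows
  confidence: 1
  spoofable: 0
  classification:
    - attack.t1059.001
  label: "Suspicious PowerShell Parameter Substring"
  behavior: "windows:audit"
  # audit-only: no decision (ban/captcha) is emitted for this scenario
  remediation: false

# The alert is keyed on the parent process rather than on a source IP.
scope:
  type: ParentProcessId
  expression: evt.Parsed.ParentProcessId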