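[rule]
# Analyst-facing summary of what the query below matches.
description = """
Detects the execution of Powershell (pwsh) with the encoded command flag set in the process arguments, in conjunction
with an unusual process command line length. Powershell usage on Linux is rare, and the usage of encoded commands with
unusual lengths through Powershell may indicate malicious behavior.
"""
id = "cd6e64ec-2890-4bd8-9d07-bef06465b06f"
license = "Elastic License v2"
name = "Linux Powershell Encoded Command"
os_list = ["linux"]
version = "1.0.11"
# EQL query. `:` and `like~` compare case-insensitively (`:` also accepts wildcards);
# `==`, `in` and `like` are exact/case-sensitive.
# Fires only when ALL three hold: pwsh is exec'd, an encoded-command flag is present,
# AND a no-profile flag (-nop / -noprofile) is present, AND the command line is at
# least 100 characters. Encoded commands launched without -nop/-noprofile, or shorter
# than 100 characters, do not trigger this rule.
# Exclusions, in order: parent process name (node / VS Code), a parent-args substring
# (*Invoke-Pester*), any parent executable under /data/user/docker/, two electron
# binaries, one exact encoded payload paired with an exact parent script name, and one
# encoded-payload prefix. The two base64 literals appear to be UTF-16LE PowerShell
# snippets (the exact one looks like a Get-Host version query) — decode to confirm
# before editing them.
# Tuning note: exclusions keyed on parent args, on a parent path prefix, or on a payload
# prefix match fields the launching process itself controls, so they are weaker than the
# exact-executable exclusions and are worth re-validating whenever the rule is tuned.
query = '''
process where event.action == "exec" and event.type == "start" and process.name == "pwsh" and
process.args : ("-EncodedCommand", "-enc", "-E") and process.args : ("-nop", "-noprofile") and
length(process.command_line) >= 100 and not (
process.parent.name in ("node", "code", "code-insiders") or
process.parent.args : "*Invoke-Pester*" or
process.parent.executable like "/data/user/docker/*" or
process.parent.executable in ("/usr/lib/electron30/electron", "/usr/lib/electron32/electron") or
(
process.args == "IAAoAEcAZQB0AC0ASABvAHMAdAApAC4AVgBlAHIAcwBpAG8AbgAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAA=" and
process.parent.args == "Invoke-LightRail.ps1"
) or
process.args like~ "JABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAnAFMAdABvAHAAJwAKAFsAdgBlAHIAcwBp*"
)
'''
# The same value is repeated under [internal] at the bottom of the file; keep the two in sync.
min_endpoint_version = "7.15.0"
# No optional response actions are offered for this rule; the mandatory ones are under [[actions]].
optional_actions = []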
[[actions]]
# Mandatory response on match: terminate the matching process, located by its entity_id.
# This is a prevention action, so any exclusion gap in the query above becomes a
# kill of a legitimate pwsh process — tune the exclusions with that cost in mind.
action = "kill_process"
field = "process.entity_id"
# NOTE(review): the meaning of `state` is not defined in this file — confirm against the
# rule schema before changing it.
state = 0
[[threat]]
# MITRE ATT&CK mapping: Execution via a scripting interpreter (PowerShell).
framework = "MITRE ATT&CK"
[[threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"
# Tactic belongs to this [[threat]] element; it must stay after the technique tables above.
[threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[internal]
# Duplicates rule.min_endpoint_version above; the two values are expected to match.
min_endpoint_version = "7.15.0"