
# behavior/rules/windows/execution_suspicious_powershell_execution.toml
# Elastic Endpoint behavior-protection rule. Matches powershell.exe process
# starts whose command line carries patterns associated with obfuscation,
# encoded commands, in-memory assembly loading or download cradles, and
# (per [[actions]] below) terminates the matched process.

[rule]
description = """
Identifies the execution of PowerShell with suspicious argument values. This behavior is often observed during malware installation leveraging PowerShell.
"""
id = "65784f6e-247a-466b-bbfb-cd92024f7e82"
license = "Elastic License v2"
name = "Suspicious PowerShell Execution"
os_list = ["windows"]
reference = [
    "https://www.elastic.co/security-labs/dipping-into-danger",
    "https://www.elastic.co/security-labs/doing-time-with-the-yipphb-dropper",
    "https://www.elastic.co/security-labs/unmasking-financial-services-intrusion-ref0657",
]
version = "1.0.43"

# EQL query, read top to bottom:
#   1. scope: process start events for powershell.exe, excluding launches by
#      the SYSTEM account (S-1-5-18);
#   2. an exclusion block: known-benign parent executables, parent/argument
#      combinations and command-line fragments (several are handled by the
#      other rules named in the in-query comment);
#   3. the positive match set: obfuscation tokens, encoding/compression APIs,
#      download-and-execute primitives, and a few parent-sensitive patterns.
# Maintenance notes:
#   - process.args / process.command_line are populated by whatever launched
#     the process, so exclusions keyed only on those fields are weaker than
#     ones that also pin process.parent.executable; prefer the conjunction
#     form (parent path AND specific arguments) when adding an exclusion.
#   - a number of command-line exclusions are bare substrings (for example
#     "*Program Files*" and "*Get-WmiObject*"): any command line containing
#     that text is exempted, so they deserve periodic review against current
#     telemetry.
query = '''
process where event.action == "start" and process.name : "powershell.exe" and not user.id : "S-1-5-18" and
/* following exclusions are covered by other rules
   - Suspicious Execution via Windows Management Instrumentation
   - Suspicious Windows Schedule Child Process
   - PowerShell Obfuscation Spawned via Microsoft Office
   - Suspicious PowerShell Execution via Windows Scripts
*/
not (process.parent.executable : ("?:\\Windows\\System32\\svchost.exe",
                                  "?:\\Windows\\System32\\wbem\\WmiPrvSe.exe",
                                  "?:\\Program Files\\*.exe",
                                  "?:\\Program Files (x86)\\*.exe",
                                  "?:\\Users\\*\\AppData\\Local\\gitkraken\\app-*\\gitkraken.exe",
                                  "?:\\Windows\\System32\\taskeng.exe",
                                  "?:\\Windows\\cybercnsagent\\cybercnsagent.exe",
                                  "?:\\Windows\\SysWOW64\\WindowsPowerShell\\*\\powershell_ise.exe",
                                  "?:\\Windows\\System32\\WindowsPowerShell\\*\\powershell_ise.exe",
                                  "?:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Platform\\*\\SenseIR.exe") and
     not process.parent.name : "java.exe") and
not process.parent.name : ("wscript.exe", "cscript.exe") and
not (process.args:"-NonInteractive" and process.args :"-InputFormat") and
not (process.args : ("RemoteSigned", "-ExecutionPolicy", "write-host") and
     not process.parent.name : ("explorer.exe", "python.exe", "cmd.exe")) and
not process.args : "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cGFzc3dvcmQ='))" and
not (process.command_line : "*echo ~/.ansible/tmp/ansible-tmp*" and
     process.parent.executable : "C:\\Windows\\System32\\OpenSSH\\sshd.exe") and
not process.command_line : ("*ConvertTo-Json*Write-Host*",
                            "*BrowserExtension.dll*WebCompanion.BrowserExtension*",
                            "*-ExecutionPolicy*Write-Verbose*",
                            "*webClient.Headers.add*",
                            "*System.Management.Automation.Host.Size*",
                            "*JABQAHIAbwBnAHIAZQBzAHMAUAByAGUAZgBlAHIAZQ*",
                            "*chocolatey.org*",
                            "*Get-WmiObject*",
                            "*artifacts.elastic.co*",
                            "*officecdn.microsoft.com*",
                            "*CgAgACAAIAAgACAAIAAgACAAJABTAGMAcgBpAHAAdAAgACA*",
                            "*Program Files*",
                            "*).Access.IdentityReference;$defaults*",
                            "*https://repo.maven.apache.org*",
                            "*\\CSIWorking\\system\\WinSCP\\winscp.com*",
                            "*@Files.onetech.cc*",
                            "*Register-AzureADConnectHealthADDSAgent*",
                            "*\\ProgramData\\Microsoft\\LogConverter\\*",
                            "*WinSCP.com*",
                            "*SNC_isWmi*",
                            "*--app-id=memtime-*",
                            "*BkAGEAdABhAGIAYQBzAGUALgB3AGkAbgBkAG8AdwBzAC4AbgBlAHQA*",
                            "*FsAdgBlAHIAcwBpAG8AbgBdACQAbQBpAG4AaQBtAHUAbQBWAGUAcgBzAGkAbwBuACAAPQAgACcAMgAuADIALgAwACcA*",
                            "*https://tshf.sas.com/techsup/download/hotfix/*",
                            "*scripts\\buildsystems\\msbuild*",
                            "*.vscode\\extensions\\ms-dynamics-smb*",
                            "*$ErrorActionPreference*$adsiMember*",
                            "*$ErrorActionPreference*$rgx_log4j*",
                            "*$env:APPDATA\"+'\\Browser Assistant\\*",
                            "*APPDATA\"+'/Browser Extension/BE.txt*",
                            "*$env:APPDATA\"+'/BBWC/*",
                            "*ReadAllBytes($w+'Newtonsoft.Json.dll*") and
not (process.parent.name : "cmd.exe" and
     (process.parent.command_line : "*\\WindowsPowershell\\*\\powershell*" or
      process.parent.args : ("-Command", "-OutputFormat", "-InputFormat"))) and
not process.parent.name : "powershell.exe" and
not (process.parent.executable : "C:\\Windows\\System32\\msiexec.exe" and
     process.args : "https://go.microsoft.com/fwlink/p/?LinkId=*" and
     process.args :"$env:TEMP\\MicrosoftEdgeWebview2Setup.exe") and
not process.args : "chcp 65001;[System.Reflection.Assembly]::LoadWithPartialName('System.Drawing');(New-Object System.Drawing.Text.InstalledFontCollection).Families" and
(
 process.command_line : (
    "*^*^*^*^*^*^*^*^*^*",
    "*`*`*`*`*",
    "*+*+*+*+*+*+*",
    "*[char[]](*)*-join*",
    "*Base64String*",
    "*[*Convert]*",
    "*.Compression.*",
    "*-join($*",
    "*.replace*",
    "*MemoryStream*",
    "*WriteAllBytes*",
    "* -enc *",
    "* -ec *",
    "* /e *",
    "* /enc *",
    "* /ec *",
    "*WebClient*",
    "*DownloadFile*",
    "*DownloadString*",
    "* iex*",
    "* iwr*",
    "* aQB3AHIAIABpA*",
    "*Reflection.Assembly*",
    "*Assembly.GetType*",
    "*$env:temp\\*start*",
    "*powercat*",
    "*nslookup -q=txt*",
    "*$host.UI.PromptForCredential*",
    "*Net.Sockets.TCPClient*",
    "*curl *;Start*",
    "powershell.exe \"<#*",
    "*ssh -p *",
    "*http*|iex*",
    "*@SSL\\DavWWWRoot\\*.ps1*",
    "*.lnk*.Seek(0x*",
    "*[string]::join(*",
    "*[Array]::Reverse($*",
    "* hidden $(gc *",
    "*=wscri& set*",
    "*http'+'s://*",
    "*.content|i''Ex*",
    "*//:sptth*",
    "*//:ptth*",
    "*h''t''t''p*",
    "*'tp'':''/'*",
    "*$env:T\"E\"MP*",
    "*;cmd /c $?",
    "*s''t''a''r*",
    "*$*=Get-Content*AppData*.SubString(*$*",
    "*=cat *AppData*.substring(*);*$*",
    "*-join'';*|powershell*",
    "*.Content;sleep *|powershell*",
    "*h\''t\''tp:\''*",
    "*-e aQB3AHIAIABp*",
    "*iwr *https*).Content*",
    "*$env:computername*http*",
    "*;InVoKe-ExpRESsIoN $COntent.CONTENt;*",
    "*WebClient*example.com*",
    "*=iwr $*;iex $*"
 ) or
 (process.args : "-c" and process.args : "&{'*") or
 (process.args : "-Outfile" and process.args : "Start*") or
 (process.args : "-bxor" and process.args : "0x*") or
 process.args : "$*$*;set-alias" or
 (process.command_line : ("*-encodedCommand*", "*Invoke-webrequest*", "*WebClient*", "*Reflection.Assembly*") and
  (process.parent.name : ("explorer.exe", "python.exe") or
   (process.parent.name : "cmd.exe" and
    descendant of [process where event.action == "start" and process.name : ("explorer.exe", "python.exe")])))
)
'''

# Lowest Endpoint version the rule is shipped to. The same value is repeated
# under [internal] at the end of the file; keep the two identical (presumably
# both are read by the artifact build — confirm against the tooling).
min_endpoint_version = "7.15.0"

# Response action applied on a match: terminate the matched process.
# The meaning of `state` is not defined in this file — confirm against the
# actions schema before changing it.
[[actions]]
action = "kill_process"
field = "process.entity_id"
state = 0

# Additional action an operator may enable. "rollback" presumably reverts the
# matched process's changes — verify in the Endpoint documentation.
[[optional_actions]]
action = "rollback"
field = "process.entity_id"
state = 0

# MITRE ATT&CK mapping: Execution (TA0002) via PowerShell (T1059.001).
[[threat]]
framework = "MITRE ATT&CK"

[[threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[internal]
min_endpoint_version = "7.15.0"