← Back to Explore
sigmahighHunting
Suspicious PowerShell Invocations - Specific - PowerShell Module
Detects suspicious PowerShell invocation command parameters
Detection Query
selection_convert_b64:
ContextInfo|contains|all:
- -nop
- " -w "
- hidden
- " -c "
- "[Convert]::FromBase64String"
selection_iex:
ContextInfo|contains|all:
- " -w "
- hidden
- -noni
- -nop
- " -c "
- iex
- New-Object
selection_enc:
ContextInfo|contains|all:
- " -w "
- hidden
- -ep
- bypass
- -Enc
selection_reg:
ContextInfo|contains|all:
- powershell
- reg
- add
ContextInfo|contains:
- \software\microsoft\windows\currentversion\run
- \software\wow6432node\microsoft\windows\currentversion\run
- \software\microsoft\windows\currentversion\policies\explorer\run
selection_webclient:
ContextInfo|contains|all:
- bypass
- -noprofile
- -windowstyle
- hidden
- new-object
- system.net.webclient
- .download
selection_iex_webclient:
ContextInfo|contains|all:
- iex
- New-Object
- Net.WebClient
- .Download
filter_chocolatey:
ContextInfo|contains:
- (New-Object
System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1
- Write-ChocolateyWarning
condition: 1 of selection_* and not 1 of filter_*
Author
Florian Roth (Nextron Systems), Jonhnathan Ribeiro
Created
2017-03-05
Data Sources
windowsps_module
Platforms
windows
References
Tags
attack.executionattack.t1059.001
Raw Content
title: Suspicious PowerShell Invocations - Specific - PowerShell Module
id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090
related:
- id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c
type: obsolete
- id: ae7fbf8e-f3cb-49fd-8db4-5f3bed522c71
type: similar
- id: 536e2947-3729-478c-9903-745aaffe60d2
type: similar
status: test
description: Detects suspicious PowerShell invocation command parameters
references:
- Internal Research
- https://github.com/HackTricks-wiki/hacktricks/blob/e4c7b21b8f36c97c35b7c622732b38a189ce18f7/src/windows-hardening/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries.md
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro
date: 2017-03-05
modified: 2025-02-17
tags:
- attack.execution
- attack.t1059.001
logsource:
product: windows
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_convert_b64:
ContextInfo|contains|all:
- '-nop'
- ' -w '
- 'hidden'
- ' -c '
- '[Convert]::FromBase64String'
selection_iex:
ContextInfo|contains|all:
- ' -w '
- 'hidden'
- '-noni'
- '-nop'
- ' -c '
- 'iex'
- 'New-Object'
selection_enc:
ContextInfo|contains|all:
- ' -w '
- 'hidden'
- '-ep'
- 'bypass'
- '-Enc'
selection_reg:
ContextInfo|contains|all:
- 'powershell'
- 'reg'
- 'add'
ContextInfo|contains:
- '\software\microsoft\windows\currentversion\run'
- '\software\wow6432node\microsoft\windows\currentversion\run'
- '\software\microsoft\windows\currentversion\policies\explorer\run'
selection_webclient:
ContextInfo|contains|all:
- 'bypass'
- '-noprofile'
- '-windowstyle'
- 'hidden'
- 'new-object'
- 'system.net.webclient'
- '.download'
selection_iex_webclient:
ContextInfo|contains|all:
- 'iex'
- 'New-Object'
- 'Net.WebClient'
- '.Download'
filter_chocolatey:
ContextInfo|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
- 'Write-ChocolateyWarning'
condition: 1 of selection_* and not 1 of filter_*
falsepositives:
- Unknown
level: high