All Things Computers
Jan 9, 2023 · 2 min read

Detection Series: #6 Suspicious PowerShell Commands

PowerShell, while a powerful tool for IT admins, is just as useful to adversaries. What makes PowerShell command lines harder to detect is that powershell.exe accepts shortened parameter names: any prefix of a parameter is accepted as long as it is unambiguous, i.e. it does not conflict with another PowerShell parameter. For example -NoProfile can also be written as -NoP, -NonInteractive as -NonI, -EncodedCommand as -enc, and -WindowStyle Hidden as -w hidden, so a detection that looks only for the full parameter name will miss the shortened forms.

The reliable way to catch the shortened versions is a regular expression that accepts every prefix length, anchored to the PowerShell process so that the same switches on other binaries do not fire. The logic:

Where process image is powershell.exe or pwsh.exe
+
Command line matches a regex covering the parameter variations

SIGMA RULE FOR GITHUB

title: Regex for PowerShell commands Variations
id: 6bf73a3c-675c-4291-baaa-c515c57b0ef0
status: experimental
description: Using regex, this detects when variations of parameters that attackers commonly use within PowerShell are called.
references:
    - https://attack.mitre.org/techniques/T1036/003/
author: GitHub @TripleAAACyberSecurity, Twitter @AAACyber1
date: 2021/11/01
modified:
tags:
    - attack.defense.evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        # each [...] group is a character class with a length range, so -nop, -nopr and -noprofile all match;
        # the {0,10} on the WindowStyle class is needed so that -w hidden, -win hidden and -windowstyle hidden all match
        CommandLine|re: '(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b'
    condition: selection
falsepositives:
    - Legitimate admin activity. Needs tuning to its environment due to its wide catchment.
level: low
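To see the abbreviation problem and the rule's selection logic in action, here is an added example (not part of the original post or the linked Sigma repository) that runs the rule over a handful of constructed process_creation events. It applies the Image filter and the CommandLine regex exactly as the Sigma selection does, and it keeps the published pattern side by side with a variant whose WindowStyle class carries a {0,10} quantifier, so you can see which command lines each one alerts on. The events, paths and Base64 string are made up for illustration; they are not real telemetry.

```python
import re
from typing import Optional

# Pattern as published in the Sigma rule. Each bracketed group is a character
# class with a length range, not a literal word: [rofile]{0,6} means "up to six
# characters drawn from r,o,f,i,l,e", which is what lets -nop, -nopr and
# -noprofile all match. The w[indowstyle] class here has no quantifier, so it
# demands exactly one character between "-w" and " hidden".
ORIGINAL_RE = (
    r"(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}"
    r"|w[indowstyle] hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b"
)

# Same pattern with {0,10} on the WindowStyle class, so -w hidden, -win hidden
# and -windowstyle hidden are all caught.
FIXED_RE = (
    r"(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}"
    r"|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b"
)

# The rule's Image|endswith selection.
POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# Constructed process_creation events (assumed, not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "Get-Process"'},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -noni -ep bypass -File C:\Temp\run.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -encode in.txt out.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Service"'},
]


def is_powershell(image: str) -> bool:
    """Image|endswith '\\powershell.exe' or '\\pwsh.exe', case-insensitive."""
    return image.lower().endswith(POWERSHELL_IMAGES)


def matched_parameter(pattern: str, command_line: str) -> Optional[str]:
    """Return the parameter text the regex fired on, or None if it did not fire."""
    m = re.search(pattern, command_line)
    return m.group(0) if m else None


def matching_commands(pattern: str, events) -> list:
    """Apply the full Sigma selection (image filter AND regex) and return the
    command lines that would raise an alert."""
    return [
        ev["CommandLine"]
        for ev in events
        if is_powershell(ev["Image"]) and matched_parameter(pattern, ev["CommandLine"])
    ]


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_RE), ("fixed", FIXED_RE)):
        print(f"[{label}]")
        for cmd in matching_commands(pattern, EVENTS):
            print("  ALERT", matched_parameter(pattern, cmd), "<-", cmd)
```

Three things are worth noticing in the output. The certutil.exe event carries a "-encode" switch that the regex alone would match, and only the image filter keeps it out of the alerts, which is why the selection is an AND of both conditions. The -ExecutionPolicy RemoteSigned event is not flagged, because the regex requires the literal " Bypass"; only the -NoProfile -Command event shows the legitimate-admin false positive the rule's falsepositives field warns about. And because the bracketed groups are character classes, strings such as "-eco" or "-nopp" would match as well; that is the cost of covering every prefix length with one expression, and it is the reason the rule needs tuning per environment.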

Here are the same selection adapted to several SIEMs and tools for you to use. Regex dialects differ between engines: Lucene's syntax, which Elastic and OpenSearch use for /.../ queries, does not support inline flags such as (?i) or the \b word boundary, and Snowflake string literals need backslashes doubled, so validate each query in its own engine before deploying it.

Elastic
(process.executable.text:(*\\powershell.exe OR *\\pwsh.exe) AND process.command_line.text:/(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b/)

AWS Open Search
(process.executable.text:(*\\powershell.exe OR *\\pwsh.exe) AND process.command_line.text:/(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b/)

Crowdstrike
((ImageFileName="*\\powershell.exe" OR ImageFileName="*\\pwsh.exe") AND (regex field=CommandLine "(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b" OR regex field=CommandHistory "(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b"))

Carbon Black
(process_name:(*\\powershell.exe OR *\\pwsh.exe) AND process_cmdline:/(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b/)

Snowflake
SELECT * FROM windows WHERE (process.executable ILIKE '%\\powershell.exe' OR process.executable ILIKE '%\\pwsh.exe') AND regexp_like(process.command_line, '-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\\b', 'i')

The Sigma rule is on GitHub at the link below. Any credit back to this post is much appreciated.

https://github.com/TripleAAACyberSecurity/SIGMA_Detections/blob/main/6%20Regex%20for%20PowerShell%20commands%20Variations.yml

References
https://attack.mitre.org/techniques/T1036/003/
