Detection Series: #6 Suspicious PowerShell Commands
PowerShell, whilst a powerful tool for IT admins, can equally be used by adversaries for malicious ends. What makes PowerShell command lines harder to detect is that powershell.exe accepts a shortened switch as long as the prefix is long enough to be unambiguous. For example -NoProfile can also be written as -NoP, and -EncodedCommand as -e, -ec or -enc, so a detection that looks for the full switch name misses most real-world usage.
The most practical way to catch the shortened forms is a regular expression over the command line. The detection logic is:
Where process is powershell
+
Command line matches a regex covering the parameter variations
SIGMA RULE FOR GITHUB
title: Regex for PowerShell commands Variations
id: 6bf73a3c-675c-4291-baaa-c515c57b0ef0
status: experimental
description: Detects full and abbreviated forms of PowerShell command-line switches commonly used by attackers (EncodedCommand, NonInteractive, WindowStyle hidden, NoProfile, ExecutionPolicy Bypass) using a regular expression.
references:
  - https://attack.mitre.org/techniques/T1036/003/
author: GitHub @TripleAAACyberSecurity, Twitter @AAACyber1
date: 2021/11/01
tags:
  - attack.defense.evasion
  - attack.t1036.003
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|re: '(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b'
  condition: selection
falsepositives:
  - Legitimate admin activity. Needs tuning to its environment due to its wide catchment.
level: low
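To see what the regex actually covers, the following Python script (an added example, not part of the original post or its Sigma repository) enumerates every abbreviation powershell.exe would accept for each switch the rule targets, runs the rule's regex over all of them, and then applies the Image-plus-CommandLine selection to a few constructed process_creation events. ORIGINAL_RE carries the WindowStyle clause as published, w[indowstyle] hidden, whose unquantified character class matches exactly one letter after the w; FIXED_RE quantifies it. The minimum-prefix table and the ec/ep aliases are assumptions about the host's parser and should be verified against your own build; the sample events are constructed, not real telemetry.

```python
import re

# Regex exactly as published in the Sigma rule. The WindowStyle clause
# 'w[indowstyle] hidden' has an unquantified character class, so it matches
# exactly one letter after the 'w' (e.g. '-wi hidden') and nothing else.
ORIGINAL_RE = re.compile(
    r"(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}"
    r"|w[indowstyle] hidden|Nop[rofile]{0,6}"
    r"|E[xecution]{0,8}[Policy]{0,6} Bypass)\b"
)
# Same pattern with the class quantified so every length from '-w' to '-windowstyle' matches.
FIXED_RE = re.compile(
    ORIGINAL_RE.pattern.replace("w[indowstyle] hidden", "w[indowstyle]{0,10} hidden")
)

# powershell.exe accepts any leading substring of a switch that is at least as
# long as that switch's shortest unambiguous form. The minimum forms and the
# 'ec'/'ep' aliases below are an assumption about the host's parser (check them
# with e.g. 'powershell -nop -c 1' on your build). The second tuple element is
# the argument the rule requires after the switch.
SWITCHES = {
    "noprofile":       ("nop",  ""),
    "noninteractive":  ("noni", ""),
    "encodedcommand":  ("e",    ""),
    "windowstyle":     ("w",    " hidden"),
    "executionpolicy": ("ex",   " bypass"),
}
ALIASES = {"encodedcommand": ["ec"], "executionpolicy": ["ep"]}


def accepted_forms(switch):
    """Every spelling of the switch powershell.exe would accept, shortest first."""
    minimum, _ = SWITCHES[switch]
    forms = [switch[:n] for n in range(len(minimum), len(switch) + 1)]
    return forms + ALIASES.get(switch, [])


def uncovered(pattern):
    """Map each switch to the accepted spellings the given regex fails to match."""
    gaps = {}
    for switch, (_, argument) in SWITCHES.items():
        missed = [form for form in accepted_forms(switch)
                  if not pattern.search(f"powershell.exe -{form}{argument}")]
        if missed:
            gaps[switch] = missed
    return gaps


def matches_rule(event, pattern=FIXED_RE):
    """Mirror the Sigma selection: Image suffix AND CommandLine regex."""
    image_ok = event["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe"))
    return image_ok and pattern.search(event["CommandLine"]) is not None


# Constructed sample process_creation events; not real telemetry.
EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgA"},
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -NoLogo -File C:\scripts\inventory.ps1"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -c whoami"},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -Command Get-Date"},
]


def alerting_events(pattern=FIXED_RE):
    """Command lines of the sample events that would raise the rule."""
    return [e["CommandLine"] for e in EVENTS if matches_rule(e, pattern)]


if __name__ == "__main__":
    print("gaps, published regex:", uncovered(ORIGINAL_RE))
    print("gaps, fixed regex:    ", uncovered(FIXED_RE))
    for cmd in alerting_events():
        print("ALERT:", cmd)
```

Running it shows the published WindowStyle clause misses every accepted spelling except -wi hidden, while the quantified clause covers all of them; the other four alternatives already cover every abbreviation in the table. The cmd.exe event is deliberately not an alert: the selection keys on the Image of the process being created, so the child powershell.exe event, not the parent cmd.exe event, is what fires.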
Here is the same logic converted for several SIEMs and tools. They are straight conversions of the Sigma rule, so test each in your own environment before relying on it. In particular, the Lucene regex syntax used by Elasticsearch and OpenSearch query strings implicitly anchors the pattern to the whole term and does not support the Perl-style (?i) flag or the \b anchor, so the Elastic and OpenSearch forms below need adapting before they will match.
Elastic
(process.executable.text:(*\\powershell.exe OR *\\pwsh.exe) AND process.command_line.text:/(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b/)
AWS Open Search
(process.executable.text:(*\\powershell.exe OR *\\pwsh.exe) AND process.command_line.text:/(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b/)
Crowdstrike
((ImageFileName="*\\powershell.exe" OR ImageFileName="*\\pwsh.exe") AND (regex field=CommandLine "(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b" OR regex field=CommandHistory "(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b"))
Carbon Black
(process_name:(*\\powershell.exe OR *\\pwsh.exe) AND process_cmdline:/(?i)-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\b/)
Snowflake
SELECT * FROM windows WHERE (process.executable ILIKE '%\\powershell.exe' OR process.executable ILIKE '%\\pwsh.exe') AND regexp_like(process.command_line, '.*-(e[ncoded]{0,6}[command]{0,7}|Noni[nteractive]{0,10}|w[indowstyle]{0,10} hidden|Nop[rofile]{0,6}|E[xecution]{0,8}[Policy]{0,6} Bypass)\\b.*', 'i')
-- Snowflake string literals use single quotes (double quotes denote identifiers), regexp_like takes its flags as a third argument, backslash escapes must be doubled (\\b), and the pattern is implicitly anchored at both ends, hence the surrounding .* and the case-insensitive 'i' flag in place of an inline (?i).
The Sigma rule is published at the link below. Crediting back here is much appreciated.
https://github.com/TripleAAACyberSecurity/SIGMA_Detections/blob/main/6%20Regex%20for%20PowerShell%20commands%20Variations.yml
References
https://attack.mitre.org/techniques/T1036/003/