Detects suspicious PowerShell invocation with a parameter substring
# Sigma rule: flags powershell.exe / pwsh.exe launches whose command line
# carries a truncated or abbreviated spelling of a parameter that is typically
# used to run hidden, profile-less, non-interactive or Base64-encoded payloads.
# PowerShell resolves any unambiguous prefix of a parameter name, so
# `-NoProfi`, `-noninteract` or `-encodedCo` behave exactly like the full
# spelling; the variations below are what the referenced blog post describes
# as a way to slip past detections written for the full parameter names.
title: Suspicious PowerShell Parameter Substring
id: 36210e0d-5b19-485d-a087-c096088885f0
status: test
description: Detects suspicious PowerShell invocation with a parameter substring
references:
    - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier
author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
date: 2019-01-16
modified: 2022-07-14
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    # Requires process-creation telemetry that carries the full command line
    # (e.g. Sysmon event 1 or Security event 4688 with command-line auditing
    # enabled); without the CommandLine field nothing below can match.
    category: process_creation
    product: windows
detection:
    selection:
        # Both the Windows PowerShell and the PowerShell (Core) host binaries.
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        # Matching notes:
        # - Every term starts with a space so it only matches at a token
        #   boundary (the parameter must be preceded by whitespace).
        # - A term that also ends with a space requires the token to end
        #   there: ' -windowstyle h ' matches the one-letter value 'h' but not
        #   'hidden'. A term without the trailing space also matches longer
        #   values: ' -win h' already covers ' -win hid', ' -win hidden', ...
        # - Sigma `contains` is case-insensitive, so the mixed case in
        #   ' -NoPr ' / ' -encodedComman ' is cosmetic.
        # - Only single ASCII spaces are used as separators; a command line
        #   that separates tokens with tabs or several spaces, or that quotes
        #   the argument, will not match this rule.
        # - The shortest common abbreviations (' -nop ', ' -noni ', ' -w h',
        #   ' -e ', ' -enc ') are NOT in this list. NOTE(review): presumably
        #   left to other rules because they are far more common in benign
        #   use; confirm that coverage exists before relying on this rule alone.
        CommandLine|contains:
            # -WindowStyle Hidden: parameter name truncated and/or value abbreviated.
            - ' -windowstyle h '
            - ' -windowstyl h'
            - ' -windowsty h'
            - ' -windowst h'
            - ' -windows h'
            - ' -windo h'
            - ' -wind h'
            - ' -win h'
            - ' -wi h'
            # The next five are already implied by ' -win h' above; they add
            # no extra coverage but are kept for parity with the upstream rule.
            - ' -win h '
            - ' -win hi '
            - ' -win hid '
            - ' -win hidd '
            - ' -win hidde '
            # -NoProfile truncated (4 to 8 characters).
            - ' -NoPr '
            - ' -NoPro '
            - ' -NoProf '
            - ' -NoProfi '
            - ' -NoProfil '
            # -NonInteractive truncated (5 to 14 characters).
            - ' -nonin '
            - ' -nonint '
            - ' -noninte '
            - ' -noninter '
            - ' -nonintera '
            - ' -noninterac '
            - ' -noninteract '
            - ' -noninteracti '
            - ' -noninteractiv '
            # -EncodedCommand: the '-ec' alias plus truncations of the full
            # name. Note that ' -e ' and ' -enc ' are intentionally absent.
            - ' -ec '
            - ' -encodedComman '
            - ' -encodedComma '
            - ' -encodedComm '
            - ' -encodedCom '
            - ' -encodedCo '
            - ' -encodedC '
            - ' -encoded '
            - ' -encode '
            - ' -encod '
            - ' -enco '
            - ' -en '
            # -ExecutionPolicy truncated to 10+ characters: matched with ANY
            # value (the term ends with a space, so the value is not inspected).
            - ' -executionpolic '
            - ' -executionpoli '
            - ' -executionpol '
            - ' -executionpo '
            - ' -executionp '
            # Shorter truncations of -ExecutionPolicy, and the '-ep' alias,
            # are only matched together with the value 'bypass'.
            - ' -execution bypass'
            - ' -executio bypass'
            - ' -executi bypass'
            - ' -execut bypass'
            - ' -execu bypass'
            - ' -exec bypass'
            - ' -exe bypass'
            - ' -ex bypass'
            - ' -ep bypass'
            # Same list again with the '/' switch prefix, which powershell.exe
            # accepts in place of '-'. Structure and caveats are identical to
            # the '-' block above.
            - ' /windowstyle h '
            - ' /windowstyl h'
            - ' /windowsty h'
            - ' /windowst h'
            - ' /windows h'
            - ' /windo h'
            - ' /wind h'
            - ' /win h'
            - ' /wi h'
            - ' /win h '
            - ' /win hi '
            - ' /win hid '
            - ' /win hidd '
            - ' /win hidde '
            - ' /NoPr '
            - ' /NoPro '
            - ' /NoProf '
            - ' /NoProfi '
            - ' /NoProfil '
            - ' /nonin '
            - ' /nonint '
            - ' /noninte '
            - ' /noninter '
            - ' /nonintera '
            - ' /noninterac '
            - ' /noninteract '
            - ' /noninteracti '
            - ' /noninteractiv '
            - ' /ec '
            - ' /encodedComman '
            - ' /encodedComma '
            - ' /encodedComm '
            - ' /encodedCom '
            - ' /encodedCo '
            - ' /encodedC '
            - ' /encoded '
            - ' /encode '
            - ' /encod '
            - ' /enco '
            - ' /en '
            - ' /executionpolic '
            - ' /executionpoli '
            - ' /executionpol '
            - ' /executionpo '
            - ' /executionp '
            - ' /execution bypass'
            - ' /executio bypass'
            - ' /executi bypass'
            - ' /execut bypass'
            - ' /execu bypass'
            - ' /exec bypass'
            - ' /exe bypass'
            - ' /ex bypass'
            - ' /ep bypass'
    # A single hit on any one substring is enough; there is no filter section,
    # so exclusions for known-good tooling have to be added locally.
    condition: selection
falsepositives:
    # NOTE(review): the rule author lists none. The ' -ec ' and ' -ep bypass'
    # terms in particular look like spellings that admin scripts and RMM tools
    # may legitimately use; baseline in your environment before alerting at
    # this level.
    - Unknown
level: high
// Microsoft Sentinel (ASIM) translation of the Sigma rule above.
// imProcessCreate is the ASIM process-creation unifying parser (a KQL
// function, not a raw table), so TargetProcessName / TargetProcessCommandLine
// are normalised fields populated from whichever process-event sources are
// connected; if the source does not log command lines, every `contains`
// clause below is evaluated against an empty field and nothing fires.
// KQL `endswith` and `contains` are case-insensitive (the `_cs` variants are
// not), which matches Sigma's default semantics, and "\\" inside a
// double-quoted KQL literal is a single backslash.
// `contains` cannot use the term index, so this is a scan over the queried
// time range; keep the window bounded (TimeGenerated) when running it ad hoc.
// The whole filter is ONE `where` expression that was merely wrapped across
// several lines; the line breaks are insignificant to KQL.
imProcessCreate
| where (TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe") and (TargetProcessCommandLine contains " -windowstyle h " or TargetProcessCommandLine contains " -windowstyl h" or TargetProcessCommandLine contains " -windowsty h" or TargetProcessCommandLine contains " -windowst h" or TargetProcessCommandLine contains " -windows h" or TargetProcessCommandLine contains " -windo h" or TargetProcessCommandLine contains " -wind h" or TargetProcessCommandLine contains " -win h" or TargetProcessCommandLine contains " -wi h" or TargetProcessCommandLine contains " -win h " or TargetProcessCommandLine contains " -win hi " or TargetProcessCommandLine contains " -win hid " or TargetProcessCommandLine contains " -win hidd " or TargetProcessCommandLine contains " -win hidde " or TargetProcessCommandLine contains " -NoPr " or TargetProcessCommandLine contains " -NoPro " or TargetProcessCommandLine contains " -NoProf " or TargetProcessCommandLine contains " -NoProfi " or TargetProcessCommandLine contains " -NoProfil " or TargetProcessCommandLine contains " -nonin " or TargetProcessCommandLine contains " -nonint " or TargetProcessCommandLine contains " -noninte " or TargetProcessCommandLine contains " -noninter " or TargetProcessCommandLine contains " -nonintera " or TargetProcessCommandLine contains " -noninterac " or TargetProcessCommandLine contains " -noninteract " or TargetProcessCommandLine contains " -noninteracti " or TargetProcessCommandLine contains " -noninteractiv " or TargetProcessCommandLine contains " -ec " or TargetProcessCommandLine contains " -encodedComman " or TargetProcessCommandLine contains " -encodedComma " or TargetProcessCommandLine contains " -encodedComm " or TargetProcessCommandLine contains " -encodedCom " or TargetProcessCommandLine contains " -encodedCo " or TargetProcessCommandLine contains " -encodedC " or TargetProcessCommandLine contains " -encoded " or TargetProcessCommandLine contains " -encode " or 
TargetProcessCommandLine contains " -encod " or TargetProcessCommandLine contains " -enco " or TargetProcessCommandLine contains " -en " or TargetProcessCommandLine contains " -executionpolic " or TargetProcessCommandLine contains " -executionpoli " or TargetProcessCommandLine contains " -executionpol " or TargetProcessCommandLine contains " -executionpo " or TargetProcessCommandLine contains " -executionp " or TargetProcessCommandLine contains " -execution bypass" or TargetProcessCommandLine contains " -executio bypass" or TargetProcessCommandLine contains " -executi bypass" or TargetProcessCommandLine contains " -execut bypass" or TargetProcessCommandLine contains " -execu bypass" or TargetProcessCommandLine contains " -exec bypass" or TargetProcessCommandLine contains " -exe bypass" or TargetProcessCommandLine contains " -ex bypass" or TargetProcessCommandLine contains " -ep bypass" or TargetProcessCommandLine contains " /windowstyle h " or TargetProcessCommandLine contains " /windowstyl h" or TargetProcessCommandLine contains " /windowsty h" or TargetProcessCommandLine contains " /windowst h" or TargetProcessCommandLine contains " /windows h" or TargetProcessCommandLine contains " /windo h" or TargetProcessCommandLine contains " /wind h" or TargetProcessCommandLine contains " /win h" or TargetProcessCommandLine contains " /wi h" or TargetProcessCommandLine contains " /win h " or TargetProcessCommandLine contains " /win hi " or TargetProcessCommandLine contains " /win hid " or TargetProcessCommandLine contains " /win hidd " or TargetProcessCommandLine contains " /win hidde " or TargetProcessCommandLine contains " /NoPr " or TargetProcessCommandLine contains " /NoPro " or TargetProcessCommandLine contains " /NoProf " or TargetProcessCommandLine contains " /NoProfi " or TargetProcessCommandLine contains " /NoProfil " or TargetProcessCommandLine contains " /nonin " or TargetProcessCommandLine contains " /nonint " or TargetProcessCommandLine contains " /noninte " or 
TargetProcessCommandLine contains " /noninter " or TargetProcessCommandLine contains " /nonintera " or TargetProcessCommandLine contains " /noninterac " or TargetProcessCommandLine contains " /noninteract " or TargetProcessCommandLine contains " /noninteracti " or TargetProcessCommandLine contains " /noninteractiv " or TargetProcessCommandLine contains " /ec " or TargetProcessCommandLine contains " /encodedComman " or TargetProcessCommandLine contains " /encodedComma " or TargetProcessCommandLine contains " /encodedComm " or TargetProcessCommandLine contains " /encodedCom " or TargetProcessCommandLine contains " /encodedCo " or TargetProcessCommandLine contains " /encodedC " or TargetProcessCommandLine contains " /encoded " or TargetProcessCommandLine contains " /encode " or TargetProcessCommandLine contains " /encod " or TargetProcessCommandLine contains " /enco " or TargetProcessCommandLine contains " /en " or TargetProcessCommandLine contains " /executionpolic " or TargetProcessCommandLine contains " /executionpoli " or TargetProcessCommandLine contains " /executionpol " or TargetProcessCommandLine contains " /executionpo " or TargetProcessCommandLine contains " /executionp " or TargetProcessCommandLine contains " /execution bypass" or TargetProcessCommandLine contains " /executio bypass" or TargetProcessCommandLine contains " /executi bypass" or TargetProcessCommandLine contains " /execut bypass" or TargetProcessCommandLine contains " /execu bypass" or TargetProcessCommandLine contains " /exec bypass" or TargetProcessCommandLine contains " /exe bypass" or TargetProcessCommandLine contains " /ex bypass" or TargetProcessCommandLine contains " /ep bypass")
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | ASIM process-creation parser, not a connector: make sure the parser is deployed in the workspace and that at least one process-creation source that populates `TargetProcessCommandLine` is connected (command-line logging must be enabled on that source, otherwise every `contains` clause in the query is evaluated against an empty field). |