- title: Suspicious PowerShell Invocations - Generic
id: 3d304fda-78aa-43ed-975c-d740798a49c1
status: experimental
description: Detects suspicious PowerShell invocation command parameters
tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule)
logsource:
product: windows
service: powershell
category: null
detection:
encoded:
- ' -enc '
- ' -EncodedCommand '
hidden:
- ' -w hidden '
- ' -window hidden '
- ' - windowstyle hidden '
noninteractive:
- ' -noni '
- ' -noninteractive '
condition: all of them
falsepositives:
- Penetration tests
- Very special / sneaky PowerShell scripts
level: high
In [ ]:
from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
In [ ]:
es = Elasticsearch(['http://helk-elasticsearch:9200'])
searchContext = Search(using=es, index='logs-endpoint-winevent-powershell-*', doc_type='doc')
In [ ]:
s = searchContext.query('query_string', query='(\*.keyword:(*\ \-enc\ * OR *\ \-EncodedCommand\ *) AND \*.keyword:(*\ \-w\ hidden\ * OR *\ \-window\ hidden\ * OR *\ \-\ windowstyle\ hidden\ *) AND \*.keyword:(*\ \-noni\ * OR *\ \-noninteractive\ *))')
response = s.execute()
if response.success():
df = pd.DataFrame((d.to_dict() for d in s.scan()))
In [ ]:
df.head()